SCOTUS CFAA Ruling: What does it mean for pen testers and security?

The US Supreme Court just handed down a 6-3 ruling narrowing the scope of the Computer Fraud and Abuse Act (CFAA). It sets a precedent that “authorized access” is to be interpreted in a binary “gates up / gates down” approach, and not contextual in a way that can be dictated by the computer’s owner via the fine print in a EULA. But what exactly what does this mean, and why is it so important? And how does this affect us all as security professionals?

COMPUTER FRAUD & ABUSE ACT

There’s really only one federal “anti-hacking” statute on the books: the Computer Fraud and Abuse Act of 1986. It has a troubled history. A group of US congress people watched the film “Wargames” with Mathew Broderick and got really scared that this was a realistic threat. (Yes, seriously. Stop laughing). Not wanting to appear as having done nothing, they put together some exceedingly broad language in a bill that gives us what we have as law today.

The CFAA has two primary provisions that trigger penalties under the law:

1. When an individual “accesses a computer without authorization.”
2. When an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information they are “not entitled so to obtain.”

It’s this second provision that was in contention with the court. To see how, let’s talk about the specific case that was brought forward.

VAN BUREN V. UNITED STATES

The text of the Supreme Court’s decision actually summarizes the case pretty well. Here it is verbatim:

Former Georgia police sergeant Nathan Van Buren used his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. Although Van Buren used his own, valid credentials to perform the search, his conduct violated a department policy against obtaining database information for non-law-enforcement purposes. Unbeknownst to Van Buren, his actions were part of a Federal Bureau of Investigation sting operation. Van Buren was charged with a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”

Naturally, the point of interest here isn’t whether Van Buren’s actions were “good." I think it’s pretty clear that this was reprehensible behavior and an obvious abuse of power that ought to be penalized in some form. But is the CFAA really the right way to do it?

In particular, the court’s decision hinges on a particular turn of phrase in the CFAA’s text: the word “so,” in the phrase “not entitled so to obtain.” It reminds me of that one time the oxford comma was at the center of a Supreme Court case. The exact language and meanings are a bit complicated, but the two competing interpretations were as follows:

Interpretation A: “Gates Up / Gates Down”

The “Gates Up / Gates Down” interpretation (language taken verbatim from the decision) is what wound up winning, so let’s look at that first. This means that in order to exceed your authorization, you must first have authorization to a computer system and then access some piece of information that you don’t have authorization to. The justices give examples such as accessing certain files or folders that the user is not authorized to access, despite otherwise being authorized to use the system in general.

Thus, it’s the information that you do or don’t have authorization to, taken in in a binary fashion.

Interpretation B: “Contextual Authorization”

The competing interpretation (which lost and is not law) would have made it a violation of the CFAA to access a computer system in a manner that is in excess of your authorization. That is to say, your authorization would be contextual depending on things going on outside the scope of the CFAA.

In the case of Van Buren, it would have made his accessing of the police database illegal since the purpose for which he accessed it was forbidden, despite otherwise having authorization to that information.

THE RULING

I’m not a legal scholar, but after reading the entire court decision, interpretation A seems clearly and obviously correct. It really seems like the court got this one right both from a strictly-legal-reasoning perspective and also a policy-consequences perspective.

The obvious example here is in personal banking. When you visit your bank’s website, you are authorized to read the information for your account. Therefore, you are authorized in general to access the bank’s website. You are not, however, authorized to access the financial information for every other user simultaneously. The point of the CFAA is to make accessing that other stuff illegal, since accessing that other stuff plausibly involves some sort of hacking.

What doesn’t make sense at all from a policy perspective is to allow service or device owners to create private law, unilaterally dictating the terms of how users operate under conditions that no reasonable human being could call “hacking.” This would make violating the terms of service fine print on any website or program a criminal offense. The majority’s opinion nails this point on the head very clearly:

If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s], “§1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers. And indeed, numerous amici explain why the Government’s reading of subsection (a)(2) would do just that—criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook.

WHAT THIS MEANS FOR SECURITY PROFESSIONALS

As hackers by trade, the law around what does and doesn’t count as “illegal hacking” matters a lot to Bishop Fox and security generally. The CFAA has been used in the past as a bludgeon to threaten legitimate security research, using the expansive interpretation that the Supreme Court has now just rejected. When laws are so overly broad to criminalize ordinary behavior, they invite arbitrary and discriminatory enforcement.

In this case, I’d consider this ruling an unmitigated positive development. For security professionals, you no longer have to worry about violating the CFAA by transgressing a site or program’s terms of service fine print. As the court has said, you either have authorization to the information or you don’t. The computer owners do not get to dictate the terms with which you use the service. (In a legal capacity. You can still be fired for doing something against company policies, of course).

This will open up security research significantly, without the threat of criminal lawsuits looming over those who would dare to violate the fine print. There are many instances here at Bishop Fox where we have chosen to abandon security research because it involved using a service against its EULA, fearing the repercussions of the CFAA. The corollary to this is that service providers can no longer make their systems immune from legitimate security research by putting onerous clauses in their terms of service. Overall, the recent CFAA ruling is a win for security.