The US Supreme Court heard arguments on Monday for a case that could change how the nation treats hacking and cybercrime.
The ruling will come sometime later this year or early next year, and it could be either way. Best case scenario: We'll start being more fair to white-hat hackers who locate and warn of major security vulnerabilities. Worst case? Lying about your height on Tinder becomes a federal crime.
That's right, the stakes are high on this one. Here's what to know about the last 30-plus years of US hacking law.
The Computer Fraud and Abuse Act
Since 1986, the Computer Fraud and Abuse Act (CFAA) has been the single biggest cybercrime law in the US. It's widely considered outdated, as you might expect from a law about the internet that was passed just a year after the last season of Stranger Things was set.
Because it's so old and vaguely worded, the law can be used to prosecute any hackers. But a “hacker” is anyone who exploits an online security bug or flaw, and exploiting a flaw is pretty much the only way to determine that one exists. So, under the CFAA, anyone who helps an existing site strengthen its security — potentially protecting the private data of millions in the process — could be prosecuted for a federal crime.
This isn't a hypothetical, either. Take the massive 2017 Equifax data breach, which saw the credit reporting company expose its data on 143 million U.S. consumers, from names and Social Security numbers, to addresses, birth dates, and even drivers license numbers. A security researcher had actually spotted the vulnerability months earlier, and had warned Equifax, but didn't go public with the information due to the legal and professional risk.
The Van Buren v. United States Case
The case in question here is Van Buren v. United States. The defendant is Nathan Van Buren, a former Georgia police sergeant, who was convicted under CFAA of taking a bribe and using his access to a police license plate database to look up an individual without authorization. He was prosecuted on two counts — for getting a kickback for accessing the database and for violating the CFAA — but only the CFAA violation stuck. If Van Buren v. United States goes his way, that decision could be overturned.
Granted, Van Buren isn't the most sympathetic defendant out there, but if the Supreme Court agrees that he shouldn't be considered to have violated the CFAA, they'll be more clearly defining the boundaries of a poorly worded and sweepingly powerful law.
This in turn could lead to better outcomes for many, many others, by removing the specter of federal prison time from small-time misdeeds like pirating a movie or scraping JSTOR papers.
As Jeff Fisher, Van Buren's lawyer, put it on Monday:
“Imagine a secretary whose employee handbook says that her email or Zoom account may be used only for business purposes. Or consider a person using a dating website, where users may not include false information in their profile to obtain information about potential mates. Or think of a law student who is issued login credentials for Westlaw or Lexis for educational uses only. If the government is right, then a computer user who disregards any of these stated use restrictions commits a federal crime.”
So far, it's unclear which way the Supreme Court will go, given the wide variety of opinions the justices have revealed.
The Supreme Court Hearings
Part of the Department of Justice's response to Fisher's argument was to contend that anyone who lies on a dating website was never in danger of federal reprisal in the first place, saying the CFAA applies to those who abused their “authorized access,” not normal citizens on the internet. But that's not how the CFAA has been applied in the past. Justices seemed unconvinced:
Justice Sonia Sotomayor notes that the law could “be viewed as a very broad statute, and dangerously vague.”
Justice Neil Gorsuch says the DOJ argument risks “making a federal criminal of us all.”
A favorable outcome of the case could be a clear ruling that anyone who violates a website's terms of service will not be committing a crime under the CFAA. That's good news for anyone who's using a VPN to access Netflix or who's fudging the facts on their dating profile.
And while anything could happen, given the justices' responses to the oral hearings on Monday, that outcome appears to be the most likely one.