Researchers to Supreme Court: Terms of service violations shouldn’t be CFAA crime
As the Supreme Court prepares to consider a controversial federal anti-hacking law, a group of prominent cybersecurity researchers and legal advocates is pleading with the court not to criminalize digital research in the public interest.
In a brief filed with the court Wednesday led by digital rights group Electronic Frontier Foundation, the researchers warned that if violations of a company’s “terms of service” are deemed to be illegal, it risks chilling important research into voting systems, medical devices and other key equipment.
“Despite widespread agreement about the importance of this work—including by the government itself— researchers face legal threat for engaging in socially beneficial security testing,” wrote the EFF, the nonprofit Center for Democracy & Technology, and cybersecurity companies Bugcrowd, Rapid7, SCYTHE and Tenable. Famous security researchers like Peiter “Mudge” Zatko and Chris Wysopal, who warned Congress of the internet’s insecurities in the 1990s as members of the L0pht hacking collective, also signed the amicus brief.
At issue is the U.S. Computer Fraud and Abuse Act, a 1986 law used to prosecute people who break into computers. Legal experts and cybersecurity researchers have long complained that the law could be abused to target altruistic researchers who are breaking systems in order to make them more secure. Internet pioneer Aaron Swartz was infamously charged under the CFAA for allegedly downloading articles from an academic database. He committed suicide before he stood trial.
When its next term begins in October, the Supreme Court is set to consider whether corporate terms of service (TOS) can be considered an inviolable boundary under the CFAA. The court will review the case of Nathan Van Buren, a former Georgia police officer who was convicted of violating the CFAA by searching police records on behalf of an acquaintance.
Security researchers worry that allowing the TOS to be a delineator of CFAA violations would give corporations far too much sway over the law’s implementations. While the climate for security research has improved in recent years — with many big corporations setting up programs with researchers to find software vulnerabilities — researchers are still subject to legal threats.
“The security research community has wanted clarity on the limits of CFAA when it comes to good faith research for two decades,” said Wysopal, who is co-founder and CTO of security firm Veracode. “This case has rallied many together because of the possibility of better protecting researchers from the legal jeopardy they fear.”
Marc Rogers, a vice president at security firm Okta and one of the brief’s signatories, told CyberScoop that “getting [these legal issues] right is critical to ensuring that we protect future security research.”
“We know bad actors have few morals and aren’t always limited by legislative action,” Rogers added. “However, ethical researchers who are bound by policy and law can be chilled or scared away from important research.”
The issue is clear-cut for Katie Moussouris, founder and CEO of Luta Security, who also signed the brief.
“[W]e need to consider any decision that increases the legal risk to security researchers will effectively decrease the security of the internet for everyone,” Moussouris told CyberScoop.
You can read the full amicus brief below.
https://www.documentcloud.org/documents/6983068-19-783-Eff-Security-Researchers-Amici-Brief.html
