The Supreme Court is finally considering whether to rein in the nation’s sweeping anti-hacking law, which cybersecurity pros say is decades out of date and ill-suited to the modern Internet.
The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just hacking into websites but also far more innocuous behavior – such as lying about your name or location while signing up on a website or otherwise violating the site’s terms of service.
If the court agrees to narrow how prosecutors can use the law, it would be a huge victory for security researchers. They routinely skirt websites’ strict terms of service when they investigate them for bugs that cybercriminals could exploit.
It would also make the Internet far safer, they say. That’s because current interpretations of the 1986 law, known as the Computer Fraud and Abuse Act (CFAA), have made researchers wary of revealing bugs they find because they fear getting in trouble with police or with companies, which can also sue under the law in civil courts.
“Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law,” Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. “This law makes the Internet less safe because it chills legitimate information security research and it’s bad for the economy because it chills innovation.”
The fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer.
That’s a distinction that didn’t matter much when the law was drafted in the mid-1980s. But it makes a huge difference now when people routinely spend hours each day visiting a slew of websites that all have their own terms of service that most people never read.
“It’s making a crime out of ordinary breaches of computer restrictions and terms of service that people likely don’t even know about and if they did would have no reason to think would be a federal crime,” Jeffrey L. Fisher, a Stanford University law professor who is the lead attorney in the case before the high court, told me.
That case focuses on a former Georgia police officer, Nathan Van Buren, who was convicted under the law in 2017 after he allegedly sold information from a police database to an acquaintance for $6,000. The information was allegedly focused on helping the acquaintance figure out whether a local stripper was actually an undercover cop.
CFAA critics say that takes the anti-hacking law too far because Van Buren didn’t actually hack into anything. He just broke the rules for a database that he was legitimately allowed to use.
Fisher was an attorney on two other cases in the past six years in which the Supreme Court tackled pressing technology issues and limited police authorities. In Riley v. California in 2014, the court required a warrant for most police searches of cellphone contents. In Carpenter v. United States in 2018, the justices limited how police can use cellphone location data to track suspects.
Fisher said he believes that the justices will also be ready in this case to roll back police powers that no longer make sense given modern technology.
Federal appellate districts have split over how broadly to read the law.
Courts in New York, California and several other states generally require that a person actually hack into a computer by using stolen information or exploiting a bug in the system to be prosecuted under the law, while courts in states including Georgia and Florida have convicted people in cases such as Van Buren’s where there’s no clear hacking.
Van Buren’s lawyers are essentially asking the Supreme Court to settle the argument.
“This is important because the law either says very few people are criminals under CFAA or almost everyone is a criminal under CFAA,” Jeffrey L. Vagle, a Georgia State University law professor who focuses on cybersecurity law, told me. “This question has been unanswered for years and now it’s about time that it gets answered.”
https://www.pcsecurity-99.com/2020/04/25/analysis-the-cybersecurity-202-theres-finally-a-supreme-court-battle-coming-over-the-nations-main-hacking-law-the-washington-post/
Alternatively, WAPO paywalled article: https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/04/24/the-cybersecurity-202-there-s-finally-a-supreme-court-battle-coming-over-the-nation-s-main-hacking-law/5ea1ade6602ff140c1cc5f51/