By Clare O’Gara
Mon | Jul 13, 2020 | 6:15 AM PDT

Typically, you can distinguish between a cybercriminal and a security researcher.

But according to the Electronic Frontier Foundation (EFF), the current scope of the Computer Fraud and Abuse Act (CFAA) fails to account for the distinction.

Now, a group of security researchers is begging the Supreme Court to change that.

What are security researchers asking the Supreme Court?

On the surface, the CFAA sounds like a victory for cybersecurity. The law outlaws accessing computers “without authorization” or by “exceeding authorized access.”

But according to the contributors to the EFF amici curiae brief, filed with the U.S. Supreme Court, the law's overlap is dangerous for security researchers.

The CFAA's current scope also criminalizes access that violates the Terms of Service (TOS) companies impose to control the use of their websites, apps, and computer systems.

According to EFF, that consequence empowers private companies:

"Overbroad interpretations of whether someone exceeds authorized access to a computer under the draconian CFAA have turned on compliance with TOS, meaning private companies across the country get to decide who prosecutors can go after for alleged computer crimes."

A result of that empowerment? Challenging circumstances for security researchers:

“To give a timely example, security researchers have faced legal threats from companies waving the CFAA at them after reporting flaws in voting technologies,” said EFF Senior Staff Attorney Andrew Crocker.

“Especially as interest in digital voting expands amid COVID-19, it’s crucial that the CFAA not be used to chill researchers from pointing out the often massive and frightening flaws in these technologies. The Supreme Court should stop dangerous, overbroad interpretations of the CFAA that would leave us less secure.”

How do you define the term security researchers?

Nearly 20 security researchers are listed on the brief, some with ties to Intel, Luta Security, Cruise, the CTI-League, and others, including a lengthy list of colleges and universities like MIT, Stanford, Johns Hopkins, and Harvard. Here's how the group describes the role of security researchers:

"Independent computer security research furthers the public interest in secure voting systems, medical devices, critical national infrastructure, vehicles, and many other sectors."

According to them, a law interpreted this broadly targets the very work that attempts to improve the cybersecurity space.

What are potential problems with the Computer Fraud and Abuse Act?

And what does the newly filed brief say about the CFAA's scope?

Here's the argument, in a nutshell:

"The government’s broad interpretation of the Computer Fraud and Abuse Act (“CFAA”) chills essential computer security research by exposing computer security researchers to criminal and civil liability."

The brief breaks that down into two main points:

  1. The Work of the Computer Security Research Community Is Vital to the Public Interest.
  2. The Broad Interpretation of the CFAA Adopted by the Eleventh Circuit Chills Valuable Security Research.

And to bolster those, it offers seven additional arguments:

  1. Computer Security Benefits from the Involvement of Independent Researchers.
  2. Security Researchers Have Made Important Contributions to the Public Interest by Identifying Security Threats in Essential Infrastructure, Voting Systems, Medical Devices, Vehicle Software, and More.
  3. The Eleventh Circuit’s Interpretation of the CFAA Would Extend to Violations of Website Terms of Service and Other Written Restrictions on Computer Use.
  4. Standard Computer Security Research Methods Can Violate Written Access Restrictions.
  5. The Broad Interpretation of the CFAA Discourages Researchers from Pursuing and Disclosing Security Flaws.
  6. Voluntary Disclosure Guidelines and Industry-Sponsored Bug Bounty Programs Are Not Sufficient to Mitigate the Chill.
  7. Malicious Actors Seeking Security Flaws Are Not Dissuaded by the CFAA.

Interested in more details from the brief? Check it out here.