Supreme Court Skeptical About Law That Could Have a Chilling Effect on Security Research

The Supreme Court on Monday expressed skepticism about the sweeping nature of the 1986 Computer Fraud and Abuse Act, claiming that the cybercrime law — the only one of its kind in the United States — could lead to a slippery slope where average Americans are criminalized for innocuous transgressions like checking Facebook at work.

The reexamination of the law comes during arguments for a case involving a Georgia police officer convicted of violating the Act after he accessed a license plate database in an attempt to obtain information on a strip club dancer, in what lawyers argued was an improper manner. Lawyers for the officer, Nathan Van Buren, say that he did not violate the CFAA and, in fact, had legitimate access to the database through the course of his work.

The case — the first significant challenge to the scope of the CFAA to reach the nation’s highest court — spurred a string of amicus briefs from a wide range of technology, privacy and cybersecurity experts, many of whom argued that the law could discourage computer researchers and good-faith hackers from uncovering and disclosing security flaws.

“Under the government’s broad interpretation of the CFAA, standard security research practices — such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data — can be highly risky,” one group of experts wrote.

Despite arguments from the government’s lawyer, Deputy Solicitor General Eric Feigin, that anxieties about overzealous enforcement of the law were overhyped, many of the Justices seemed concerned about the law’s broad scope.

According to Justice Neil Gorsuch, the DOJ’s argument threatened to “[make] a federal criminal of us all.” Justice Sonia Sotomayor argued that the government was “...asking us to write definitions to narrow what could otherwise be viewed as a very broad statute, and dangerously vague.”

Other members of the bench raised concerns about the key terms outlined in the statute.

“What is this statute talking about when it speaks of information in the computer?” Justice Samuel Alito asked at one point. “All information that somebody obtains on the web is in the computer in a sense. I have a feeling that’s not what Congress was thinking about when it adopted this [law].”

While the Supreme Court’s decision will undoubtedly have far-reaching implications for security researchers in particular, the case could also affect the lives of millions of average Americans who could, under certain broad interpretations of the law, be found in violation of it just for lying on a dating profile, checking social media at work or committing any other innocuous act that violates an online service’s terms of use.
