The Supreme Court is scheduled to hear a case in late November that could have broad implications for the main U.S. hacking law, and tempers are already flaring between its opponents and supporters.
The case, in which Georgia police officer
Nathan Van Buren
was convicted under the Computer Fraud and Abuse Act for improperly accessing a license-plate database, has the potential to set a national precedent for how previously woolly terms in the 1986 law are interpreted, experts say.
This is the first time that the Supreme Court has agreed to hear an appeal that involves a review of the CFAA, which could have marked effects on how law enforcement prosecutes hackers, and how companies pursue civil litigation, against individuals for computer-related crimes.
Tech companies, privacy advocates and others have weighed in on the case and underlying law, which bars people from obtaining data from a computer “without authorization” or while “exceeding authorized access.” The court could decide whether the statute covers accessing a network for improper purposes, such as using a work system for nonwork business, said
, counsel of record for Mr. Van Buren and co-director of the Stanford Law School Supreme Court Litigation Clinic.
Mr. Fisher will call for a narrow reading of the law during oral arguments on Nov. 30. “We think of hacking as accessing information you have no right to access for any purpose whatsoever,” he said. “If there are other, particularized pockets of improper use that ought to be regulated or even criminalized, Congress can pass new legislation to do that.”
The case bears little relation to cybersecurity research on its face. But researchers and a digital-voting startup have faced off in recent weeks with dueling arguments on the case and its potential fallout.
More From WSJ Pro Cybersecurity
Researchers argued in a July brief on the case that a broad reading of the law could chill research that tests the vulnerabilities of medical devices, vehicle software and more. They accused Boston-based Voatz Inc., which sells a mobile voting application, of reporting a college student to the authorities after the student tested the company’s system for an election-security course.
Voatz shot back in its own brief this month, condemning such unauthorized efforts. The company said it had no choice but to report the student to its customer, which in turn referred the matter to the Federal Bureau of Investigation, because the activity was indistinguishable from an attack.
“We can’t read the mind of an actor,” Voatz co-founder and Chief Executive
said in an interview.
Mr. Sawhney defended the CFAA, saying it “does not stop research of any kind,” and that the company isn’t opposed to security research, as long as it is conducted with companies’ explicit consent. This includes bug-bounty programs in which firms pay outsiders who find flaws in their systems.
But several dozen cybersecurity professionals from industry and academia criticized the digital-voting firm again in an open letter last week. They argued that companies like Voatz can take advantage of a broad CFAA by continuously updating their terms of service or other data policies, including for bug-bounty programs.
“Security research doesn’t benefit from that,” said
, chief technology officer of the bug-bounty platform HackerOne Inc. and a signatory of the letter. “Only the corporation benefits from that, by keeping potential security problems a secret.”
While Mr. Van Buren’s particular actions were wrong, Mr. Rice added, “we need some other way to define that as criminal activity.”
A Supreme Court decision affirming the government’s broad interpretation of the law will give businesses license to revamp their terms and erect higher walls around their data, said Nick Akerman, a partner at law firm Dorsey & Whitney LLP. Mr. Akerman, who has worked on CFAA cases for two decades, said he expects the court to follow the lead of the U.S. Court of Appeals for the 11th Circuit in giving prosecutors discretion to interpret unauthorized access.
“A criminal statute always comes down to somebody’s intent,” he said.
Write to David Uberti at firstname.lastname@example.org