Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in
2021-06-03 20:45

The US Supreme Court on Thursday limited the scope of the 1986 Computer Fraud and Abuse Act in a ruling that found a former sergeant did not violate the law by misusing his access to a police database.

The CFAA prohibits accessing a protected computer "without authorization" and accessing a protected computer in a way that "exceeds authorized access." Because these terms are ill-defined, different courts have disagreed over whether the law imposes criminal liability for violating Terms of Service agreements.

"This provision covers those who obtain information from particular areas in the computer - such as files, folders, or databases - to which their computer access does not extend," Associate Justice Barrett wrote.

In that case, the US District Court for the District of Columbia ruled that researchers providing false information to employment websites to test for discriminatory algorithms did not violate the CFAA, even if doing so violated the site's ToS. "I am elated that the Supreme Court made clear today that violations of websites' terms of service alone do not constitute violations of the Computer Fraud and Abuse Act," said Alan Mislove, one of the plaintiffs in Sandvig, and a professor of computer science at Northeastern University, in a statement issued by the ACLU. "This decision removes a significant cloud of uncertainty and legal risk for researchers who perform online civil rights testing."

At the same time, the ruling doesn't entirely clarify the CFAA. Kerr observes that in a footnote, the court appears to adopt an authentication test - whether a user's credentials remove a gate to access.

"The Supreme Court recognized today that the terribly written CFAA crossed the line by criminalizing everyday activities like using your work computer to read the news or send personal emails," he said.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/03/supreme_court_cfaa/