In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the "Exceeds authorized access" language was too broad. Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.
Today, the US Supreme Court restricted the scope of the federal Computer Fraud and Abuse Act after overturning the conviction of a Georgia police officer who searched a police database for money. The CFAA is a cybersecurity bill created in 1986 that prohibits unauthorized access to computer systems and networks or acts that "Exceeds authorized access." Due to the vague nature of the bill, the CFAA can be broadly interpreted to allow harmless actions such as violating a website's terms of service or violating corporate policies by using work devices to access personal accounts on social sites.
Some companies have argued that narrowing the scope of the CFAA would not be damaging to security programs if companies are already contracting security services, including crowdsourced programs like bug bounty. One company received pushback from the information security community when it accused MIT security researchers of acting in "Bad faith" by identifying vulnerabilities in its mobile app.
Abstract: Adversarial Machine Learning is booming with ML researchers increasingly targeting commercial ML systems such as those used in Facebook, Tesla, Microsoft, IBM, Google to demonstrate vulnerabilities. In this paper, we ask, "What are the potential legal risks to adversarial ML researchers when they attack ML systems?" Studying or testing the security of any operational system potentially runs afoul the Computer Fraud and Abuse Act, the primary United States federal statute that creates liability for hacking.
The particular case under review concerns former police sergeant Nathan Van Buren who was convicted in 2017 under the CFAA for running a computer search for a license plate number. Lawyers and legal minds have been fighting over the question of authorized and unauthorized use under the CFAA ever since it was enacted back in 1986.