© Digital Journal
In the United States this week, the Supreme Court's 6-3 decision in Van Buren v. United States was announced. The decision significantly reduces the scope of the Computer Fraud and Abuse Act (CFAA). The ruling overturned the conviction of a former Georgia police officer for misusing a government database to investigate whether an alleged local stripper was an undercover police officer.
This means that federal prosecutors can no longer use the CFAA to charge people who misuse databases they are entitled to access.
To find out what this means, along with the associated implications, Digital Journal caught up with Casey Ellis, CTO, founder and president of Bugcrowd.
Ellis is well placed to comment, since he was part of the amicus brief presented by the Center for Democracy and Technology, Bugcrowd, Scythe, Tenable, and others, which argued that a broad interpretation of the CFAA will deter bona fide security research, meaning that detectable security vulnerabilities remain undetected or uncorrected, effectively waiting for attackers to find and exploit them.
Ellis begins by explaining the importance of the change: “With this ruling, the Supreme Court has not updated or amended the law itself, but has put an end to any overly broad use of the Computer Fraud and Abuse Act (CFAA).”
On the act itself, Ellis summarizes: “The CFAA was originally approved by Congress in response to the growing threats of malicious actors, but with time and the progress of technology it now serves to create a terrifying effect for security researchers who seek to improve the overall security of the Internet.”
Returning to the specific case, Ellis states: “For an objectively strange case to produce a resolution that challenges the very letter of the law to set a precedent that reflects an evolving technological environment (including, above all, in this case, the impact of the interaction that the environment and the law have on the general security of the Internet) is enormously encouraging.”
He adds that: “Whenever the CFAA is used in an excessively broad way, hackers acting in good faith are disproportionately affected, so a SCOTUS ruling against this phenomenon is something I consider fundamentally positive.”
Significantly, Ellis concludes by saying, “The final certiorari, as well as previous hearings, make it quite clear that SCOTUS believes that the CFAA itself is outdated in ways that make it impossible to apply to a case like Van Buren v. USA. Footnote 8 stands out, in particular, as SCOTUS’ attempt to encapsulate and allow its own law, while acknowledging the ambiguity that remains, despite Van Buren’s ruling.”
As for progress, Ellis states: “While there is no doubt that the SCOTUS ruling will have a significant impact on the protection of researchers, no work is being done to achieve a safer and more resilient Internet. This SCOTUS decision does not change the law itself. It is up to the U.S. Congress to review it. Until that happens, Safe Harbor remains the rule of law that organizations should establish to ensure the ongoing security investigation or reports of vulnerability that are being marked in the organization are legally covered.”