Washington, D.C.—The Electronic Frontier Foundation (EFF) and leading cybersecurity experts today urged the Supreme Court to rein in the scope of the Computer Fraud and Abuse Act (CFAA)—and protect the security research we all rely on to keep us safe—by holding that accessing computers in ways that violate terms of service (TOS) does not violate the law.

The Supreme Court will for the first time consider if the CFAA—which outlaws accessing computers “without authorization” or “exceeding authorized access”—also criminalizes access that violates the TOS companies impose to control the use of their websites, apps, and computer systems.

Overbroad interpretations of whether someone exceeds authorized access to a computer under the draconian CFAA have turned on compliance with TOS, meaning private companies across the country get to decide who prosecutors can go after for alleged computer crimes. The Supreme Court’s decision will have far-reaching implications for many people, but especially security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene TOS.

“To give a timely example, security researchers have faced legal threats from companies waving the CFAA at them after reporting flaws in voting technologies,” said EFF Senior Staff Attorney Andrew Crocker. “Especially as interest in digital voting expands amid COVID-19, it’s crucial that the CFAA not be used to chill researchers from pointing out the often massive and frightening flaws in these technologies. The Supreme Court should stop dangerous, overbroad interpretations of the CFAA that would leave us less secure.”

In a brief filed today on behalf of eighteen leading computer security researchers, the Center for Democracy & Technology, and the cybersecurity companies Bugcrowd, Rapid7, SCYTHE, and Tenable, EFF told the court that despite its intended purpose to increase security, the CFAA has been wrongly interpreted to encompass common security research techniques like reverse engineering. These acts may technically violate TOS, but they should not result in criminal or civil charges.

Interpreting the CFAA so broadly jeopardizes security researchers who have identified serious flaws in medical devices, voting machines, cloud services, and much more. Discovering security vulnerabilities by its very nature involves techniques that often circumvent TOS, as researchers search for and locate holes in complex computer systems that can be exploited by criminals.  

“We need clarity from the Supreme Court to protect essential computer security research,” said Naomi Gilens, the Frank Stanton Legal Fellow at EFF. “Congress intended to outlaw malicious computer break-ins, not give private companies and the government the power to shut down valuable research and make us all less safe."

For the brief:
https://www.eff.org/document/van-buren-eff-security-researchers-amicus-brief

For bios of security researchers who signed the brief:
https://www.eff.org/cases/van-buren-v-united-states/security-researcher-amici

For more about CFAA reform:
https://www.eff.org/deeplinks/2013/01/these-are-critical-fixes-computer-fraud-and-abuse-act