CFAA will harm security researchers, EFF tells SCOTUS

The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to rein in the scope of the Computer Fraud and Abuse Act (CFAA) by holding that accessing computers in ways that violate terms of service (TOS) does not violate the law.

It’s the first time the High Court will consider whether violating the TOS that companies impose to control the use of their websites, apps, and computer systems violates the CFAA, which outlaws accessing computers “without authorization” or “exceeding authorized access.”

In a brief filed on behalf of 18 leading computer security researchers, the Center for Democracy & Technology, and the cybersecurity companies Bugcrowd, Rapid7, SCYTHE and Tenable, EFF told the court that despite its intended purpose to increase security, the CFAA has been wrongly interpreted to encompass common security research techniques like reverse engineering. These acts may technically violate TOS, but they should not result in criminal or civil charges.

Security researchers’ work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene TOS, EFF pointed out.

“To give a timely example, security researchers have faced legal threats from companies waving the CFAA at them after reporting flaws in voting technologies,” EFF Senior Staff Attorney Andrew Crocker said in a release. “Especially as interest in digital voting expands amid COVID-19, it’s crucial that the CFAA not be used to chill researchers from pointing out the often massive and frightening flaws in these technologies.” The EFF added that the Supreme Court should stop “dangerous, overbroad interpretations of the CFAA that would leave us less secure.”
