According to foreign media reports,The U.S. Supreme Court will hear a case debate on Monday, local time, that could lead to a sweeping change in America's controversial computer hacking law - and affect how millions of people use their computers and access online services.American Computer Fraud and Abuse Act (Computer Fraud and Abuse Act,CFAA) was signed into federal law in 1986, but still regulates what constitutes hacking -- o
The controversial law aims to sue hackers, but critics call it the "worst law" in technical law books, saying its outdated and vague language fails to protect well meaning hackers from discovering and disclosing security vulnerabilities.
At the heart of the case is Nathan Van Buren, a former police chief from Georgia. Van Buren used his access to the police license plate database to search for an acquaintance in exchange for cash. Van Buren was arrested and charged on two counts: accepting kickbacks for accessing police databases and violating the CFAA. The first charge was overturned, but the CFAA violation was upheld.
Van Buren may have been allowed access to the database through police work, but whether he has exceeded his access is still a key legal issue.
Orin Kerr, a law professor at the university of california, berkeley, says Van Buren's case with the us is an "ideal case ". In a April blog post, he said,
It is unclear how the Supreme Court will determine
Pfefferkorn said a broad interpretation of CFAA could criminalize any act, including lying on dating materials, sharing passwords for streaming media services, or using work computers for personal purposes in violation of employer policies.
But the final decision of the Supreme Court may also have a wide impact on bona fide hackers and security researchers who purposefully destroy the system to make it safer. For decades, hackers and security researchers have been operating in the grey area of the law, because written laws will bring charges against their work, even if the goal is to improve cybersecurity.
Technology companies have encouraged hackers to contact security vulnerabilities in private for years. In return, companies fix their systems and pay hackers for their work. Mozilla, Dropbox and Tesla are among the few companies that have promised not to sue bona fide hackers under the CFAA. Not all companies welcome the review and are bucking the trend, threatening to sue researchers for their findings and, in some cases, actively initiating legal action to prevent dishonorable headlines.
Security researchers are no stranger to legal threats, but if the Supreme Court makes a ruling against Van Buren, it could have a chilling effect on their work and push disclosure underground.
"The potential criminal (and civil) consequences of a violation of the policy on the use of computer systems would give the owners of those systems the right to ban bona fide security research and silence researchers from disclosing any vulnerabilities they found in these systems." Pfefferkorn said. "Even inadvertently coloring outside the boundaries of a set of loophole reward rules puts researchers at risk."
"The court now has an opportunity to resolve ambiguities in the scope of the law and, through a narrow interpretation of CFAA, make it safer for security researchers to carry out their much-needed work." Pfefferkorn said. "We can't afford to scare away people who want to improve network security."
The Supreme Court is likely to rule on the case later this year or early next year.