Legality of Security Research to be Decided in US Supreme Court Case

A ruling that a police officer's personal use of a law enforcement database is "hacking" has security researchers worried for the future.

Independent security researchers, digital-rights groups, and technology companies have issued friend-of-the-court briefs in a US Supreme Court case that could determine whether violating the terms of service for software, hardware, or an online service equates to hacking under the law.


The case—Nathan Van Buren v. United States—stems from the appeal of Van Buren, a police sergeant in Cumming, Georgia, who was found guilty in May 2018 of honest-services wire fraud and a single charge of violating the Computer Fraud and Abuse Act (CFAA) for accessing state and government databases to look up a license plate in exchange for money. While Van Buren was authorized to use the Georgia Crime Information Center (GCIC) to access information, including license plates, federal prosecutors argued successfully that he exceeded that authorization by looking up information for a non-law-enforcement purpose.


With the appeal accepted by the US Supreme Court, security researchers and technology companies are concerned that the case could turn independent vulnerability research into unauthorized access and, thus, a prosecutable offense. If the US Supreme Court rules that Van Buren's actions are a violation of the CFAA, it will undermine software and cloud security, says Casey Ellis, chief technology officer and founder of crowdsourced bug bounty firm Bugcrowd.


"Unauthorized access is one of the main purposes of security research—by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will w ..
