The US Supreme Court heard arguments on Monday for a case that could change how the nation treats hacking and cybercrime.
The ruling will come sometime later this year or early next year, and it could go either way. Best case scenario: We’ll start being more fair to white-hat hackers who locate and warn of major security vulnerabilities. Worst case? Lying about your height on Tinder becomes a federal crime.
That’s right, the stakes are high on this one. Here’s what to know about the last 30-plus years of US hacking law.
The Computer Fraud and Abuse Act
Since 1986, the Computer Fraud and Abuse Act (CFAA) has been the single biggest cybercrime law in the US. It’s widely considered outdated, as you might expect from a law about the internet that was passed just a year after the last season of Stranger Things was set.
Because it’s so old and vaguely worded, the law can be used to prosecute any hacker. But a “hacker” is anyone who exploits an online security bug or flaw, and exploiting a flaw is pretty much the only way to determine that one exists. So, under the CFAA, anyone who helps an existing site strengthen its security — potentially protecting the private data of millions in the process — could be prosecuted for a federal crime.
This isn’t a hypothetical, either. Take the massive 2017 Equifax data breach, which saw the credit reporting company expose its data on 143 million U.S. consumers, from names and Social Security numbers to addresses, birth dates, and even driver’s license numbers. A security researcher had actually spotted the vulnerability months earlier, and had warned Equifax, but didn’t go public with the information due to the legal and professional risk.
The Van Buren v. United States Case
The case in question here is Van Buren v. United States. The defendant is Nathan Van Buren, a former Georgia police sergeant, who was convicted under the CFAA of taking a bribe and using his access to a police license plate database to look up an individual without authorization. He was prosecuted on two counts — for getting a kickback for accessing the database and for violating the CFAA — but only the CFAA violation stuck. If Van Buren v. United States goes his…