with Tonya Riley

The Supreme Court may be ready to rein in the nation’s main anti-hacking law, which Congress hasn't revised since 1986 and which has bedeviled cybersecurity researchers almost since the birth of the Internet. 

The high court heard arguments yesterday for the first time in a case challenging the broadest interpretations of that law, the Computer Fraud and Abuse Act. Those interpretations have left cybersecurity pros fearing jail time for doing basic Internet detective work. 

Critics say the CFAA is vaguely worded and that its Reagan-era concerns haven't translated well to modern technology.

When the law's language is interpreted narrowly — as in many U.S. court jurisdictions — it just criminalizes malicious hacking, such as breaking into a computer to steal credit card information. But other jurisdictions interpret the law more broadly to make it a federal crime whenever someone breaks a website's terms of service or a company's workplace computer rules. 

That could criminalize innocuous acts, such as lying about one's height on a dating app or checking personal email at work. It also produces a chilling effect for cybersecurity researchers who routinely skirt strict terms of service and company policies when they investigate technology for bugs that cybercriminals could exploit. 

“Right now, there’s just a lot of uncertainty as to what’s illegal,” Orin Kerr, a law professor at the University of California at Berkeley, who focuses on computer crimes, told me. “So, we need some clarity about what this law means.”

The justices expressed severe concerns about CFAA's ambiguity during the 80-minute hearing. Computer law experts were cautiously optimistic they'll rule it should be interpreted narrowly. 

If the justices do mandate a narrower interpretation of the law, that could give a lot more breathing room to cybersecurity researchers and companies.

“Coders, people with start-ups come to me asking if routine things they’re doing are illegal under this law and most of the time I have to answer, ‘yeah, maybe,’” Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. “Because the law is so poorly conceptualized, it sweeps up a broad range of normal, everyday behaviors and gives prosecutors the option of charging people for computer crimes.”

The case that reached the Supreme Court represents one of the broadest interpretations of the CFAA in many years. 

It focuses on a former Georgia police officer, Nathan Van Buren, who was convicted under the law in 2017 after he allegedly sold information from a police database to an acquaintance for $6,000. The information allegedly focused on helping the acquaintance figure out whether a local stripper was actually an undercover cop. 

That takes the anti-hacking law too far, Van Buren’s lawyer argued, because his client didn’t actually hack into anything. He just broke the rules for a database he was legitimately allowed to use. 

It could create a slippery slope to prosecuting far more innocuous rules violations, Van Buren's attorney, Jeffrey Fisher of Stanford University, argued. 

Some of the justices also seemed concerned. 

Justice Neil M. Gorsuch called the case “the latest … in a rather long line of cases in recent years in which the government has consistently sought to expand federal criminal jurisdiction in pretty significantly contestable ways that this court has rejected.”

Justice Sonia Sotomayor described CFAA as “a very broad statute, and dangerously vague.”

The government’s lawyer, however, argued the concerns were overblown. 

Deputy Solicitor General Eric Feigin accused Fisher of creating a “wild caricature” of the government’s CFAA position and scaring the court with “invented cases” about CFAA overreach.

He also warned that current Justice Department guidance urges against interpreting the law too broadly. 

“To the extent we start to see cases like that, that’ll give courts, including this court if necessary, the opportunity to further articulate those limits,” he said. 

But federal courts in other jurisdictions have interpreted CFAA far more narrowly than Georgia’s courts did.

Courts have thrown out similar cases in federal appellate districts that include New York and California, for example. 

“You could say the law’s broad or you could say it’s narrow, but it’s all based on who’s looking at the crystal ball,” Jeffrey L. Vagle, a Georgia State University law professor who focuses on cybersecurity law, told me. “The justices didn’t seem to express a great deal of comfort with that.”

Most prominently, a federal judge in Los Angeles dismissed a jury’s verdict convicting Lori Drew of CFAA charges in 2009. Drew, who was 50 at the time, was accused of cyberbullying a 13-year-old girl in her daughter’s social circle who later committed suicide. 

The alleged CFAA violation in the case was that Drew violated MySpace’s terms of service by posing as a teenage boy to lure the victim into an online relationship and later to taunt her.

“The CFAA is just not a well written law and its vagueness is what’s so scary about it,” Whitney B. Merrill, a privacy and information security attorney who previously worked for the Federal Trade Commission, told me. 

The keys

Georgia’s Republican governor and secretary of state are hitting back as Trump attacks them.

President Trump called Gov. Brian Kemp “hapless” in a tweet and questioned why he hadn’t used “emergency powers” to force Secretary of State Brad Raffensperger to conduct an audit that matched signatures on mail-in ballots to signatures on the envelopes in which they were received, John Wagner reports.

Trump has asserted without evidence that such a review will reverse his narrow loss in the state to President-elect Joe Biden. 

Kemp spokesman Cody Hall responded that “Georgia law prohibits the governor from interfering in elections.”

Kemp has encouraged Raffensperger to conduct a limited audit of the signatures. But Raffensperger called such an audit impractical since ballots were separated from their envelopes during counting and the state had found no evidence of fraud in a statewide hand recount.

Raffensperger also criticized efforts by Trump and his allies to muddy Georgia's election results, calling them dishonest actors spreading massive amounts of disinformation. 

“The truth matters, especially around election administration,” he said.

The comments came on a bad day for Trump's efforts to contest the election results. Both Wisconsin and Arizona certified Biden's win in the states. The Trump campaign has already threatened to file a lawsuit in Wisconsin claiming a recount in two counties there included illegally cast ballots.

Trump allies’ baseless claims about Dominion Voting Systems "do real damage to democracy," the company's CEO wrote.

The unfounded claims have led to death threats against Dominion employees, chief executive John Poulos wrote in an op-ed published in the Wall Street Journal. He urged Trump and other officials spreading the claims to retract them immediately.

Poulos's op-ed is just the most recent effort to refute the baseless allegations from Trump and his allies that Dominion machines secretly altered thousands of votes. Dominion has devoted its website to an extensive refutation of the charges. Federal, state and local officials also say there was no evidence that any voting machines were compromised during the election.

The lies and smears have no basis in fact, but they do real damage to our democracy by casting doubt on the legitimacy of the electoral process, Poulos wrote.

He also refuted other erroneous claims against the company, including that it was a front for Venezuelan communists. 

Departing FCC Chairman Ajit Pai was a leading foe of Huawei and other Chinese telecoms.

Pai, who announced he'll leave his post in January, played a leading role in enacting the White House's agenda blocking Chinese telecommunications companies from U.S. markets over cybersecurity concerns.

Under his leadership, the FCC labeled Huawei and ZTE as national security threats, stopping the flow of federal funding to rural and underserved telecoms that used parts from the Chinese companies. He also urged Congress to pass funding that would help U.S. telecoms replace Huawei equipment. 

His agency denied a request from China Mobile to provide phone services between the United States and other countries, also citing national security as a concern.

Pai was controversial among Internet activists and best known for rolling back Obama-era net neutrality rules, Tony Romm reports. Biden has expressed plans to bring back the rules that prevented Internet providers from throttling web traffic. 

Cyber insecurity

Phishing scams are skyrocketing during holiday shopping season.

Shipping-related phishing emails increased 440 percent in November compared to October, researchers at Check Point found. Hackers posed as Amazon in over half the phishing emails identified by Check Point.

Daybook

  • The Aspen Cyber Summit will take place Dec. 1-3.
  • Washington Post Live will host a conversation with former CISA director Christopher Krebs on Wednesday at 11 a.m.
  • CSIS will hold an online event, “‘The Perfect Weapon’: Cyber Policy and the Incoming Biden Administration,” on Wednesday at 12:30 p.m.
  • The Institute for Security and Technology is hosting a discussion, “Biden Administration Cyber Agenda,” on Wednesday at 2:30 p.m.
  • The Senate Homeland and Governmental Affairs federal spending oversight subcommittee will hold a hearing on “Defending Our Communities from Cyber Threats amid covid-19” on Wednesday at 2:30 p.m.
  • MIT Technology Review's CyberSecure conference will take place Dec. 2-3.
  • The Atlantic Council will hold an event on the incoming U.S. administration and the future of supply chains in the Americas on Dec. 9 at 2 p.m.

Secure log off

Moderna, Pfizer and AstraZeneca have released promising results from their initial coronavirus vaccine trials. Here are answers to common questions about them. (The Washington Post)