The Computer Fraud and Abuse Act (CFAA), a controversial anti-hacking law which bans “exceeding authorized access” on a computer system, was narrowed by the Supreme Court on Thursday in a 6-3 ruling. The court said the law shouldn’t cover people misusing systems they’re allowed to access — and that claiming otherwise would criminalize a “breathtaking amount” of everyday computer use.
Great news here on a couple of fronts:
- Violating a Terms of Service (TOS) or End User License Agreement (EULA) should not be grounds for criminal prosecution. Congress makes laws, not private companies.
- The Court adopted a “gates-up-or-down” approach. Either you are entitled to access the information or you are not. If you need to break through a digital gate to get in, entry is a crime. Otherwise, it is not. This seems like a clear standard, as opposed to “exceeding authorized access”, which was too vague: a user could easily stumble into an area they were completely unaware they were “not authorized” to access.
- Not actively discouraging white hat hacking is good for everyone. The sooner a problem is identified, the quicker it can be fixed and the lower the risk for all users of a platform/tool/technology.