Cybersecurity & Standards

CDT Joins EFF, Cybersecurity Firms in Amici Curiae Brief Defending Security Researchers Against Broad CFAA Interpretation

CDT joined the Electronic Frontier Foundation (EFF) and cybersecurity firms Bugcrowd, Rapid7, SCYTHE, and Tenable to file a friend-of-the-court brief alongside the petitioner in NATHAN VAN BUREN v. U.S.

The Center for Democracy & Technology (“CDT”) is a nonprofit public interest organization that supports laws, corporate policies, and technical tools to protect the civil liberties of Internet users and represents the public’s interest in maintaining an open Internet. CDT supports the clear and predictable application of cybercrime statutes including the CFAA. CDT has filed amicus briefs in several CFAA cases, including United States v. Manning, 78 M.J. 501 (A. Ct. Crim. App. 2018), United States v. Valle, 807 F.3d 508 (2d Cir. 2015), and United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

Summary of Argument

Congress passed the CFAA in recognition of growing security threats that malicious attackers could pose to computers and networks, especially computers used by the federal government and financial institutions. See hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1001 (9th Cir. 2019). Over the following decades, however, the CFAA has been interpreted too broadly, with the perverse effect of slowing the development of computer security, undermining the very purpose of the law. That is because, in practice, secure computing and software relies heavily on the work of independent researchers in academia, industry, public service, and independent practice to identify and fix flaws that malicious attackers could otherwise exploit. These researchers work to identify serious shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research is especially urgent as we find ourselves integrating networked computers into our homes, vehicles, and even our bodies.

Despite widespread agreement about the importance of this work—including by the government itself—researchers face legal threat for engaging in socially beneficial security testing. Under the government’s broad interpretation of the CFAA, standard security research practices—such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data—can be highly risky.

Amici write to inform the Court of the vital role that security researchers play and to demonstrate how the CFAA has hindered their work. They urge the Court to adopt a narrow construction of the law consistent with Congress’s intent and to clarify that contravening written prohibitions on means of access is not a violation of the CFAA.

Read the full brief here.