Breaching Terms of Service Doesn’t Breach the CFAA: Protect Independent Security Research
July 10, 2020
Advances in securing medical devices, vehicle systems, and any of the other systems and connected devices used daily would not be possible without independent researchers testing and auditing those in novel and often unanticipated manners from that intended by the computer/website/app owners. SCYTHE’s adversary emulation platform that empowers security teams to protect their networks and systems is built on the tools, vulnerabilities, and techniques developed through such research. Yet, many standard and valued security research methodologies such as port and network scanning, scraping and automated access, and reverse engineering have been viewed as violating written access restrictions under overly broad interpretations of the Computer Fraud and Abuse Act (CFAA).
To that end, SCYTHE is proud to have joined with 18 leading researchers from across a wide range of security fields as well as the EFF, Center for Democracy & Technology, Bugcrowd, Rapid7, and Tenable in supporting the protection of independent security research and filing an amicus brief in Nathan Van Buren v. U.S.
In a first of its kind case, the Supreme Court is poised to consider whether accessing information or systems in a manner that technically violates the terms of service is also a criminal act under the CFAA. The CFAA, first enacted in 1986, among other things, prohibits accessing computers “without authorization” or in a manner that “exceeds authorized access.” Under current expansive interpretations of the CFAA, companies have leveraged it to chill research and the disclosure of critical vulnerabilities.
Threats of criminal action for breaching the terms of a website TOS, which companies may draft however they decide and revise at their discretion (and, to be honest, few people read the entire TOS every time they visit a website), should not be used to shut down critical public interest research. Reverse engineering software, for example, is such a valuable cybersecurity tool that the NSA has publicly released its own version to aid independent security researchers in their endeavors. To claim that its use should be halted under the CFAA solely for breaking a TOS, completely ignores the beneficial gains of vulnerability research and impairs future security advances.
SCYTHE, along with the other parties to the brief, urge the Supreme Court to protect valuable security research and narrow the current unintended, far-reaching scope of the CFAA.
Read the full brief: https://www.eff.org/document/van-buren-eff-security-researchers-amicus-brief
Read the EFF’s Statement on the Brief: https://www.eff.org/press/releases/eff-asks-supreme-court-rule-violating-terms-service-isnt-crime-under-cfaa
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email email@example.com, visit https://scythe.io, or follow on Twitter @scythe_io.