Schneier on Security

MrC • May 24, 2022 8:56 PM

@Barry:

Does the CFAA law criminalize unauthorised access to a computer system?

Yes that’s exactly what it does. The longstanding problem is the the wording is vague as hell and open to some interpretations that are unfathomably broad. What’s going on right now is that the U.S Supreme Court recently issued an opinion swatting down one of the more outrageously broad interpretations. This prompted the DOJ central office to issue a memo instructing its District U.S. Attorneys, in essence, “hey guys, don’t prosecute potential cases that fall under this new precedent, or that come close to falling under this new precedent, or under any of those bullshit expansive interpretations that common sense dictates shouldn’t be a crime.” In other words, they’ve made a good-faith effort to extrapolate the line the Supreme Court drew in this one case and to narrow the DOJ’s interpretation of what’s prosecutable to fit within that line.

(When I say that the DOJ is acting in good faith here, I’m explicitly rejecting the innuendo that this standard is flexible and will be used to selectively go after people they don’t like, suggested in some of the comments here. That’s not what they’re up to. They really, truly are trying to get their interpretation “right” in the wake of Van Buren. However, they are not entirely without ulterior motives — Narrowing their interpretation is a way for the DOJ to preemptively avoiding the embarrassment of losing another Supreme Court case on one of these broad theories like Van Buren, or, even worse from their perspective, having a case on one of these broad theories prompt the Supreme Court to chuck the entire CFAA as unconstitutionally vague.)

@Clive: Afraid you’re off-base there.

(Some key background that you may be unaware of: In Anglo-American law, crimes consist of individual “elements,” each of which must be proven to secure a conviction. For example: Traditionally, burglary consisted of (1) breaking and entering, (2) into a dwelling, (3) that is not your own home, (4) for the intended purpose of committing a crime inside (usually stealing stuff). Even when one isn’t written into the statute, all crimes include a mental state (mens rea) element, which is usually “intended to do the proscribed act,” unless otherwise specified.)

The “fuzzing the username versus fuzzing the password versus userland process” distinction arises from someone trying to make sense of what Van Buren has to say about the “exceeding authorized access” element. However, the DOJ memo’s section on “good-faith security research” pertains to the mental state element. Different elements. Under this memo, a mental state of “good faith security research” (that’s obvious to the DOJ) should preclude prosecution regardless of what specifically you’re doing.

(“But,” you may ask, “what if my subjective mental intent was ‘good-faith security research,’ and the DOJ prosecuted me anyway?” Oh-ho, here’s where things get interesting. The boilerplate final paragraph expressly says that this memo doesn’t create defenses that defendants can assert. But it a roundabout way it does despite itself. The memo is not a binding statement of the law that the courts or DOJ are obliged to obey, but it nevertheless contributes to your mental state once you’ve read it. So you end up with this meta component of your mental state where you subjectively believe you lack criminal intent because you read the DOJ memo that says you lack criminal intent. Now you have a two-pronged argument: First, that the DOJ memo is actually correct on the law (good faith security research isn’t criminal intent) and, second, that, even if that’s not correct, that a meta-belief that you lack criminal intent collapses into a lack of criminal intent. This second argument has mixed results that usually correlate with the reasonableness of the meta-belief (which in this case would be extremely reasonable).)