As the Heartbleed story broke last week, a number of individuals and security vendors released tools designed to test for the vulnerability. One very popular tool was written and hosted by Filippo Valsorda. Many systems administrators took advantage of this free tool in order to test the security of their own systems.
Tools that test for vulnerabilities make the internet more secure. Consumers feel safer knowing their bank or email provider is not leaking sensitive information. Similarly, websites which do not promptly patch their systems put their customers’ data at risk, and assessment tools make that exposure visible. A publicly-available assessment tool allows anybody to test whether the sites they rely on are properly protecting their data.
But releasing these assessment tools to the public is problematic from a legal perspective. Using a security assessment tool to test any site you don’t control is a violation of the Computer Fraud and Abuse Act (CFAA).
The CFAA is codified at 18 USC § 1030, which defines the crimes that arise from computer misuse. Multiple clauses of this law could be violated by scanning a website for vulnerabilities without prior authorization. The Heartbleed bug allows an attacker to receive information located in a server’s memory just by asking for it: a heartbeat request that claims a larger payload than it actually carries is answered with that many bytes, copied from whatever follows the request in memory. So the way to assess whether a particular server is secure is to ask for extra information and see whether the server provides it; a server that is vulnerable necessarily hands over some of its memory in the process. Subsection (a)(2)(C) of 18 USC § 1030 deals specifically with unauthorized access to information:
(a) Whoever —
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(C) information from any protected computer;
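The mechanism described above, as an added example that is not part of the original post and not Filippo Valsorda’s tool: a simulation of an RFC 6520 heartbeat handler in the vulnerable and the patched form, run entirely against a constructed in-memory buffer rather than any real server. The `HEAP` bytes, the function names and the `patched` switch are assumptions made for the illustration. It shows that the only way to tell the two servers apart is to send an over-long length claim and inspect what comes back, which is exactly the “obtains information” act the statute describes.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed sample of "whatever happened to sit after the request in memory".
# Not real data; stands in for other connections' buffers on a busy server.
HEAP = b"GET /login HTTP/1.1\r\nCookie: session=abc123; Authorization: Basic dXNlcjpwYXNz\r\n"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a HeartbeatMessage whose header claims `claimed_length` payload bytes.

    A well-formed request passes claimed_length == len(payload); the Heartbleed
    probe passes a larger value than it actually sends.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(record: bytes, process_memory: bytes, patched: bool) -> Optional[bytes]:
    """Simulate a server handling one heartbeat record.

    `process_memory` models the bytes that follow the record in the server's
    address space. The vulnerable branch trusts the length field and copies that
    many bytes; the patched branch rejects any length that does not fit inside
    the record it actually received (the CVE-2014-0160 fix in OpenSSL).
    """
    msg_type, claimed_length = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if patched and 1 + 2 + claimed_length + MIN_PADDING > len(record):
        return None  # silently discard, as the fix does
    # Vulnerable behaviour: memcpy(claimed_length) starting at the payload,
    # which runs past the end of the record into adjacent memory.
    buf = record + process_memory
    payload = buf[3:3 + claimed_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_length) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(sent_payload: bytes, response: Optional[bytes]) -> bytes:
    """Return whatever the server echoed beyond the payload we actually sent."""
    if response is None:
        return b""
    _, length = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + length]
    return echoed[len(sent_payload):]


def is_vulnerable(process_memory: bytes, patched: bool) -> bool:
    """The assessment: over-claim the payload length and see whether extra bytes come back."""
    sent = b"hello"
    probe = build_heartbeat(sent, len(sent) + MIN_PADDING + 20)  # ask for 20 bytes past the record
    response = handle_heartbeat(probe, process_memory, patched)
    return len(leaked_bytes(sent, response)) > 0


if __name__ == "__main__":
    probe = build_heartbeat(b"hello", 41)
    vuln = handle_heartbeat(probe, HEAP, patched=False)
    print("vulnerable server leaked:", leaked_bytes(b"hello", vuln)[MIN_PADDING:])
    print("patched server replied:", handle_heartbeat(probe, HEAP, patched=True))
    print("is_vulnerable(patched=False):", is_vulnerable(HEAP, patched=False))
    print("is_vulnerable(patched=True): ", is_vulnerable(HEAP, patched=True))
```

Note that the leaked slice begins with the request’s own 16 padding bytes, followed by memory the probe never sent; a real scanner only needs to compare the response length with the request length, but what it receives is still the server’s memory contents.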
What exactly is a “protected computer”? The CFAA defines such in subsection (e)(2):
(e) As used in this section–
(2) the term “protected computer” means a computer–
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(The growth of the internet, unforeseen when the CFAA was introduced in 1986, essentially means that a “protected computer” as defined above covers every internet-connected computer, as they are used in “interstate or foreign commerce or communication”.)
Of course, being charged under one section of the CFAA does not preclude being charged under additional sections. Subsections (a)(5)(B) and (C) cover damage caused by unauthorized access, reaching anyone who:
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
Subsection (b) of 18 USC § 1030 makes attempting or conspiring to commit unauthorized access a crime in itself. Use of a vulnerability assessment tool could be considered tantamount to “casing the joint” before actually committing the crime:
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
The provisions of the CFAA were intended to fight crime, but they’ve made criminals out of every internet user who is concerned about security. Criminalizing security research makes us all less safe – after all, how does anyone know who to trust without basic knowledge regarding security practices?
The inability of prosecutors to uniformly enforce this outdated law also creates a system of selective enforcement. Since it’s impossible to punish everyone, a federal prosecutor can choose who they would like to charge under this law. The technology community is painfully aware of what happens when overzealous prosecutors take the CFAA too far.
Part of this problem is symptomatic of a larger issue. As it stands, it is currently impossible to count the number of federal crimes that could be committed:
“There is no one in the United States over the age of 18 who cannot be indicted for some federal crime,” said John Baker, a retired Louisiana State University law professor who has also tried counting the number of new federal crimes created in recent years. “That is not an exaggeration.”
There have been recent efforts to reform the CFAA. A bill introduced by Zoe Lofgren would eliminate penalties for Terms of Service violations, such as using a friend’s Netflix account or joining a class-action lawsuit against Steam or Sony. While these reforms are a step in the right direction, they do not go far enough to de-criminalize responsible online behavior.