US Fraud Trial Faces Limits of Anti-Hacking Laws, as 1984 Computer Fraud and Abuse Act is Vague & Weak
A former software engineer and Amazon employee, accused of being the mastermind behind one of the most massive data breaches in the US, is now facing a federal trial in Seattle.
She is charged with ten counts of computer fraud, wire fraud and identity theft.
Paige Thompson, 36, is accused of downloading secure, personal data of over 100 million Capital One customers. The stolen data includes about 140,000 social security numbers, personal information from credit card applications plus 80,000 bank account numbers.
Thompson has pleaded not guilty.
She is accused of violating the Computer Fraud and Abuse Act, an anti-hacking law. This Act makes it illegal to gain access to any computer, from business to personal ones, without authorization. The Computer Fraud and Abuse Act (CFAA) was passed in 1984.
Based upon this law, the Act states authorities must prove Thompson “(1) intentionally accessed a computer; (2) lacked authority to access the computer or exceeded granted authority to access the computer; (3) obtained data from the computer; and (4) caused a loss of $5,000 or more during a one year span.”
But this law, created in 1984, is considered out of touch with today’s exponentially different technology, including how hackers access and steal private data.
Thompson’s lawyers told the court that what she did was scan online for weaknesses and then review the data available to view, all proving she was nothing more than a “novice white-hat hacker.”
This statement by Thompson’s lawyers may indicate their strategy to argue that just like in a previous Supreme Court case, their client did not violate the Computer Fraud and Abuse Act.
Over the years, the 1984 Computer Fraud and Abuse Act has been considered vague and weak by many attorneys, legal experts, and news outlets. The verbiage, according to numerous critics, is so broad that it may be used to criminalize the regular use of computers by anyone.
In 2021, the Supreme Court considered the case of Van Buren v. United States. This case looked at concerns about the scope of the CFAA, as the justices reviewed a then-police sergeant who used a law enforcement computer to do a license plate search after being told he’d receive $5,000 to do the hack.
The Supreme Court agreed the actions of the former sergeant were wrong, but they considered whether he had violated the CFAA. The justices voted 6 -3 that the sergeant had not violated the CFAA.
The language in the CFAA is vague. For example, the CFAA states that a person violates the Act when they are “without authorization” but then does not explain anywhere what “without authorization” is in the CFAA. Also in the CFAA is vague language about someone who “exceeds authorized access.”
The Supreme Court’s decision that Van Buren did not violate the CFAA may influence the outcome of Thompson’s case and also signify the reality that a new, modern CFAA should be created to define more accurately today’s hacking realities.
In their decision in the Van Buren case, the justices stated that when a citizen access a computer with authorization but uses data found in another part of the computer’s files, this act “exceeds authorized access.”
But in Thompson’s case, since she worked as a software engineer at Amazon, was she allowed to view and read the data she is accused of hacking? In her case, she might not be found guilty of violating the CFAA, depending on her specific authorized access via Amazon in her role as a software engineer.
Other recent cases also reflect issues with the lawsuit due to current hacking laws. A few months ago, a federal appeals court ruled that web scraping, a common AI automatic form of data collection taken from public websites, did not violate the CFAA. The Department of Justice announced in June that they will not use the CFAA law to prosecute hackers anymore if they were acting with "good-faith security research.”
