2016 marks the 30th anniversary of the Computer Fraud and Abuse Act (CFAA), the main anti-hacking law in the US. Since its inception, the CFAA has been deeply contentious, with strong criticism that it is overly broad and vague, that it is too harsh (or, conversely, not harsh enough) in sentencing, and that it is fundamentally unable to keep up with the speed of evolution of the technology usage it is designed to police.
Perhaps more troubling for the security community, the CFAA contains both civil and criminal causes of action, enabling some technology vendors to use it as a handy stick to threaten security researchers away from making important disclosures. This, combined with the factors above, is widely believed to be creating a chilling effect on security research. Yet recent attempts to update the CFAA have proven fruitless and highly contentious, with disagreement and frustration on all sides of the debate.
In this session, we will discuss the purpose and history of the CFAA, high-profile cases and lessons learned, the impact on security research, and our predictions for the future of the CFAA. To cover all that ground, this session will be an unusual mixture of presentation and panel. In the first half, Jen Ellis (security research advocate) and Leonard Bailey (DOJ) will provide a factual overview of the law. In the second half, Leonard will be joined by Nate Cardozo (EFF lawyer), Cristin Flynn Goodwin (Microsoft lawyer), and Tod Beardsley (Rapid7 security researcher) to discuss their varied points of view on this contentious law, and their hopes for future application and developments.