In an area of law that worries many white hat hackers, the Computer Fraud and Abuse Act (CFAA) makes testing websites and vulnerabilities somewhat risky. In 1986 the CFAA amended the Comprehensive Crime Control Act of 1984, to cover unauthorized access to a computer.
Now , it seems that anyone can scrape public data from a website without violating the CFAA. Previously, companies like Craigslist, Facebook and LinkedIn tried to use the CFAA in a civil context when suing individuals and organizations who were scraping data from their services. While scraping data may still violate terms of service, the courts in this case have decided that criminal and civil charges through CFAA law don’t apply, at least in this specific instance. As it turns out, the same court also ruled in that the CFAA does apply when accessing private content, even authorized by the user, given that in both cases a cease and desist letter was sent.
Between these two cases, the courts cases don’t make a clear distinction of what the CFAA covers so further court cases may overturn either decision. Perhaps we can interpret the outcome of both cases to mean that if access to the data is possible without a login then the CFAA doesn’t apply. But, the CFAA covers password-protected company data even if it’s available through other public means, including template data like HTML, even if the end user allows access.
We will watch this closely because we rely on CFAA to protect us from hackers. But when abused, a company could use this law could prevent other companies from competing. It also could prevent white hat hackers from calling out companies with weak security leaving the internet less secure. Hopefully This will not happen.