In October 2021, Josh Renaud exposed two dangerous flaws: one in the code of a website and another in the American cyber regulatory regime. As a reporter for a Missouri newspaper, Renaud located a vulnerability on a state agency’s website which endangered the Social Security numbers of more than one hundred thousand educators. He disclosed the flaw to the state and ensured it was patched before he published a story about the incident. While many private companies pay handsome rewards to those who uncover and report vulnerabilities in their code, Renaud received little thanks from the Missouri state government. Instead, Gov. Mike Parson (R) accused the paper of violating a state anti-hacking law and ordered the State Highway Patrol’s digital forensic unit to look into the incident, although a prosecutor later declined to bring charges.
In the wake of the controversy, Renaud has been declared the “poster child for overbroad hacking laws.” His ordeal highlights how decades-old laws fail to account for the realities of rapid digital development. The law referenced by Gov. Parson, the Computer Fraud and Abuse Act, makes it illegal to access personal information online without permission. It states that someone illegally tampers with data if they “knowingly and without authorization” access “a computer, a computer system or a computer network, and intentionally examines information about another person.” The prosecutor who declined to press charges asserted, “the law does appear to be so vague that it basically describes someone using a computer to look up someone’s information.” Critics of Gov. Parson warn that his understanding of the law disincentivizes well-intentioned individuals from disclosing security flaws.
The Renaud controversy raises real concerns about overly broad and outdated hacking laws at both the state and national level. Nevertheless, a recent court case involving Facebook and the Wiretap Act, written in 1968 and amended in 1986, suggests not all pre- or early-internet technological regulation should be quickly written off as irrelevant. In 2012, a group of users sued Facebook for tracking their browsing history even after they had logged out of their accounts. The users alleged that Facebook had violated the Wiretap Act, which prohibits unauthorized interception of electronic communications. While the case was initially dismissed by a federal judge in 2017, the U.S. Court of Appeals for the Ninth Circuit reversed the ruling in 2020, finding that Facebook’s practices violated users’ reasonable expectation of privacy by failing to secure proper user consent under the Wiretap Act. In March, ten years after the initial lawsuit, Facebook’s parent company Meta agreed to a $90 million settlement and pledged to delete user data collected between April of 2010 and September of 2011.
The success of the Wiretap Act’s protections on user privacy in this case should not be misconstrued to represent the complete adequacy of decades-old digital privacy law. In fact, the Electronic Communications Privacy Act of 1986 (ECPA), which updated the Federal Wiretap Act of 1968, has long faced criticism for its outdated nature. In particular, privacy advocates protest law enforcement’s ability to access older data stored on servers and in the cloud for over six months without a warrant. While the ECPA may need to be modernized, it is important to recognize that it still contains meaningful protections, such as its prohibition on the unauthorized interception of electronic communications. The commitment to privacy in communications so apparent in the Wiretap Act remains cogent even as the practice of electrically tapping physical telephone lines has waned.
While outdated, vague anti-hacking regulation is a legitimate danger to national security, broad language can be an asset when it comes to protections on digital privacy. It can allow room for interpretation that safeguards rights even as digital platforms rapidly evolve. Of course, the potential of broad language can only be realized if those interpreting and implementing the laws do so well. The efficacy of cyber policies is just as dependent on the officials who execute them as it is on the language of the laws themselves. Government officials who implement laws and judges who interpret them must have knowledge of technology, digital policy, and its ramifications. Unfortunately, there have been far too many incidents of government lawyers and judges struggling with the technical aspects of the cases that come before them. While the Missouri hacking case is an important warning of the need to revisit U.S. cyber regulation, it’s also a stark reminder that the way officials interpret the law can create new challenges.
A comparison of the Missouri and Meta cases illustrates an interesting dichotomy wherein cyber regulation can be too broad while protections on digital rights are too narrow. While far too many people may be criminalized by Missouri’s anti-hacking law, far too little internet activity is protected by U.S. state and federal privacy laws. This distinction can give lawmakers direction as they work to craft effective governance for the 21st century. Lawmakers need to update anti-hacking laws to include narrower, precise language to protect well-intentioned individuals such as Renaud from undue penalization. Simultaneously, lawmakers need to broaden digital protections to safeguard Americans’ privacy even as technology evolves. Yet all of these changes may be for naught if the people tasked with implementing and interpreting the law lack the necessary technical acumen. Looking forward, to improve the U.S. cyber regulatory apparatus policymakers must address both the shortcomings of laws and the people who enforce them.
Jessie Miller is the Digital and Cyberspace Policy Program intern at the Council on Foreign Relations.