How Can SHODAN Help Prevent Cyberattacks?

Sara Sass is a biomedical engineer of Persian and German heritage. She has years of patent and pharmaceutical experience and is a student at American University Washington College of Law. Sara wrote this essay in her individual capacity and its contents do not necessarily reflect the views of her employer.

The Department of Homeland Security (DHS) uses the international search engine SHODAN to test risks to industrial control systems. SHODAN.io indexes internet-connected devices and lets users query that index by search term. Online devices such as energy management systems, baby monitors, webcams, power plants, iPhones, wind turbines, traffic lights, routers, electric grids, manufacturing companies, and even the Lawrence Berkeley National Laboratory all appear in SHODAN's results. A dozen institutional cybersecurity firms "pay five figures annually for access to SHODAN's entire database of 1.5 billion connected devices."

Business owners can determine the extent of their online exposure by using SHODAN. With that data gathered, the business can apply stringent security measures such as firewalls and router access control lists to at-risk devices, change operating systems, or remove the online access entirely, all in compliance with the CFAA. The business can also attempt to hack its own at-risk device, learning from an outside perspective how access to its own system could be gained.

SHODAN is a search engine. It presents unbiased data by searching the internet for connected devices. Finding a product among SHODAN's search results of IP addresses, IP address locations, network names, network titles, company names and company products would not violate any section of the CFAA, because the service is publicly available and any user can get ten results for free. "Approximately 10,000 users pony up a nominal one-time fee of up to $20 to get 10,000 results per search. A dozen institutional users, all of them cybersecurity firms, pay five figures annually for access to the entire database of 1.5 billion connected devices." A business paying the nominal one-time fee receives 10,000 search results per search, probably more than necessary unless the business has many online devices. Who should pay the fee, who should search, and who should control the search results? To abide by the "authorized access" limitation of the CFAA, it would be best if an IT specialist or the most privileged user of the business (i.e., the user with the administrative passwords or total administrative access to the computer network) paid the fee, ran the search on their assigned business computer, and transferred any results identifying faulty devices to the IT department. The fee would be recorded and reimbursed by the business.

Authorized access would be better defined by contract terms that identify the authorized SHODAN accessor, the time spent on SHODAN, the search terms used and their relevance to the business and its products, and that include a non-disclosure agreement covering all SHODAN search results submitted to the company, all agreed before that administrator could access SHODAN. Such contract terms would be designed to define and limit authorized access, since a user's unauthorized access is required for a CFAA violation. For CFAA purposes, unauthorized access falls under two categories: "without authorization" or "exceeding authorized access." With a required contract specifically defining what authorization or authorized access is before a business user interacts with SHODAN, CFAA violations are avoided, or are at least clearly defined in terms of authorization violations.

The required business contract for SHODAN users would specify with whom the collected information can be shared. For example, in Bioservices Corp. v. Lugo, a pharmaceutical care provider sued its former employees for violating the CFAA by obtaining confidential patient reports on their work computers, emailing them to private email accounts, and sharing them with a new employer. The former employees argued that during their employment they were permitted to access such information and were also permitted to use private email, so no CFAA violation occurred. Using SHODAN would not impinge on other employee duties, but sharing SHODAN results with other employers would be regulated or prohibited by contract. The court in Bioservices agreed that the CFAA cannot be read to encompass and criminalize frauds that merely happen to involve the use of a computer somewhere in the course of their commission, as the plaintiffs' interpretation seemed to require. Nevertheless, the intent of those who use SHODAN for business purposes must be evaluated for CFAA violation with respect to access to privileged information. If employees have initial access to confidential information in the plaintiffs' computer system, that initial access can become unauthorized access when the confidential information appears in a private email account. To protect confidential information found using SHODAN, employers should contract with their employees over computer access and authorization. Breach of such a contract can result in CFAA damages, paid by the employees in breach.

If the business does not create a contract for SHODAN-accessing employees, relief under the CFAA may still be possible for any unauthorized access to, or distribution of, confidential information found through SHODAN. This is because the damages section of the CFAA provides relief for discovered unauthorized access. For example, in a 2001 class action against AOL, a court found that the allegations in the consumers' complaint against AOL did not fail to state a claim under § 1030(a)(5)(A) simply because "exceeds authorized access" is not included within that provision. The other language of the CFAA, the damages section, supported the consumers' position. The court wrote that "the CFAA makes it clear that damage is to be measured as it stems from one act, not a single computer, and thereby affects several individuals." If, in accessing SHODAN results, an employee were to use a residential or privately owned computer over an insecure connection, that employee could violate the CFAA.

Remote access by employees interpreting and gathering SHODAN results will not violate the CFAA as long as the access is permitted and the employee is entitled to it. In the Tennessee case ReMedPar, Inc. v. AllParts Medical LLC, a former employee of ReMedPar went to work for a competing medical parts company. This employee had access, including remote access, to ReMedPar's computer system and to its source code for his job while he was an employee, and as an independent contractor after formally resigning his employment at ReMedPar. Not every circuit has addressed this agency theory of authorization; the Sixth Circuit has not, but the Seventh and First Circuits have. The employee's misuse of information he was authorized to access did not constitute a CFAA violation. Exceeding authorization, required for a CFAA violation, did not occur because the employee had permission and did not access information to which he was not entitled. Establishing which employees are entitled to SHODAN results or to the SHODAN subscription is vital in preventing CFAA violations for exceeding authorization.

Remote access by employees who use personal email as a simple data transfer mechanism but who remain loyal to the business accumulating SHODAN results is also likely permitted under the CFAA. Employees permitted to access SHODAN results, who have no interest in passing those results to a competitor but use a personal computer, will likely not violate the CFAA. This is especially true in the Ninth Circuit, where courts reject the interpretation that employees breach a duty of loyalty to their company by emailing confidential documents and information to a personal computer. The Ninth Circuit has written that:

Nothing in the CFAA suggests that a defendant's liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer. If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.

So the employee's loyalty is an important factor in determining unauthorized access, and there is no discernible damage under the CFAA if the SHODAN results are not sent to a competitor or a public source.

If the SHODAN results are particularly vital to another business department, transferring them may not constitute a CFAA violation. Third parties that access confidential information without knowing that it is confidential or where it came from cannot be held liable under a CFAA claim. Subsequent activity involving data already taken from protected computers is not within the purview of the CFAA. However, the transfer of results is rooted in the original authorization of the SHODAN accessor, and if that authorization violates the CFAA, damages will still accrue. So it is important that the employee's original acquisition of the data is within the boundaries of the CFAA, to avoid damages. It is beneficial that the SHODAN accessor can communicate relevant results to other departments without those departments being held liable. This lets the entire business stay up to date with the SHODAN results and take appropriate action, under ICS-CERT or NERC guidance for example, while steering clear of CFAA violations.

Another effective authorization boundary established in precedent is a website warning. As in Cvent, Inc. v. Eventbrite, Inc., an "I agree" checkbox following a list of terms would further define authorization on the system used for SHODAN-enabled checking. The "I agree" step could exist in addition to password-protected modems and password-based log-in to ensure that the accessor is authorized to test SHODAN-identified devices.

If the business does not require any login, password or individualized grant of access, then it can be argued that no authorization to access data was exceeded. Further, if the business posts Terms of Use on its website to deter direct copying of sensitive data, with a provision such as "no competitors or future competitors are permitted access to our site or information, and any such access is unauthorized," courts will analyze what affirmative steps were taken to protect that data. Affirmative steps the courts have found adequate to protect confidential data include manifesting assent to the website's Terms of Use by clicking an "I agree" box before gaining access. In Cvent, the plaintiff posted Terms of Use on its website to combat direct copying, stating that "no competitors or future competitors are permitted access to our site or information, and any such access is unauthorized." However, Cvent took no other affirmative steps to prevent competitors from accessing the website's venue lists. The court in Cvent further noted that the Terms of Use, placed at the bottom of the website in fine print, were not displayed in a way a reasonable user would fully understand. So the court granted Eventbrite's motion to dismiss Cvent's allegation of a CFAA violation. Providing "I agree" boxes on websites holding sensitive data, with Terms of Use warnings in large print, would overcome the CFAA issues the court found in Cvent's case.

Another affirmative step would be password protection on the SHODAN results, for every employee, on the computer or series of computers holding them. Routinely changed passwords, applied in line with the prioritized device list, address the DHS-identified network weaknesses.

If the SHODAN results are valuable enough, hackers may use specific tools to attempt to gain access to them. One such tool is a "crawler," a script that scans websites to create an index of each website's data. One scraper analyzed by the courts was designed by Explorica employees and sent more than 30,000 inquiries to competitor EF's website. The result was 60,000 recorded lines of data, or eight phonebooks' worth. Explorica and EF had signed a confidentiality agreement covering scraper creations prior to the litigated incident. While the scraper's access was substantial, the issue is whether Explorica scraped "without authorization" or "exceeding authorized access." Hacking tools such as crawlers may copy a substantial amount of confidential data, but the volume of data alone does not necessarily constitute a CFAA violation. It is the duty of the original collector of the confidential data to protect it, or to define its authorized access.

Businesses can define authorized access by contract. A broad confidentiality agreement signed by both parties in EF Cultural Travel BV v. Explorica, Inc. provided that the Explorica employees were to "maintain in strict confidence and not to disclose to any third party, either orally or in writing, any confidential or proprietary information...and never at any time directly or indirectly publish...any confidential or proprietary information," where "confidential and proprietary information" was defined as "any technical, business or financial information." EF's CFAA claim succeeded because this contract accurately defined authorization.

Damages can also be granted if a company brings a trade secrets case instead of a CFAA action. The CFAA's language explicitly protects against those who knowingly, and with intent to defraud, access a protected computer without authorization or exceed authorized access, and by this conduct obtain confidential data of value. Businesses must define authorized access, by contract, password protection or some other affirmative step, in order to bring a claim under the CFAA. If this is not done and a hacker obtains confidential information, a trade secret lawsuit may be the better remedy.

SHODAN-identified devices of the business will likely be knowingly and intentionally harmed in the course of testing new or old business cybersecurity systems. The CFAA does not define a violation solely by a party "knowingly" transmitting a program or command that "intentionally" causes harm; that party must also be guilty of unauthorized access. Once the SHODAN search results are available to staff, authorized users identify which online devices are at risk. Because SHODAN narrows search results to IP addresses, users would identify online products by their IP addresses. Once identified, the devices could be turned off to end the online presence, placed behind firewalls, fitted with a secondary means of access that shuts the device down in case of unauthorized use, or protected with authentication systems or routers with Access Control Lists, all measures suggested by DHS as cybersecurity strategies.
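The identification-and-remediation step described here, together with the exposure check in the earlier paragraph on determining online exposure, as an added Python example that is not part of this essay: it triages constructed Shodan-style host records against a hypothetical address range owned by the business, discards anything outside that range, and ranks the in-scope exposures by remediation urgency. The sample records, the 203.0.113.0/24 range and the port-to-action mapping are assumptions, not page content.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape of Shodan host-lookup "data" entries
# (ip_str, port, transport, product). Not live SHODAN output.
SAMPLE_RESULTS = [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp", "product": "Modbus"},
    {"ip_str": "203.0.113.11", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.12", "port": 23, "transport": "tcp", "product": "telnetd"},
    {"ip_str": "203.0.113.20", "port": 1911, "transport": "tcp", "product": "Niagara Fox"},
    {"ip_str": "198.51.100.7", "port": 22, "transport": "tcp", "product": "OpenSSH"},
]

# Hypothetical address space owned by the business; records outside it are ignored.
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Well-known industrial-protocol and remote-administration ports.
ICS_PORTS = {502: "Modbus", 20000: "DNP3", 44818: "EtherNet/IP", 47808: "BACnet", 1911: "Niagara Fox"}
ADMIN_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}

def classify(port):
    """Map an exposed port to a severity and one of the DHS-style remediations."""
    if port in ICS_PORTS:
        return "critical", f"{ICS_PORTS[port]}: take offline or reach only via an ACL-restricted gateway"
    if port in ADMIN_PORTS:
        return "high", f"{ADMIN_PORTS[port]}: restrict with a router ACL to management hosts"
    return "review", "confirm the exposure is intended; otherwise place behind the firewall"

def triage(results, own_ranges):
    """Keep only hosts inside own_ranges and return findings, most urgent first."""
    findings = []
    for rec in results:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in own_ranges):
            continue  # not our device: out of scope, leave it alone
        severity, action = classify(rec["port"])
        findings.append({"ip": str(ip), "port": rec["port"], "severity": severity,
                         "product": rec.get("product", "unknown"), "action": action})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                 ipaddress.ip_address(f["ip"]), f["port"]))
    return findings

def by_host(findings):
    """Group findings by IP so each device's full exposure is visible at once."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append((f["port"], f["product"], f["severity"]))
    return dict(grouped)
```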

Testing the modified and updated products or devices is more complex if done off-campus. External wireless access points can be used to reach the internal workings of the network, and so should be used to try to access the modified products in order to prove the system's efficacy. However, by enabling an employee to reach the product from outside the system, the business may be placing that employee in unauthorized access in violation of the CFAA. Section § 5(A)-(C) of the CFAA provides "that whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage" is at risk of violation. The CFAA further provides that this knowing and intentional cause of damage must be by a person who:

intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby (A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period . . . . .

This provision enables authorized employees, intending to test at-risk devices and possibly damaging them in doing so, to do that without being charged with a CFAA violation.

Using SHODAN in compliance with the CFAA as described above would combat cyberattacks with a tool that hackers themselves use, while remaining well within the bounds of the law.
