On Nov. 21, 2024, the Virginia Supreme Court issued a pivotal ruling with significant implications for corporate security, ethical hacking, and everyday computer users. The Commonwealth v. Wallace decision greatly expands the scope of Virginia’s computer fraud law, turning any unauthorized use of a computer into a state hacking crime.
The Hacking Policy Council previously warned that overly broad state laws risk conflating security research and ordinary internet activities with malicious cybercrime. While substantial progress on this issue has been made at the federal level, sweeping state statute language and court decisions, such as Commonwealth v. Wallace, demonstrate the need to focus enforcement of state anti-hacking laws on actual criminal behavior.
In the meantime, state laws continue to be a legal minefield for ethical hackers who test systems to identify vulnerabilities in an effort to improve cybersecurity. Prosecutorial discretion and guidelines will be key to focusing broad state computer crime laws on malicious behavior and not good faith security researchers.
Case background
The Virginia Computer Crimes Act (VCCA) prohibits a person from using or attempting to use a computer “without authority.” Under the VCCA, a person is without authority if they know or should have known they lack permission or exceed their permission to cause a computer or network to perform operations. VCCA violations carry criminal and civil penalties.
In the Commonwealth v. Wallace case, the defendant (Wallace) was convicted at trial of computer fraud under the VCCA after using a drive-through ATM to deposit forged checks. A central issue in the appeal of the case was whether Wallace’s use of the ATM was using a computer “without authority,” as prohibited by the VCCA.
The Court of Appeals of Virginia overturned the computer fraud conviction, finding that — as a bank customer — Wallace was authorized to use the ATM, and therefore Wallace’s conduct did not violate the VCCA. However, the dissenting appellate judges argued that Wallace knew or should have known that her conduct exceeded her permission to use the ATM because the bank does not authorize customers to deposit false checks.
The case then moved on to the Virginia Supreme Court. In a short and undetailed opinion, the Virginia Supreme Court reversed the Court of Appeals and sided with the dissenting opinion. An expansive interpretation of the VCCA is now the law of the state of Virginia.
Case implications
The Virginia Supreme Court’s opinion has potentially far-reaching implications. Under the precedent set by Wallace, the VCCA would criminalize persons who have authorization to use a computer or network but who use the computer for an unauthorized purpose. This may include the use of one’s own computer when the activity is in violation of terms of service or written agreements.
While this “prohibited conduct” approach may seem sensible in some situations, it is difficult to apply broadly without absurd results regarding what qualifies as a “hacking” crime. For example, this approach addresses the “insider threat” problem, such as employees misusing sensitive data which they are otherwise authorized to access. However, this “prohibited conduct” approach would also seem to criminalize a wide range of ordinary internet behavior – a classic example is lying about one’s age or identity on a social network.
At the federal level, the Computer Fraud and Abuse Act (CFAA) operated for several years with a circuit split on this precise issue. Several federal circuits interpreted the CFAA as prohibiting unauthorized conduct on computers, while several other circuits saw the CFAA as prohibiting unauthorized access to computers. Much was written regarding the overcriminalization effects of the former approach: in most cases warranting prosecution, unauthorized conduct – like forging checks or stealing sensitive information – is already illegal and need not be extra illegal just because a computer was involved.
In the context of the CFAA, the U.S. Supreme Court agreed that a broad interpretation of the CFAA was too problematic for commonplace computer activity. In its Van Buren v. United States opinion, SCOTUS held that it is not a CFAA violation to use a computer for impermissible purposes, so long as the user is authorized to access the computer in the first place.
However, the CFAA is a federal law, and SCOTUS’ opinion does not bind state computer crime laws like the VCCA. Under the Wallace decision, Virginia has decidedly taken the approach rejected by the U.S. Supreme Court as overbroad. It remains to be seen whether other states – many of which also have expansive and unclear computer crime laws – will do the same.
Impact on Cybersecurity Research
Security researchers play a crucial role in identifying vulnerabilities and helping organizations strengthen their defenses before malicious actors can exploit them. In many instances, individuals act independently and in good faith to find and report vulnerabilities for mitigation, thereby strengthening the cybersecurity of products and services for the good of the community. However, their efforts may not always align with terms of service or formal permissions, as most system owners do not explicitly grant authorization to probe systems for vulnerabilities.
Under the Wallace decision, good faith security research could be misinterpreted as computer trespass or other computer crimes, potentially leading to criminal and civil liability under the VCCA. This risks a chilling effect that deters researchers from pursuing their work, potentially allowing critical vulnerabilities to go undetected and unreported.
Advocacy for State Charging Policies
The Hacking Policy Council has been a leading voice in advocating for clearer legal protections for ethical hackers and pushing for greater consistency in how security research is treated across jurisdictions. Many other states, including Missouri, Iowa, and Maryland, have broad criminal laws that fail to make this distinction, creating significant legal uncertainty for ethical hackers.
In response, the Hacking Policy Council has urged state attorneys general (AGs) to adopt charging policies that curb unnecessary enforcement of computer crime laws against legitimate vulnerability testing. Specifically, the Hacking Policy Council has recommended that state AGs leverage existing legal definitions and the precedent set by the Department of Justice (DOJ). The DOJ issued a charging policy for CFAA enforcement that directs prosecutors to decline to charge individuals for good faith security research, while still discouraging bad behavior by hackers and preserving flexibility for prosecutorial discretion.
***
While Virginia’s Wallace ruling strengthens safeguards for many businesses, the decision risks overbroad application of the state’s computer crime laws to commonplace internet behavior and ethical hackers. Federal and international law increasingly recognize the value of good faith security research, bug bounties, and offensive security for protecting systems from malicious actors. States should consider taking steps to do the same, rather than risk penalizing security researchers for conduct that is protected by federal policies.