The Supreme Court will hear its first big CFAA case

The nation’s highest court will begin hearing arguments on Monday in a case with the potential to significantly reshape America’s existing computer hacking legislation and, in turn, influence the way countless individuals use computers and access services online.
Enacted in 1986, the Computer Fraud and Abuse Act is a federal law that, while predating the modern internet, continues to define what constitutes hacking, or “unauthorized” computer or network access. Though initially intended to prosecute malicious hackers, the law has drawn criticism for being outdated and imprecisely worded, leading some to label it the “worst law” in technology and raising concerns that it could hinder legitimate security research.
The case revolves around Nathan Van Buren, a former police sergeant from Georgia. Van Buren leveraged his authorized access to a police license plate database to conduct a search for an associate in return for payment. He was subsequently charged and convicted on two counts: accepting a bribe for database access and violating the CFAA. While the first conviction was reversed, the CFAA conviction stood.
Although Van Buren possessed legitimate access to the database through his employment, the central legal issue is whether his actions exceeded that authorized access.
Orin Kerr, a professor of law at the University of California, Berkeley, characterized Van Buren vs. United States as an “ideal case” for the Supreme Court to consider. He asserted in an April blog post that “the core question is presented with exceptional clarity.”
The Supreme Court’s objective is to clarify the meaning of “unauthorized” access within the decades-old law, a task that is not straightforward.
Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s law school, explained that the Court’s decision could determine whether numerous everyday computer users are unknowingly committing a federal offense when engaging in activities that, while common, contravene an online service’s or employer’s terms of use. (Pfefferkorn’s colleague, Jeff Fisher, is representing Van Buren before the Supreme Court.)
The Court’s interpretation of “unauthorized” remains uncertain. It could range from violating a website’s terms of service to accessing a system without a valid user account.
Pfefferkorn suggested that a broad interpretation of the CFAA could potentially criminalize actions such as misrepresentation on a dating profile, sharing streaming service login credentials, or utilizing a company computer for personal purposes against company policy.
However, the Supreme Court’s ultimate ruling will also have significant implications for ethical hackers and security researchers who intentionally exploit system vulnerabilities to enhance security. These individuals have historically operated in a legal gray area, as the existing law exposes their work to potential prosecution, even when motivated by cybersecurity improvements.
For years, technology companies have encouraged hackers to confidentially report security flaws. In exchange, these companies address the vulnerabilities and compensate the hackers for their efforts. Companies like Mozilla, Dropbox, and Tesla have taken further steps by pledging not to pursue legal action against good-faith hackers under the CFAA. Conversely, some companies have resisted such scrutiny, threatening legal action against researchers and even initiating lawsuits to suppress unfavorable findings.
Security researchers are accustomed to legal challenges, but a Supreme Court decision unfavorable to Van Buren could discourage their work and push vulnerability disclosure into secrecy.
“If violating a computerized system’s usage policy carries potential criminal (and civil) penalties, it would empower system owners to prohibit legitimate security research and silence researchers from disclosing discovered vulnerabilities,” Pfefferkorn stated. “Even unintentional deviations from bug bounty program guidelines could expose a researcher to legal liability.”
“The Court has an opportunity to resolve the ambiguity surrounding the law’s scope and create a safer environment for security researchers to conduct their crucial work by adopting a narrow interpretation of the CFAA,” Pfefferkorn added. “We cannot afford to deter individuals dedicated to improving cybersecurity.”
The Supreme Court is expected to issue a ruling in this case later this year or in early 2021.