Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the power of American anti-hacking law.
Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said.
The data came from applications for credit cards, and included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began on Tuesday in Seattle.
The methods Ms. Thompson used to discover the information, and what she planned to do with it, will be closely scrutinized in the case. Ms. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Ms. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a “novice white-hat hacker.”
Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, like using a pseudonym on a social media site that requires users to go by their real names.
In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in “good-faith security research.”
Ms. Thompson’s trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Ms. Thompson had planned to use the information she gathered for identity theft, and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency. But her lawyers have argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflected the same practices used by legitimate security researchers and should not be considered criminal activity.
“They are interpreting a statute so broadly that it captures conduct that is innocent and as a society we should be supporting, which is security researchers going out on the internet and trying…