The revised policy, which takes effect immediately, seeks to avoid unnecessarily punishing true “good faith” security research while bolstering U.S. national privacy and cybersecurity efforts. It will also allow the DoJ to focus its resources on cases that clearly violate the CFAA.
“Good Faith” Security Research Not Prosecutable
This is the first time the DoJ has revised this policy since it was issued in 2014, with new appropriate considerations for prosecutors contemplating charges under the CFAA. The CFAA, enacted in 1986, has been amended several times over the years to keep up with the constantly evolving technology and cybersecurity landscape. According to the DoJ’s statement, good-faith security research includes ethical hacking as well as accessing a computer solely for investigation, and/or mitigating security flaws or vulnerabilities. The revised policy covers such activities provided they are carried out to avoid individual or public harm, and strengthen the security of the system(s) being tested. The DoJ acknowledged the distinction between “good faith” research and misuse of access — such as when owners of devices are extorted, or where access was not authorized in the first place. Prosecutors are to consult the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) to determine instances where the revised policy applies. All prosecutors looking to charge defendants under the CFAA will have to adhere to the new policy as well as inform the Deputy Attorney General, the DoJ said.
Sigh of Relief for Security Researchers
The DoJ’s new policy allows the cybersecurity community to breathe a sigh of relief. “This CFAA guidance will hopefully improve the lives of people (like me) who fear retaliation for trying to do the right thing,” data breach hunter Chris Vickery tweeted. “The CFAA, the nation’s main cybercrime law, has been the subject of intense scrutiny over the years amid allegations of prosecutorial overreach,” Politico cybersecurity reporter Eric Geller remarked in a tweet. Legal experts have argued against overly expansive interpretations of the CFAA. In one instance, police officer Nathan Van Buren was convicted for exceeding authorized access after accessing a license plate database for a case, according to his lawyers. The Supreme Court later overturned the conviction following a 6-3 vote in Van Buren’s favor. Perhaps the worst known case of CFAA overreach is that of freedom hacktivist Aaron Swartz, who committed suicide in jail in 2013 while awaiting trial with the possibility of a decades-long jail sentence. Swartz was charged with violating the CFAA after downloading millions of journal articles from JSTOR. His lawyers argued he had authorization from the Massachusetts Institute of Technology (MIT) to do so.
U.S. Deputy Attorney General’s Remarks
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in the statement. The revisions to the CFAA are going to support good-faith security researchers who “root out vulnerabilities for the common good,” she added. By eliminating ambiguity and confusion with a much clearer policy, the DoJ will be able to focus its resources solely on cases where a system was accessed without authorization, or where a security researcher accessed an additional part of a system that their authorization did not extend to. Charging security researchers with CFAA violations now “requires a nuanced understanding of technology.” However, claiming to be conducting security research “is not a free pass for those acting in bad faith,” the statement reads. If you would like to learn more about the different types of hackers and what qualifies for ethical hacking, check out our guide to hacking.