DOJ Changes CFAA Policy, Will No Longer Bring Criminal Charges Against Security Researchers
from the beware-the-private-sector,-however dept
The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
That doesn’t mean everything called “security research” will be given a free pass. The policy revision notes at least one exception from the new rule:
Security research not conducted in good faith—for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith. CCIPS can consult with prosecutors about specific applications of this factor.
This is a welcome improvement over the past several years of inconsistent application by the DOJ, something it has used in the past to go after a number of people just because the law — as interpreted by the DOJ — allowed it to, even if it appeared to be a vindictive waste of federal resources. Prior to this reboot of CFAA prosecution guidance, a lot was delegated to prosecutorial discretion, which wasn’t anything close to the much clearer standard being set here.
The policy revamp also clarifies much of the gray area surrounding the letter of the broadly written (and broadly interpreted) law that criminalizes plenty of everyday activity. This clarification aligns the DOJ with the spirit of the law, which is supposed to address serious criminal acts, rather than things like password-sharing or surfing the web while at work.
The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.
Some of this gray area was addressed by DOJ statements in the past. This release gathers up all of the DOJ’s concessions into a single document, making it that much easier for the public to understand and that much less likely for DOJ prosecutors to pretend they don’t. This removes a lot of the discretion that generated complaints about the law and the DOJ’s pursuit of alleged violators. It doesn’t codify anything and the DOJ remains free to roll it back, but for now, it’s a tremendous improvement over what we’ve had for the past three decades.
Unfortunately, it won’t do anything to prevent the private sector from abusing the CFAA to threaten software developers, security researchers, and third-party services with lawsuits over alleged violations. Private companies will still be able to punish people who use or access their systems/platforms in unexpected ways by dragging them to court. Hopefully, judges will make use of the DOJ’s new guidance to dump bogus CFAA lawsuits by pointing out the long list of actions the federal government no longer believes are violations of the law.