DOJ Changes CFAA Policy, Will No Longer Bring Criminal Charges Against Security Researchers

from the beware-the-private-sector,-however dept

The much-abused Computer Fraud and Abuse Act (passed in 1986) will no longer be abused quite as much… at least by the Department of Justice.

The DOJ recently issued a revised policy [PDF] on CFAA prosecutions — one that states the DOJ will no longer bring charges against security researchers operating in good faith.

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

That doesn’t mean everything called “security research” will be given a free pass. The policy revision notes at least one exception from the new rule:

Security research not conducted in good faith—for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith. CCIPS can consult with prosecutors about specific applications of this factor.

This is a welcome improvement over the past several years of inconsistent application by the DOJ, which has used the law to go after a number of people just because the law — as interpreted by the DOJ — allowed it to, even when the prosecution appeared to be a vindictive waste of federal resources. Prior to this reboot of CFAA prosecution guidance, a lot was delegated to prosecutorial discretion, which wasn’t anything close to the much clearer standard being set here.

The policy revamp also clarifies much of the gray area surrounding the letter of the broadly written (and broadly interpreted) law that criminalizes plenty of everyday activity. This clarification aligns the DOJ with the spirit of the law, which is supposed to address serious criminal acts, rather than things like password-sharing or surfing the web while at work.

The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.

Some of this gray area was addressed by DOJ statements in the past. This release gathers up all of the DOJ’s concessions into a single document, making it that much easier for the public to understand and that much less likely for DOJ prosecutors to pretend they don’t. This removes a lot of the discretion that generated complaints about the law and the DOJ’s pursuit of alleged violators. It doesn’t codify anything and the DOJ remains free to roll it back, but for now, it’s a tremendous improvement over what we’ve had for the past three decades.

Unfortunately, it won’t do anything to prevent the private sector from abusing the CFAA to threaten software developers, security researchers, and third-party services with lawsuits over alleged violations. Private companies will still be able to punish people who use or access their systems/platforms in unexpected ways by dragging them to court. Hopefully, judges will make use of the DOJ’s new guidance to dump bogus CFAA lawsuits by pointing out the long list of actions the federal government no longer believes are violations of the law.


Comments on “DOJ Changes CFAA Policy, Will No Longer Bring Criminal Charges Against Security Researchers”

That Anonymous Coward (profile) says:

“that good-faith security research”

“Security research not conducted in good faith—for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith.”

So it is in the eye of the company, who more often than not believes the worst possibility is the only reason for things.
Does “extortion” include demands that they disclose the flaw & repair it?

Will the DOJ pursue cases against companies who use the ostrich defense?

That Anonymous Coward (profile) says:

Re: Re:

The problem is extortion is in the eye of the beholder.

I called copyright trolls shaking down people extortion, they called it avoiding court with settlements.

While in a perfect world a researcher would be able to reach out to a clearly labelled connection point to share what they found, that almost never happens.

We’ve seen researchers have their homes raided because the company claimed extortion because they were trying to disclose what they knew the right way & the company went batshit.

The request to get a hole plugged/patched can be seen as a demand they do something or else.
Lots of ‘tech’ companies believe they can’t make a mistake & are hostile to researchers’ findings; some are dumb enough to demand the researcher pay for the fix.

Naughty Autie says:

Re: Re: Re:

I called copyright trolls shaking down people extortion, they called it avoiding court with settlements.

And the courts recognised that it was indeed extortion. Your point?

The request to get a hole plugged/patched can be seen as a demand they do something or else.

Yes. Patch the hole or risk exploitation of it, potentially ruining the reputation of the developer. Still not extortion.

Anonymous Coward says:

Re: Re: Re:

We’ve seen researchers have their homes raided because the company claimed extortion because they were trying to disclose what they knew the right way & the company went batshit.

The phrase “the right way” suggests you might be tasting the corporate koolaid. Somehow they’ve convinced many researchers that, when a company is careless and puts all of their users at risk, the researchers somehow owe the company something—specifically, time and silence. That’s only “responsible”, whereas apparently nobody has any responsibility toward the users.

Disclose to the users first. Especially if the company’s chosen to leave the users helpless to detect and fix the problems, maybe going so far as to ban security research (generally a subset of “reverse engineering”).

Anonymous Coward says:

From comments elsewhere it seems people are cynical about this new guidance, with some considering this 4D chess by the DoJ in an attempted entrapment, and others pointing out that private lawsuits and prosecutions by companies are still a major wildcard.

The sad thing is I believe we will not see the implications of these changes until someone acting in ‘good faith’ is either a suspect or brought up on certain charges in a court. In today’s world merely being suspected of a crime can have life-altering consequences.
