Thu | May 19, 2022 | 3:29 PM PDT

The U.S. Department of Justice (DOJ) announced today a new revision to its policy on the Computer Fraud and Abuse Act (CFAA) that many security researchers will be pleased to see.

For the first time, federal prosecutors will not be able to charge security researchers who act in "good-faith." The DOJ defines good-faith security research as:

"Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

This has been an issue in the past, as many security researchers had to walk on eggshells when testing software or analyzing security flaws so as not to violate the previous CFAA policy.

Deputy Attorney General Lisa Monaco discussed the policy revision:

"Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators will not be charged. This includes activities such as creating a fake online dating profile, using a pseudonym on a social media site that prohibits them, checking sports scores or paying bills while at work, etc. These examples by themselves are not sufficient to warrant criminal charges.

However, this change does not give a free pass to anyone claiming to be doing "security research" when in reality they are acting in bad faith. The DOJ uses the example of someone who, in the course of "security research," discovers vulnerabilities in a device or application but then attempts to extort the owner; that does not count as acting in good faith.


With this change, prosecutors can now focus on cases in which a defendant is not authorized to access a computer, or a particular part of a computer such as an email account, and chose to access it anyway while knowing of that restriction.

While the DOJ claims this new policy will be in line with the Department's goals of promoting privacy and cybersecurity by upholding the legal rights of individuals, critics of the CFAA may still be wary following one of the more famous prosecutions under it, the case of Aaron Swartz.

In 2013, Swartz was acting in good faith when he downloaded 4.8 million documents from MIT's JSTOR, an academic subscription service. After federal prosecutors brought charges against him for violating the CFAA, Swartz committed suicide.

Since his death, many security researchers and policy makers have pushed to reform the CFAA. Perhaps the announcement from the DOJ is a step in the right direction.

Tags: Policy, DOJ, CFAA