
DOJ Pledges Not to Charge Security Researchers With Crimes

The DOJ has attempted to assuage long-standing legal concerns by issuing a revised policy meant to protect everyday internet users and researchers.
By Adrianna Nine
Ever since the Computer Fraud and Abuse Act (CFAA) was signed into law in 1986, its vague wording has posed potential legal implications for everyone from cybersecurity researchers and legal experts to the casual web surfer. Though it was intended to address the ever-increasing threat of computer fraud (and was originally only applicable to government computers and those owned by financial institutions), the CFAA’s ambiguity meant anyone found “intentionally accessing a computer without authorization or in excess of authorization” was subject to harsh penalties—including if they committed the “offense” on a personal device. Relatively small acts like password sharing can be considered felonies under the CFAA.

The act has undergone a number of amendments over the last few decades, but a general sense of anxiety persists. Smartphone users worry that violating any sliver of an app’s terms of service (ToS) could subject them to hefty fines, while cybersecurity researchers must investigate vulnerabilities with great caution for fear of breaking one of the CFAA’s poorly-worded rules. Even the Supreme Court has pushed the Department of Justice (DOJ) to narrow the CFAA’s scope.

Now the DOJ has attempted to assuage these concerns by issuing a revised policy meant to protect everyday internet users and researchers. Announced late last week, the policy outlines a number of factors the DOJ will use going forward to determine whether to pursue prosecution. Most of the factors relate to how likely the unauthorized or unconstrained access is to cause actual harm, particularly to “national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests.” If that risk is low and the access doesn’t appear to be related to a larger criminal threat, the DOJ is unlikely to prosecute.

The DOJ is also explicitly advised to decline prosecution if the access is related to “good faith security research” of a security flaw or vulnerability. Of course, “good faith” means the researcher intends to report or fix the vulnerability; those hoping to exploit the security flaw aren’t protected here.

The DOJ’s document illustrates its point with real-life examples of acts it won’t prosecute. Even if a person’s employer issues them an employee computer for work use only, the DOJ won’t consider it a violation for the employee to use that computer to pay bills or look up sports scores. The agency won’t come after those who create fictional accounts on hiring or housing websites, nor will it target those who use pseudonyms on social networks that prohibit it. And as The Verge pointed out, lying on Tinder can no longer be considered a crime under the CFAA—while that sounds like a joke to most, the recent Tinder Swindler craze has shown us it has real effects, however rare or far-fetched those may be.

Few policy revisions are perfect, though; look to the DOJ’s fifth consideration, which states the agency may prosecute if it feels the need to deter others from conducting similar access. This could mean anything, even if the policy revision says this factor includes (but is not limited to) “new” areas of criminal activity or access techniques. But overall, this revision should signal a sigh of relief—even just for those of us who were looking forward to the next season of Catfish.