DOJ clarifies policy on computer fraud and abuse law


On May 19, 2022, the Department of Justice (“DOJ”) announced important clarifications to its policy on charging violations of the Computer Fraud and Abuse Act (“CFAA”) that provide reassurance to cybersecurity consultants who perform network testing and related operations. Such activity has long been a gray area for white hat hackers.

The CFAA, 18 USC §1030, empowers the government to prosecute cyber crimes by criminalizing “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] (A) information contained in a financial record of a financial institution… (B) information from any department or agency of the United States; or (C) information from any protected computer.” Most computers have the potential to fall under Section 1030’s definition of a “protected computer,” which includes any computer “used in or affecting interstate or foreign commerce or communication.” The new guidelines demonstrate an evolving view of how the law should be applied, with the ultimate goal of making the public safer as an overall result of government action. In this regard, the DOJ guideline specifically states that good-faith security research should not be prosecuted.

Good-faith security research is defined by the DOJ as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The update further clarifies that “such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The updated policy further explains that security research is not, by itself, necessarily conducted in good faith. For example, research conducted for the purpose of identifying security vulnerabilities in devices and then profiting from the owners of those devices does not constitute good-faith security research. This is important because much of the cybersecurity industry was built on the model of identifying exploits and selling fixes.

Following the Supreme Court’s decision in Van Buren v. United States, the update also aims to address concerns about the scope of the DOJ’s enforcement of Section 1030.¹ For example, in a press release issued on May 19, 2022, the DOJ acknowledged that “hypothetical CFAA violations,” such as “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service,” should not, standing alone, result in federal criminal charges. Because of continued ambiguity about the precise conduct that should warrant federal enforcement action, prosecutors were encouraged to consult with the Criminal Division’s Computer Crime and Intellectual Property Section in deciding whether to prosecute such offenses, in the hope of some consistency in how these guidelines are interpreted on the ground.

Consistent with the current administration’s focus on emerging technologies, and on cyber enforcement in particular, Deputy Attorney General Lisa Monaco observed that “[c]omputer security research is a key driver of improved cybersecurity,” and that the announcement “promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” The update also addressed the prioritization of departmental resources in the event of violations of the CFAA.

Despite criticism from some industry professionals that the clarification does not go far enough to protect security researchers, the update signals the continued evolution of DOJ policy, as individuals and companies devote increasing resources to finding the safe path between the carrot of rewards for strong cybersecurity practices and the stick of regulatory and enforcement measures.

1. Van Buren v. United States, 141 S.Ct. 1648 (2021).
