DOJ revises computer fraud prosecution standards to ease off ‘good-faith’ research
Security researchers working in “good faith” to find and expose computer security issues may have less to worry about after the U.S. Department of Justice announced a revision Thursday to its historically broad approach to prosecuting crimes under the Computer Fraud and Abuse Act.
“The policy for the first time directs that good-faith security research should not be charged,” the agency said in a statement, noting that “good faith” in this context refers to accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability in ways that minimize harm to individuals or the public or promote security and safety.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa Monaco said in the statement. “The department has never been interested in prosecuting good-faith computer research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The law, known commonly as the CFAA, has its origins in a 1984 statute passed in the wake of the 1983 thriller ‘WarGames,’ and was enacted in its current form in 1986. In the film, Matthew Broderick played a teenager who hacked into the North American Aerospace Defense Command and nearly started World War III. In the years since, a broad range of legal experts and lawyers have criticized how expansively the law has been applied and how prosecutors have used it to charge defendants.
Under the new policy, “hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” the agency said in the statement.
“However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith,” the statement continued. “For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed ‘research,’ is not good faith.”
Some pointed to other limitations of the policy shift, from uncertainty about which specific activities it covers to the fact that it is internal charging guidance for federal prosecutors: it does not change the text of the statute, does not bind state prosecutors operating under state computer-crime laws, and does not affect private civil suits brought under the CFAA.
Perhaps the most notorious CFAA prosecution for the law’s critics was the 2011 indictment of internet activist and pioneer Aaron Swartz, who was charged with 13 felony counts under the law for downloading academic journal papers in an effort to make them free. Swartz faced up to 50 years in prison and a $1 million fine, and he took his own life in 2013 before the trial began.
Bloomberg first reported the policy change, which follows last summer’s Supreme Court ruling in Van Buren v. United States that curtailed the scope of the CFAA by holding that a person who is authorized to access a computer does not “exceed authorized access” merely by using that access for an improper purpose.
Updated, 5/19/22: to include additional outside perspective.