Justice Department Revises Cyber Crime Charging Policy to Shield Good-Faith Security Research
On May 19, 2022, the Department of Justice (DOJ) updated its policy guiding charges under the Computer Fraud and Abuse Act (CFAA), the main law used by prosecutors to charge cyber‑based crimes. The policy changes answer longstanding questions about the language of the CFAA and its potential for broad application. The new policy further refines DOJ’s goals for enforcing the CFAA and establishes as policy DOJ’s longstanding informal position that it will not charge “good-faith security research” as a violation of the CFAA. The new policy also directs that DOJ will not bring CFAA charges in a number of other situations that implicate the Supreme Court’s 2021 decision in Van Buren v. United States[1] and have long concerned courts and legal commentators, such as violations of access restrictions contained in a contractual agreement or terms of service or violations of an employer’s policy against checking sports scores or paying bills at work.
Enacted in 1986, the CFAA remains the primary computer crime law in the United States. The CFAA generally prohibits accessing a protected computer “without authorization” or certain categories of conduct that involve “exceeding authorized access,” and it applies broadly in both criminal and civil contexts. The CFAA does not define “without authorization”—the prong of the CFAA that addresses situations in which a hacker breaks into a computer system. The CFAA, however, defines “exceeds authorized access” to mean accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[2]
Courts and legal commentators have frequently noted with concern the breadth of situations that could be considered a violation of the CFAA. In June 2021, the Supreme Court, in Van Buren, took its first serious look at the scope of the “exceeds authorized access” language in the CFAA and clarified that merely accessing information for “improper purposes” does not violate the CFAA. Our previous client alert on Van Buren provides a more detailed analysis of that decision. DOJ’s revised CFAA policy incorporates many of the hypotheticals raised by the Court in dicta in that opinion, directing that prosecutors not charge conduct that is analogous to providing false information on an online dating profile or checking sports scores on a work computer, even if such conduct violates a policy, contract, or term of service.[3]
The most noteworthy change to DOJ’s CFAA policy is that it establishes, for the first time in policy, DOJ’s longstanding position that it will not charge “good-faith security research” as a violation of the CFAA. According to the policy, “‘good-faith security research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety [of similar devices, services, and their users].” Such good-faith security research likely would include research conducted pursuant to a bug bounty program or other “white hat” research intended to promote security. Notably, the same “research” for other purposes, e.g., extortion using discovered vulnerabilities, would not be considered “good-faith” and could still be charged under the CFAA.
The policy reflects the broad recognition by the U.S. government and security community that vulnerability research, penetration testing, and other computer security research is an important contributor to cybersecurity. In announcing the policy, Deputy Attorney General Lisa O. Monaco noted: “Computer security research is a key driver of improved cybersecurity, . . . and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” The policy is also consistent with the U.S. government’s promotion of vulnerability disclosure programs as a component of an effective cybersecurity program. For example, in 2020, CISA issued a binding operational directive requiring federal government agencies to develop and publish a vulnerability disclosure policy, emphasizing that “cybersecurity is a public good that is strongest when the public is given the ability to contribute” and noting that “without clear, warm assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report at all.”[4]
The policy also sets out DOJ’s goals for CFAA enforcement, which are “to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.” Prosecutors are directed to consider whether a potential CFAA charge would serve these goals.
The comment to the new policy specifically identifies other situations where DOJ will not bring “exceeds authorized access” cases. Many of the common hypotheticals that have concerned courts and commentators are addressed. DOJ will not bring charges of “exceeding authorized access” for:
DOJ emphasized that, in either a “without authorization” or an “exceeds authorized access” case, the prosecutor must prove “the defendant knowingly accessed a computer or area of a computer to which he was not allowed access in order to obtain or alter information stored there, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.” Such proof would require that the defendant was aware of the facts that made his or her access unauthorized at the time of the conduct—including technology intended to limit unauthorized access even if unsuccessful.
While the new DOJ policy does not directly answer questions about the definition of “exceeds authorized access” in the CFAA, it will cabin some of the prosecutorial power that has concerned cybersecurity researchers, courts, and commentators throughout the history of the statute.
Under the new policy, DOJ will not bring CFAA charges where the access at issue was solely good-faith security research, a violation of access restrictions in a term of service, or in another situation where prosecution would not “promote privacy and cybersecurity” or otherwise serve the newly identified goals of DOJ.
[1] 141 S. Ct. 1648 (2021).
[2] 18 U.S.C. § 1030(e)(6).
[3] See Van Buren, 141 S. Ct. at 1661.
[4] Cybersecurity and Infrastructure Security Agency, Binding Operational Directive 20-01 (Sept. 2, 2020), https://www.cisa.gov/sites/default/files/bod-20-01.pdf.