DOJ’s New CFAA Policy is a Good Start

The DOJ announced a new policy under which it will not bring CFAA prosecutions against “good faith” security researchers

By guest author Andrew Crocker
June 2, 2022

The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The Department of Justice (DOJ) today announced a new policy under which it will not bring CFAA prosecutions against those engaged “solely” in “good faith” security research.

It’s an important step forward that the DOJ recognizes the invaluable contribution security research plays in strengthening the security of messaging and social media applications, financial systems, and other digital systems used by hundreds of millions of people every day. But its new policy, which is only an agreement for the DOJ to exercise restraint, falls far short of protecting security researchers from overzealous threats, prosecutions, and the CFAA’s disproportionally harsh prison sentences. We still need comprehensive legislative reform to address the harms of this dangerous law.

In part, DOJ’s policy change is forced by the Supreme Court’s ruling last year in Van Buren v. U.S., which provided clarification of the meaning of “exceeding authorized access” under the CFAA. The law makes it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer,” but does not define what authorization means. Previously, the law had been interpreted to allow criminal charges against individuals for violating a website’s terms of service or violating an employer’s computer use policy, leading to criminal charges that have nothing to do with hacking. In Van Buren, the Supreme Court cut back on that interpretation, holding that the defendant did not “exceed authorized access” when he obtained information he was entitled to search for work purposes but used that information for other, nonapproved activities.

The new DOJ policy adopts this interpretation—as it must—but like the Supreme Court, it stops far short of requiring that a defendant defeat a technological restriction in order to exceed authorized access. That would do more to protect security researchers, journalists, and others whose work requires accessing computers in ways that contravene terms of service or go against the wishes of the computer owner.

Instead of this clear line, the new policy explicitly names scenarios in which written policies may give rise to a criminal CFAA charge, such as when an employee violates a contract that puts certain files off limits in all situations, or when an outsider receives a cease-and-desist (C&D) letter informing them that their access is now unauthorized. We’ve seen companies like Facebook and LinkedIn abuse the CFAA in exactly that way—sending C&Ds to researchers and journalists whose access they don’t like. Regardless of the merit of these private disputes, it is unacceptable to give these tech companies discretion to turn their far less powerful adversaries into potential federal criminals.

The new DOJ policy also promises more than it delivers in its exemption from prosecution for security research. It limits the exemption to research conducted “solely” in “good faith,” which could leave out a lot of how security research happens in the real world. That word “solely” leaves open to interpretation whether hackers who discover and disclose a vulnerability so that it can be fixed but also get paid, speak at a security conference like DEF CON, or have other secondary motivations, can still be prosecuted.

Moreover, the policy adopts the definition of “good faith security research” put forth by the Copyright Office in its triennial rulemaking about the Digital Millennium Copyright Act (DMCA) Section 1201, which purports to provide an exemption for good faith security testing, including using technological means. But that exemption is both too narrow and too vague. The DMCA prohibits providing technologies, tools, or services to the public that circumvent technological protection measures to access copyrighted software without the permission of the software owner. To avoid violating the DMCA, any tools used must be for the “sole purpose” of security testing, with additional limitations interpreted at the government’s discretion.

Like the DMCA’s language, the DOJ policy fails to provide concrete, detailed provisions to prevent the CFAA from being misused to prosecute beneficial and important online activity. The CFAA should protect security researchers and give them incentives to continue their vital work. Security researchers should not have to fear that their work protecting all of us from flaws in computer systems in cars, electronic voting systems, and medical devices like insulin pumps and pacemakers is going to land them in prison. The DOJ’s policy simply does not go far enough to prevent this.

As an agency policy, the DOJ’s new rules do not bind courts, and can be rescinded at any time, such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. Nor does it address the threats posed by state anti-hacking laws, some of which are even more overbroad than the CFAA itself. The policy is a good start, but it is no substitute for comprehensive CFAA reform, whether by Congress or by the courts in continuing the work of Van Buren to narrow its reach.

This piece originally appeared on EFF.org under the title, DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers