U.S. DOJ will No Longer Prosecute Ethical Hackers Under CFAA
The U.S. Department of Justice (DOJ) has announced a revision of its policy on how federal prosecutors should charge violations of the Computer Fraud and Abuse Act (CFAA), carving out “good-faith” security research from prosecution.
With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, two categories previously divided by a blurred line that frequently left ethical security research in a problematic legal gray area.
Under the new policy, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be charged by federal prosecutors.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco.
“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Good-faith security research is defined as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
The new policy focuses specifically on deliberate breaches of access limitations on computers and networks or even on online accounts of other users.
However, it does not give a pass to hacking carried out under the pretense of security research when that research is then used to extort companies. As such, federal prosecutors will examine each case to determine the actor’s intentions.
“The attorney for the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” – U.S. DOJ.
For example, if someone finds a critical vulnerability on a product and then extorts the software vendor to pay them an amount for not disclosing it to the public, that would still be regarded as a CFAA violation and charged accordingly.
Similarly, publicly leaking the data found in an exposed database or selling it to others cannot be justified even if the owner was unresponsive, so it will still be prosecuted.
While this is good news for security researchers, federal prosecutors will still decide whether a researcher was acting in good faith. For that reason, researchers are still strongly advised to join bug bounty programs and to contact companies for any vulnerability research guidelines they may have in place.
The goal of CFAA enforcement remains to promote privacy and cybersecurity, and the intent here is to protect security researchers from legal action launched by firms that don’t distinguish between ethical reports and aggressive breaches.
A recent example is that of Rob Dyke, a cloud security engineer, who ethically reported a data leak to a UK-based non-profit and soon after faced an investigation over “Computer Misuse” from the local police.
The Computer Misuse Act in the U.K. has acted as an intimidating force against the infosec community, and its story is very similar to that of the CFAA in the U.S.
The DOJ also made additional clarifications in the new policies regarding cases of breaking terms of service, creating multiple pseudonymous accounts on a platform, and using work computers for personal purposes.
While these cases may be contractual violations, the U.S. government will not consider them violations of the CFAA’s “exceeds authorized access” prohibition. However, if a user’s permission to access these services was expressly revoked by the company through legal means, such as a cease and desist letter, then the conduct could fall under the federal cybercrime laws.
A prominent example of a case that might not be prosecutable under this policy is that of Aaron Swartz, who violated the terms of MIT’s JSTOR paper hosting portal by downloading millions of documents.
Swartz was charged with CFAA “exceeds authorized access” violations and, under the pressure of facing prison time, eventually took his own life.