The U.S. Department of Justice has announced a revision of its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), which states, among other things, that good-faith security researchers will no longer be charged or prosecuted.
Good-faith security research means accessing a computer solely for the purpose of testing, investigating, and/or correcting security flaws or vulnerabilities, where such activity is carried out in a manner designed to avoid harm to individuals or the public, and where the information obtained from the activity is used primarily to promote the safety or security of the class of devices, machines, or online services to which the accessed computer belongs, or of those who use such devices, machines, or online services.
Claiming "security research" is not a free pass for those acting in bad faith
"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa Monaco. "The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."
The new policy explicitly states that the department's goals for enforcing the CFAA are to promote privacy and cybersecurity while maintaining the legal rights of individuals, network owners, operators and others to ensure the confidentiality, integrity and availability of information in their information systems.
Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned courts and commentators will not be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictitious accounts on recruitment, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a terms of service agreement is not, on its own, sufficient for a federal criminal charge. The policy focuses departmental resources on cases where a defendant either was not allowed to access the computer at all, or was allowed to access a portion of the computer, such as an email account, and, despite knowing the limits of that authorization, accessed a portion to which it did not extend, such as other users' emails.
However, the new policy acknowledges that claiming to conduct security research is not a free pass for actors in bad faith. For example, discovering vulnerabilities in devices in order to extract payment from their owners is not good-faith research, even if it is claimed to be "research". The policy advises prosecutors to consult the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division regarding the specific application of this factor.
All federal prosecutors who wish to bring charges under the Computer Fraud and Abuse Act must follow the new policy and consult with CCIPS before filing charges. If prosecutors intend to charge a CFAA case against CCIPS's recommendation, they must notify the Deputy Attorney General (DAG) and, in some cases, obtain the DAG's approval before doing so.
The new policy replaces the previous policy issued in 2014 and is effective immediately.