DataBreaches.Net


DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers

Posted on May 21, 2022 by Dissent

Andrew Crocker of EFF responds to the announcement this week by DOJ about its revised policy for enforcement of the Computer Fraud and Abuse Act:

The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The Department of Justice (DOJ) today announced a new policy under which it will not bring CFAA prosecutions against those engaged “solely” in “good faith” security research.

It’s an important step forward that the DOJ recognizes the invaluable contribution security research plays in strengthening the security of messaging and social media applications, financial systems, and other digital systems used by hundreds of millions of people every day. But its new policy, which is only an agreement for the DOJ to exercise restraint, falls far short of protecting security researchers from overzealous threats, prosecutions, and the CFAA’s disproportionally harsh prison sentences. We still need comprehensive legislative reform to address the harms of this dangerous law.

In part, DOJ’s policy change is forced by the Supreme Court’s ruling last year in Van Buren v. U.S., which provided clarification of the meaning of “exceeding authorized access” under the CFAA. The law makes it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer,” but does not define what authorization means. Previously, the law had been interpreted to allow criminal charges against individuals for violating a website’s terms of service or violating an employer’s computer use policy, leading to criminal charges that have nothing to do with hacking. In Van Buren, the Supreme Court cut back on that interpretation, holding that the defendant did not “exceed authorized access” when he obtained information he was entitled to search for work purposes but used that information for other, nonapproved activities.

The new DOJ policy adopts this interpretation—as it must—but like the Supreme Court, it stops far short of requiring that a defendant defeat a technological restriction in order to exceed authorized access. That would do more to protect security researchers, journalists, and others whose work requires accessing computers in ways that contravene terms of service or go against the wishes of the computer owner.

Instead of this clear line, the new policy explicitly names scenarios in which written policies may give rise to a criminal CFAA charge, such as when an employee violates a contract that puts certain files off limits in all situations, or when an outsider receives a cease-and-desist (C&D) letter informing them that their access is now unauthorized. We’ve seen companies like Facebook and LinkedIn abuse the CFAA in exactly that way—sending C&Ds to researchers and journalists whose access they don’t like. Regardless of the merit of these private disputes, it is unacceptable to give these tech companies discretion to turn their far less powerful adversaries into potential federal criminals.

The new DOJ policy also promises more than it delivers in its exemption from prosecution for security research. It limits the exemption to research conducted “solely” in “good faith,” which could leave out a lot of how security research happens in the real world. That word “solely” leaves open to interpretation whether hackers who discover and disclose a vulnerability so that it can be fixed but also get paid, speak at a security conference like DEF CON, or have other secondary motivations, can still be prosecuted.

Moreover, the policy adopts the definition of “good faith security research” put forth by the Copyright Office in its triennial rulemaking about the Digital Millennium Copyright Act (DMCA) Section 1201, which purports to provide an exemption for good faith security testing, including using technological means. But that exemption is both too narrow and too vague. The DMCA prohibits providing technologies, tools, or services to the public that circumvent technological protection measures to access copyrighted software without the permission of the software owner. To avoid violating the DMCA, any tools used must be for the “sole purpose” of security testing, with additional limitations interpreted at the government’s discretion.

Like the DMCA’s language, the DOJ policy fails to provide concrete, detailed provisions to prevent the CFAA from being misused to prosecute beneficial and important online activity. The CFAA should protect security researchers and give them incentives to continue their vital work. Security researchers should not have to fear that their work protecting all of us from flaws in computer systems in cars, electronic voting systems, and medical devices like insulin pumps and pacemakers is going to land them in prison. The DOJ’s policy simply does not go far enough to prevent this.

As an agency policy, the DOJ’s new rules do not bind courts, and can be rescinded at any time, such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. Nor does it address the threats posed by state anti-hacking laws, some of which are even more overbroad than the CFAA itself. The policy is a good start, but it is no substitute for comprehensive CFAA reform, whether by Congress or by the courts in continuing the work of Van Buren to narrow its reach.

Source: EFF

Categories: Commentaries and Analyses, Federal, Legislation, U.S.
