The Department of Justice is significantly revising how it interprets and brings cases under the nation’s premier hacking law, saying it will no longer bring cases against “good faith” security researchers or individuals who violate trivial or non-material parts of a company’s policies or terms of service.
The Computer Fraud and Abuse Act is the primary law used to prosecute hacking crimes. It’s leveraged in both large criminal and national security cases, like indictments brought against Russian intelligence operatives for the 2016 hack and leak operation around the Democratic National Committee, and individual cases, like the prosecution of security researcher Aaron Swartz.
In a significant shift, the department announced Thursday that it will no longer pursue cases under the CFAA for individuals engaged in "good faith" security research.
“The Department will not bring ‘exceeds authorized access’ cases based on the theory that a defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances,” the department said.
An overdue CFAA shift for researchers
The decision marks a major change in how the federal government views its prosecutorial powers under the CFAA. It also is the culmination of years of activism by the information security community and others to convince the government that a healthy, functional national ecosystem for finding, disclosing and fixing damaging software and hardware vulnerabilities won't happen if researchers are constantly looking over their shoulder.
Often times, prosecutors will bring CFAA charges based in part on the claim that the defendant “exceeded authorized access” to a particular device, system or data based on rules set down in private contractual agreements or terms of service agreements (that nobody actually reads) between a company and its user base.
That has put outside security researchers, who are responsible for finding and fixing many of the security vulnerabilities that lead to data breaches or ransomware, in a bind because it allows companies to set down their own rules that make third-party scrutiny of their products difficult, impossible or only possible through process that gives the company near-complete control over the remediation and disclosure process.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa Monaco in a statement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Understanding 'good faith'
It also alters DoJ charging guidelines to cease prosecutions for cases that allege general violations of private terms of service agreements, though those who violate specific rules may still be prosecuted. Nor will it argue that a using a work computer to pay your personal online bills constitutes a violation of the CFAA.
"Thus, embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; or using a pseudonym on a social networking site that prohibits them, might all violate a user’s contract with the owner of the protected computer, but the Department will not take the position that a mere contractual violation caused the user’s previous authorization to be automatically withdrawn and that the user was from that point onward acting in violation of the CFAA."
The term “good faith” is crucial, because the department is still reserving the right to go after individuals or groups who hack into systems or break specific contractual clauses that are relevant to cybersecurity, like accessing someone else’s account on a shared computer without their permission.
The case brought against Swartz, who committed suicide in 2013 while awaiting trial, became a poster child for a long-simmering dispute between the government and an information security over the scope of the CFAA. The charges he faced were related to systematically downloading documents from JSTOR, a digital library of academic journals that are available to researchers. His death renewed the argument that the CFAA is an overly broad, ambiguous law that can be used to sweep up malicious hackers as well people who are innocent, ignorant about the terms of services they have signed or simply, not engaging in the kind of damaging criminal activity the law was designed to address.
However, the move is merely a change of internal policy by the Biden administration. Digital rights organizations lauded the announcement but say it's temporary, and a future administration could decide to interpret the CFAA differently or more harshly.
Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation, said it was "a good start, but it is no substitute for comprehensive CFAA reform" and fails to address a range of other activities they view as legitimate.
"We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on 'unauthorized access'—deters researchers from discovering and disclosing vulnerabilities in these systems," Crocker said in a statement sent to SC Media. "However, the DOJ's new policy does not go nearly far enough: by exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators."
The changes set a new bar for bringing cases under the CFAA Act, with the department now defining “access without authorization” as accessing a device or system when no authorized party has given permission and the user is aware of and knows they are not authorized at the time of access. Even still, the department won’t bring charges unless it believes the case “would serve the department’s goals for CFAA enforcement.”
DoJ lays down eight different considerations for determining if a prosecution would serve those goals, such as whether the action was done in good faith, sensitivity of the data or devices impacted and potential harm from the violation, the impact on victims, the activity’s relationship to U.S. national security and whether it was done as part of a larger criminal operation.
“In either a ‘without authorization’ case or an ‘exceeds authorized access’ case, the attorney for the government must be prepared to prove that the defendant knowingly accessed a computer or area of a computer to which he was not allowed access in order to obtain or alter information stored there, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it,” the department stated.