DOJ releases updated charging policy for cases brought under the Computer Fraud and Abuse Act

The Federal Docket

June 2, 2022

The Department of Justice has announced via press release its updated policies for charging cases under the Computer Fraud and Abuse Act. The updated policy comes in light of the Supreme Court’s decision in Van Buren v. United States, where the Court held that the provisions of the Act prohibiting “unauthorized access” do not apply to individuals who have authorized access to data but access the data for impermissible purposes. Rather, the Court narrowed the scope of the law to target only those who access data without having any level of authorization, such as through hacking. The Electronic Frontier Foundation has lauded the new policies as a “good start,” while cautioning that the updates do not “go far enough.”

Notably, the DOJ’s policy, for the first time, “directs that good-faith security research should not be charged,” and it defines such research as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” This is a significant policy that protects people who hack into networks without authorization, as long as they do so as part of a good faith effort to alert companies and networks to cyber risks. As one executive of a “security testing” firm observed: “For well over a decade now, cybersecurity leaders have recognized the critical role of hackers as the internet’s immune system. We enthusiastically applaud the Department of Justice for codifying what we’ve long known to be true: good-faith security research is not a crime.”

The DOJ will now focus on prosecuting security testing that is done in “bad faith” or that is actually unauthorized access dressed as security testing. Otherwise, the DOJ will continue applying most of its prosecutorial resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”


Tom Church - Tom is a trial and appellate lawyer focusing on criminal defense and civil trials. Tom is the author of "The Federal Docket" and is a contributor to Mercer Law Review's Annual Survey in the areas of federal sentencing guidelines and criminal law. Tom graduated with honors from the University of Georgia Law School where he served as a research assistant to the faculty in the areas of constitutional law and civil rights litigation.
