Thursday, May 26, 2022

DOJ Will No Longer Charge Security Researchers

Adi Robertson (in June 2021):

The Computer Fraud and Abuse Act (CFAA), a controversial anti-hacking law which bans “exceeding authorized access” on a computer system, was narrowed by the Supreme Court on Thursday in a 6-3 ruling. The court said the law shouldn’t cover people misusing systems they’re allowed to access — and that claiming otherwise would criminalize a “breathtaking amount” of everyday computer use.

Department of Justice (via Bruce Schneier):

The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.


So they’re saying security research actually is A Crime under CFAA, but they just promise they won’t go after you for committing that Crime, right?

Doesn’t give me a warm and fuzzy feeling…


No, that’s not correct. The policy memo is a straightforward, good-faith instruction to USAs not to prosecute certain categories of potential CFAA cases because (a) SCOTUS’s new Van Buren precedent says they do not fit within the CFAA, or (b) they are near enough to Van Buren that, if called upon to resolve such a case, courts would likely say they do not fit within the CFAA, or (c) even if a court could maybe be convinced not to dismiss the case under Van Buren, such a prosecution wouldn’t serve to vindicate the government’s interest in “promot[ing] privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”
