The US Department of Justice has revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA). The amendment clarifies what can be considered “good-faith” security research, so that security researchers don’t end up getting charged for simply doing their job.
The addendum defines good-faith security research as accessing a computer solely for good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where the activity is carried out primarily to strengthen the security of devices and services and in a manner designed to avoid harm to individuals or the public.
Under the revisions, some actions that had fallen into a grey area, leaving many authorities uncertain whether to press charges, now do not merit federal criminal charges. The DOJ offered the following scenarios:
- Embellishing an online dating profile contrary to the terms of service of the dating website
- Creating fictional accounts on hiring, housing or rental websites
- Using a pseudonym on a social networking site that prohibits them
- Checking sports scores or paying bills at work
- Violating an access restriction contained in a term of service
These circumstances are “not themselves sufficient to warrant federal criminal charges,” the DOJ maintains, adding that charges should only be considered in cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer.
However, the DOJ notes that claiming to be conducting security research is not a free pass for those acting in bad faith.
“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith,” according to the press release.
The policy advises prosecutors to keep the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) at arm’s length for specific applications.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Starting now, all federal prosecutors seeking to press charges under the CFAA are required to consult with CCIPS first, and to follow the new policy.