The Department of Justice (DoJ) has announced a major policy shift to the Computer Fraud and Abuse Act (CFAA) that explicitly exempts good-faith security researchers from being prosecuted.
The controversial anti-hacking law, which has been around since 1986, has been widely criticized for being overly broad, opening the door for criminalizing white-hat hacking efforts that may be conducted to identify and correct security flaws or help organizations pinpoint their weak spots. The new changes, which take effect immediately, specify good-faith security research as activity that “is carried out in a manner designed to avoid any harm to individuals or the public.”
At the same time, the policy clarifies that “claiming to be conducting security research is not a free pass for those acting in bad faith,” including situations where an individual discovers vulnerabilities in devices in order to extort their owners under the guise of security research. The DoJ has also added several clarifications that narrow a gray area which had covered a range of hypothetical CFAA violations.
“Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges,” according to the DoJ.
Privacy experts agree that the policy change is a step in the right direction and represents a recognition of the value that security research has in helping to secure systems and organizations. However, the CFAA update does not amount to a total exemption for security researchers, who are still exposed to “copycat” state cybercrime laws, which are also notoriously vague, and to civil liability. Additionally, Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF), said she is very concerned that the updated policy’s “narrow language” won’t protect anyone in practice.
“I’m not sure there will be a big shift at all,” said Cohn. “This is written so narrowly that I’m not sure who it would actually protect in a serious way.”
The CFAA was enacted 36 years ago, at a time when the concept of cybersecurity, and the relationship between the security community and the government, were very different. Cohn said one of the CFAA’s primary issues is that it cracks down on unauthorized access but doesn’t define what unauthorized access means. The CFAA’s scope has left glaring holes in how “unauthorized access” should be applied, including whether it covers violations of websites’ terms of service or even the concept of interoperability, she said.
“This problem is endemic in the statute,” said Cohn. “The CFAA is poorly written. Its intent is to be a breaking and entering statute, it’s meant to stop actual computer intrusions. But it’s written much more broadly.”
The CFAA’s scope has been the subject of heavy debate and criticism for decades, with critics arguing that the law could potentially criminalize many of the everyday activities of computer users. In 2013, a proposal called “Aaron’s Law” (named after the late Aaron Swartz) sought to amend the CFAA by tightening the vague language used in the statute; however, the bill never progressed. The CFAA’s narrow reading again came under the spotlight in 2020 in a U.S. Supreme Court case (Van Buren v. United States) that looked at the CFAA conviction of police officer Nathan Van Buren, who accessed personal data in a government database for personal reasons, which was deemed an “improper purpose” and a violation of the CFAA. In June, the Supreme Court reversed Van Buren’s conviction, ruling that the interpretation of “exceeds authorized access” applied in his case was overly broad.
Harley Geiger, senior director of Public Policy at Rapid7, said the changes that are happening through the court and the Department of Justice overall “are very welcome.”
“It’s worth noting that the CFAA is not just a criminal statute, it also allows for civil liability,” he said. “For now, the bigger danger for security researchers are state laws and private liability under the CFAA.”