In a development that many activists see as long overdue, and that will likely provide a shot in the arm to the country’s general cyber defenses, the Department of Justice (DOJ) has ruled that security researchers hacking in “good faith” to find and report vulnerabilities are no longer subject to prosecution under the Computer Fraud and Abuse Act (CFAA).
Passed in 1986 with terms reflecting the relative technical ignorance of the time and very vague language in places, the CFAA itself has not always been used in good faith by both government prosecutors and private parties bringing charges against individuals. This follows a throttling of some of the act’s power due to a Supreme Court decision in 2021.
Troubled CFAA, at time labeled as “the worst technology law” and “insane,” no longer applicable to white hats
While the CFAA and all of its troubled language remains in place, the DOJ has announced that security researchers who do not have malicious intent do not have anything to fear under its new policy.
Security researchers previously were considered fair game for finding and reporting vulnerabilities, something that added layers of complication to services like penetration testing and sometimes discouraged the individual reporting of bugs that might be encountered in the wild. The DOJ’s new no-charges policy applies to security researchers that “avoid any harm to individuals or the public” and primarily use the information they uncover to “promote the security or safety … of devices, machines or online services.”
The CFAA criminalized the unauthorized access (or “access in excess of authorization”) of essentially any computer in very broad language, creating all sorts of situations ripe for misunderstanding or even malicious abuse. Lack of technical understanding among members of Congress and a certain level of paranoia was clear, perhaps best illustrated by a House report claiming that the 1983 movie WarGames was a “realistic representation” of hacker capabilities.
The CFAA has been amended a number of times since 1986, but in almost all cases it was to extend the scope of activities that it covers rather than rein in its excesses. It took until 2021 for a case involving the CFAA’s scope and terms to get in front of the Supreme Court, and the Court responded by curbing some of the worst of its “excess of authorized access” terms: for example the possibility of a particularly mean-spirited web service prosecuting a user for violating its terms of service, or an employer prosecuting an employee for engaging in personal activities on work systems.
While this is a welcome development for security researchers, it is a matter of flexible policy rather than a permanent fix for the CFAA’s problematic terms. It also does not protect researchers from prosecution under state laws, some of which opted to mirror CFAA language in developing their own cybersecurity terms.
More permanent fix still sought by security researchers, activists
Essentially a promise from the DOJ to not be malicious or excessive toward “white hat” security researchers, the policy change does not clear up all the issues with the CFAA. The community is still looking for serious legislative reform, particularly with the 2021 Supreme Court decision opening the law up for further review.
Activists and advocates have been given many reasons to be upset at the CFAA over the years, primarily along two major lines: government prosecutors using the bill’s vague terms to bring excessive charges, and corporations using it to punish journalists and researchers that pursue cybersecurity-related stories that stand to bring them bad press. The Electronic Frontier Foundation notes that LinkedIn and Facebook have been particularly prone to attempt to leverage violations of terms of service into CFAA charges.
Perhaps the most famous example of federal prosecutors going overboard with the CFAA was the case of Aaron Swartz, who was charged with downloading and distributing over four million academic research papers from paywalled service JSTOR. JSTOR ended up declining to press charges, but federal prosecutors insisted on bringing the case anyway, which drove Swartz to suicide.
Another issue with the CFAA that is frequently attacked by critics is the very large penalties it allows for. A single count of “damaging a computer” can result in years in prison, depending upon how vicious prosecutors want to be. The law also allows for sentencing enhancements to be tacked on for use of “sophisticated” tools and techniques that are really anything but, such as preparing a simple script to automate actions.
Some critics are already pointing out that the DOJ’s promise may not even be worth much to security researchers. The legal definition of “good faith” it leans on comes from the similarly outdated Digital Millennium Copyright Act, which allows for some amount of independent security testing; however, that section of law has also been heavily criticized for being too vague and open to potential abuse.