"Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act"

The US Department of Justice (DoJ) has announced that its policy on violations of the Computer Fraud and Abuse Act (CFAA) has been revised. For the first time, the policy states that good-faith security research should not be charged. According to the DoJ, good-faith security research means accessing a computer only for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a way that avoids harming individuals or the public. The information derived from good-faith security research activity must also primarily promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or services. Deputy Attorney General Lisa O. Monaco highlighted computer security research as a key driver of stronger cybersecurity. Monaco said the department has never been interested in charging good-faith computer security research as a crime. The announcement enhances cybersecurity by giving clarity to good-faith security researchers who identify vulnerabilities for the common good. However, the new policy recognizes that claiming to be undertaking security research does not give individuals acting in bad faith a pass. For example, identifying flaws in devices to extort their owners, even if disguised as "research," is not done in good faith. The policy instructs prosecutors to consult with the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) concerning specific applications of these criteria. All federal prosecutors who want to pursue cases under the CFAA must follow the new policy and consult with CCIPS before proceeding. This article continues to discuss the new policy for charging cases under the CFAA and what it means for cybersecurity research.

DoJ reports "Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act"

Submitted by Anonymous on