An announcement by the Department of Justice (DOJ) on Thursday made known its intentions not to pursue Computer Fraud and Abuse Act (CFAA) charges against those conducting good-faith cybersecurity research. The policy revision is the first directive of its kind and both provides clarity on the Department’s position and affirms its belief that security research drives improvements.
According to the news release, the revision takes the place of a 2014 policy and solidifies the department’s CFAA enforcement goals to “promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.” Moreover, the new policy assuages concerns on part of some courts and commentators over hypothetical CFAA liability.
The policy also enumerates certain activities that do not warrant criminal charges like checking sports scores at work or violating an access restriction contained in a term of service. Instead, it says that the DOJ aims to focus resources on cases where a defendant knowingly accesses a restricted computer or component thereof.
The DOJ adds that under the new policy, merely claiming to be conducting security research is not a “free pass” for those acting in bad faith. For example, the announcement says, discovering a vulnerability in order to extort the device owner, even if claimed as “research,” does not qualify as acting in good faith.
The policy will take immediate effect. Federal prosecutors seeking to bring charges under the CFAA must adhere to the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section before filing them, among other procedural checks.