DOJ Announces Revised Policy on Charging CFAA Cases

The U.S. Department of Justice (DOJ) recently announced a new policy regarding the Computer Fraud and Abuse Act (CFAA), revising how the department charges CFAA cases. This policy directs, for the first time, that good-faith security research should not be charged. The DOJ’s newly-announced policy replaces an earlier 2014 CFAA charging policy. The revised policy on charging CFAA cases takes effect immediately. Earlier this year, the DOJ announced a plan to combat ongoing cyber threats, citing an increase in ransomware and abuse of cryptocurrency.

Background on the Policy on Charging CFAA Cases

The 2014 charging policy listed factors to consider when determining whether to charge a violation of the CFAA. The policy recognized that a cyber event’s significance could vary depending on facts and circumstantial evidence. In addition to considerations within the Principles of Federal Prosecution USAM 9-27.000, the 2014 charging policy advised federal prosecutors to consider the following factors:

• Sensitivity of the affected computer system or information
• Potential for broad or significant impact on national or economic interests
• Connection to other criminal activity or risk of bodily harm
• Impact of the crime and prosecution on the victim or other third parties
• Exceeded authorized access
• The deterrent value of an investigation or prosecution
• Extent of harm to a particular district or community
• Possibility of effective prosecution in another jurisdiction

However, the 2014 policy for charging CFAA cases did not address how the CFAA applies to legitimate computer security research. The DOJ’s updated policy seeks to clarify how the CFAA applies to such cases.

Revised Policy on Charging CFAA Cases

The new charging policy for CFAA cases establishes that federal prosecutors should not charge instances of good-faith security research as CFAA violations. Specifically, the revised policy explains that “good-faith security research” entails accessing a computer solely for legitimate:

• testing,
• investigation, and/or
• the correction of a security flaw or vulnerability.

Furthermore, the computer security research activity must, by design, avoid harm to individuals or the public. Information acquired through the activity must also strictly promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services. Under these stipulations, some hypothetical CFAA violations are not, by themselves, sufficient to warrant federal criminal charges. These may include using a pseudonym on a social networking site that prohibits them, checking sports scores at work, or violating an access restriction in a term of service.

In Conclusion

In the end, the DOJ’s new policy on charging CFAA cases does not give a free pass to individuals who simply claim to be conducting security research, but do so in bad faith. For example, using a vulnerable device for extortion, even when claimed as research, does not qualify as “good faith. The policy focuses on charging CFAA cases where a defendant illegally accessed a part of a computer without authorization. Federal prosecutors should consult the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing charges in potential CFAA cases. Meanwhile, employers will benefit from a few tips on how to protect their business against cybersecurity threats, in general.