The U.S. Department of Justice is changing its policy around a controversial anti-hacking law, addressing longstanding complaints from cybersecurity researchers that the law could criminalize good-faith efforts to improve technology.
The Computer Fraud and Abuse Act, or CFAA, is a federal statute outlawing unauthorized access to computers and networks. While prosecutors have used the law to convict thousands of people, critics have long said the statute, enacted in 1986, is overly broad and gives prosecutors the flexibility to charge defendants for innocuous digital activity.
Prosecutions of plainly innocuous activity are rare, but legal experts and activists point to numerous instances in which they believe the law was misused, and they maintain that the mere possibility of charges creates a chilling effect that inhibits efforts to improve security.
In particular, ambiguous language about what constitutes “authorized access” to a “protected computer” has created potential criminal liability for cybersecurity researchers—sometimes called “white hat hackers”—who seek out software flaws and then report them to the developer so the flaws can be fixed. Under the new policy, the department is advising prosecutors not to use CFAA to pursue criminal penalties against security researchers who are trying to improve technology.
Members of the security research community have so far welcomed the update.
“This is a demonstration from DOJ that the conversation around good-faith security researchers, white-hat hackers, has really changed in the past 10 years,” said Harley Geiger, a senior director for public policy at the security firm Rapid7. “The U.S. is trying to walk a fine line between allowing good-faith security research to benefit society and avoiding giving criminals a loophole to break the law.”
CFAA has been a hotly debated topic since Aaron Swartz, an entrepreneur and Internet activist, took his own life in 2013 while facing prison time. Swartz was accused of improperly accessing the Massachusetts Institute of Technology’s network to download millions of academic papers from the JSTOR subscription service.
His case has frequently been cited by the Electronic Frontier Foundation and others as an example of the heavy penalties that are possible when prosecutors apply CFAA broadly to everyday kinds of Internet activity.
The new policy would have discouraged the prosecution of Christian Sandvig, a University of Michigan professor who planned to use fake online accounts to study whether social media services discriminated against users from different backgrounds. The tactic would have violated the sites’ terms of service, a potential CFAA violation, which led Sandvig and the American Civil Liberties Union to sue the Justice Department to challenge the law.
A district court ruled in Sandvig’s favor in 2020, a decision that factored into the new DOJ policy, Justice Department officials said.
In addition, about a year ago, the U.S. Supreme Court ruled against the DOJ in a case that narrowed the scope of the law. The case, Van Buren v. U.S., involved a former Georgia police officer who was accused of exceeding “authorized access” under CFAA by looking up license plate data in a police database in exchange for a bribe. In a 6-3 opinion, the court said such an interpretation of the law “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
Importantly, according to Rapid7’s Geiger, the Justice Department’s update only clarifies federal prosecution. Corporations still can use CFAA to take legal action against researchers who find flaws in corporate software, and state laws still enable local prosecutors to take up cases that federal prosecutors won’t.
“This is a positive step, but it will take an act of Congress to really rebalance the law in the way it needs,” Geiger said.
The DOJ’s change also aims to focus prosecutors’ attention on more pressing threats, such as ransomware, distributed denial-of-service attacks and foreign cybercriminal threats.
It also strengthens a consultation requirement for prosecutors who seek to bring charges under CFAA.
U.S. attorneys must consult with the department’s Computer Crime and Intellectual Property Section (CCIPS) on how to proceed. If CCIPS recommends against a prosecution, the charging attorney must notify the deputy attorney general before moving forward with the case, and the deputy attorney general has the power to stop the case from being charged.
“If you’re moving fast and you need to charge a case, and then all of a sudden you need to deal with the deputy attorney general, that sounds a little stressful,” said Kamal Ghali, a former U.S. cybercrime prosecutor who now is a partner at Bondurant Mixon & Elmore LLP.
“These are new factors that will force prosecutors to think about where they’re going to spend their resources.”