The U.S. Department of Justice says it will not subject “trustworthy security investigations” to charges under anti-piracy laws, acknowledging long-standing concerns about the Computer Fraud and Abuse Act (CFAA). Prosecutors should also avoid prosecuting people for simply violating a website’s terms of service – including a minor violation such as beautifying an appointment profile – or using a work-related computer for personal tasks.
La new DOJ policy attempts to allay fears about the broad and ambiguous scope of the CFAA following a Supreme Court ruling in 2021 that prompted a reading of the law more closely. The verdict warned that an earlier interpretation by government prosecutors risked criminalizing “a staggering amount of ordinary computer activity,” exposing several hypothetical examples that the DOJ now promises will not prosecute. This change is accompanied by a safe harbor for researchers conducting “bona fide testing, investigation and / or correction of security breach or vulnerability”. The new rules take effect immediately, replacing old guidelines published in 2014.
“The policy clarifies that hypothetical CFAA violations that have affected some courts and commentators are not prosecutable.” says DOJ press release. “Improve an online appointment profile contrary to the terms and conditions of the appointment website; create fictitious accounts on employment, housing or rental websites; using a pseudonym on a social networking site that bans them; check sports scores at work; pay bills at work; or violating an access restriction contained in a period of service is not sufficient in itself to warrant federal criminal charges. “
These guidelines reflect a recently restricted interpretation of “exceeding authorized access” to a computer, a practice criminalized by the CFAA in 1986. writer and law professor Orin Kerr explained in 2021, there has been a decades-long controversy over whether people “exceed” their access by violating any rules set by a network or computer owner – or whether they must explicitly access unrestricted systems and information. The previous interpretation led to cases like United States v. Drew, where prosecutors accused a woman of creating a fake profile on Myspace. The Supreme Court has leaned towards the latter version, and now, the DOJ theoretically does too.
The policy does not address all of the CFAA’s criticisms, such as its potential for disproportionately long prison sentences. It does not make the law below less confusing because it only affects how prosecutors interpret it. The DOJ also warns that the security research exception is not a “free pass” for probing networks. Someone who found a bug and extorted the owner of the system using that knowledge, for example, could be charged with performing that research in bad faith. Even with these limitations, however, the regulation is a promise to avoid a slap in the face from punitive anti-hacking charges against anyone who uses a computer system in a way that its owner does not like.