Today, the Department of Justice (“DOJ”) updated its policy regarding charging violations under the Computer Fraud and Abuse Act (“CFAA”). This is the first update to the DOJ’s policy since 2014, and it is effective immediately. The policy states that all federal prosecutors who wish to charge cases under the CFAA must follow the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges. Importantly, the policy delineates what activities should not be criminal violations of the CFAA and emphasizes that DOJ’s “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”
Good-Faith Security Research Should Not Trigger Criminal Charges Under The CFAA.
For the first time, the policy now expressly states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” As noted by Deputy Attorney General Lisa O. Monaco, “today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” The policy defines “good-faith security research” as accessing a system “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” However, “claiming to be conducting security research is not a free pass,” and DOJ re-affirms that any attempt at extortion is not good-faith research.
The Policy Clarifies (And Narrows) What It Means To “Exceed Authorized Access.”
Courts interpreting the CFAA have often expressed concern over hypothetical violations of the CFAA for “exceed[ing] authorized access.” In a nod to the Supreme Court’s decision in United States v. Van Buren (2021), the new policy prohibits CFAA prosecutions based on a theory that the “defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy,” such as a website’s terms and conditions. Yet, the new policy leaves open a “narrow exception” that would allow a CFAA prosecution based on a contractual limitation if the owner of the accessed computer had a “contract[], agreement[], or polic[y] that entirely prohibit[s] defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances.” Such a prosecution would raise a question that the Supreme Court expressly reserved in Van Buren and would likely be hotly contested.