Long a bane of security researchers looking to identify potentially dangerous vulnerabilities in apps and websites, the Computer Fraud and Abuse Act (CFAA) is being toned down somewhat by an official change in Department of Justice (DOJ) policy. While the language of the controversial law will not be changing, the DOJ is promising that it will no longer be applied to security researchers who are not acting in a malicious way.
No real change to CFAA’s questionable terms, but security professionals given more freedom to work
Now over 35 years old, the CFAA has been broadly criticized throughout the technology world for its vague terms, harsh punishments and latitude for abuse by both overbearing prosecutors and unscrupulous companies. Activists and critics will have to continue to wait for true legislative reform, but the DOJ policy change indicates at least some recognition of a need for the law's terms to be updated to fit modern circumstances.
The change in policy ultimately amounts to a promise by the DOJ, and one that could be rescinded by another CFAA policy change in the future. There is still some reason for security researchers to be wary, as the wording draws on a legal definition of “good faith” established by the Digital Millennium Copyright Act that has rather vague terms of its own. However, it does offer at least some assurance that “white hat” researchers looking for bugs and vulnerabilities to improve security will not have to deal with legal retaliation from an embarrassed company or agency.
CFAA to no longer apply to security researchers “avoiding harm,” “promoting security” with their actions
It remains to be seen how the DOJ applies the new policy, but for now it appears that security researchers who act without “malicious intent” will not have to worry about prosecution. At times, the law has had something of a chilling effect on independent research that might have led good actors to vulnerabilities before bad actors found them.
The DOJ did provide some clarity to the “good faith” definition by stating that charges would not be brought if security researchers were determined to be promoting security and safety with their explorations of devices, networks and services. They should also be safe under the new policy if they are attempting to avoid any harm to individuals or to the general public.
While the CFAA still has harsh punishments in store for those who fall outside of this definition, some of its terms relating to “access in excess of authorization” were weakened by a 2021 Supreme Court ruling (Van Buren v. United States). If an end user has been given legitimate access to a service or database, the circumstances under which the CFAA can be applied to misuse or unintended use of that resource are now much narrower.
Security researchers should also note that the DOJ policy has no influence on state laws, some of which mirror the CFAA terms. Strong charges might still be brought in these states.