Takeaway: The DOJ’s recent revisions to their internal policy promote the Department’s goals that the CFAA is applied consistently by government attorneys and better understood by the public. These goals ensure that the law adequately responds to evolving cybersecurity and privacy challenges.
On May 19, 2022 the Department of Justice announced[1] revisions to their policy[2] that federal prosecutors must consult before bringing any charges under the Computer Fraud and Abuse Act (“CFAA”).[3] The CFAA provides protection against unauthorized access or damage to a protected computer such as hacking and imposes both civil and criminal penalties for violations. Because the definition of “protected computer” includes computers used in or affecting interstate or foreign commerce or communications, courts have held that any computer connected to the internet falls within the scope of this definition.[4] Thus, clarification on the scope of the potentially wide-reaching Act will ensure more consistent application and enforcement.
The revised policy states that “[t]he Department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”[5]
The revisions note for the first time that government attorneys should decline prosecution if the defendant’s conduct qualifies as “good-faith security research,” which is defined as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” Prosecutors must confer with the Computer Crime and Intellectual Property Section (“CCIPS”) of the Criminal Division prior to charging under the CFAA and accordingly can seek guidance as to whether the Defendant’s conduct falls within the definition of good faith research.[6]
Deputy Attorney General Lisa A. Monaco noted that “[c]omputer security research is a key driver of improved cybersecurity” and that “[t]he department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” [7]
The revisions also clarify issues that courts have addressed in recent years concerning the language of “exceeds authorized access.”[8] Actions such as embellishing online dating profiles or using pseudonyms on social networks do not warrant charges under the CFAA based on violation of user contracts. Likewise, checking sports scores or paying bills at work will not be penalized merely by virtue of an employee using an employer’s computer in violation of the employer’s policies. The policy revisions are in furtherance of the recognition that while technology and criminal behavior continues to evolve, federal prosecutors must apply the law consistently.
[1] https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act.
[2] USAM 9-48.000. https://www.justice.gov/jm/jm-9-48000-computer-fraud.
[3] 18 U.S.C. § 1030.
[4] See United States v. Nosal, 676 F.3d 854, 861 (9th Cir. 2012); United States v. Trotter, 478 F.3d 918, 921 (8th Cir. 2007).
[5] USAM 9-48.000 (B)(3).
[6] The policy also provides that “[s]ecurity research not conducted in good faith—for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith.”
[7] https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act.
[8] See Van Buren v. United States, 141 S. Ct. 1648, 1661, 210 L. Ed. 2d 26 (2021).
