In a significant development in anti-hacking criminal enforcement, the Department of Justice last week released new guidance for charging violations of the Computer Fraud and Abuse Act (“CFAA”), the nation’s premier computer crime law. Coming on the heels of a series of closely-watched legal decisions, including the Supreme Court’s 2021 decision in Van Buren v. United States, No. 19-783, the guidance clarifies the Department’s priorities for CFAA-related criminal prosecutions and seeks to create nationwide uniformity in charging decisions. In the newly-released policy, the Department makes clear its position that CFAA prosecutions should focus on unauthorized cyber intrusions made in bad faith—rather than hyper-technical or hypothetical violations of the law.
Enacted in 1986 as a targeted measure to combat a fairly circumscribed category of “computer trespassing” crimes, the CFAA’s reach has, over time, been greatly expanded to prosecute hackers. CFAA has been the basis for several high-profile cases involving WikiLeaks founder Julian Assange, Aaron Swartz (co-founder of Reddit), Gilberto Valle (the “Cannibal Cop”), and Lori Drew (whose MySpace hoax was blamed for the suicide of a 13-year-old neighbor).
These cases, in turn, led to a circuit split in the interpretation of the CFAA’s prohibition on “exceeding authorized access” to computer systems. 18 U.S.C. § 1030(a)(2). Some Circuits, including the Second, Fourth, and Ninth Circuits, narrowly interpreted the prong to criminalize only unauthorized access to a computer system, regardless of the purpose of that use. By contrast, the First, Fifth, Seventh, and Eleventh Circuits more broadly interpreted the statute to prohibit the misuse of data, even if the offender gained access to the information permissibly. Notably, the plain text of the CFAA also does not require that the person who accesses the computer actually do anything with the data seen or obtained, leading many legal commentators to express concern that the CFAA could prompt selective felony prosecutions even when the charged activity caused little or no harm.
In June 2021, the United States Supreme Court weighed in, issuing a 6-3 opinion in Van Buren v. United States, resolving the circuit split regarding what it means to “exceed[] authorization.” As we reported, the Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover situations where a person accesses information which she is authorized to access but does so for improper purposes.
Writing for the majority, Justice Barrett opined that while the Court’s decision was driven by the statute’s text, the government’s proposed reading of the statute also had to be rejected as untenable because it “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” The Court thus disallowed an overly-broad interpretation of the “exceeds authorized access” prong on the theory that it could criminalize every violation of a computer-use policy, creating criminals out of “millions of otherwise law-abiding citizens” who are, for example, sending personal e-mails or reading the news on work computers.
Against this backdrop and seemingly in response to the Court’s concerns, the Department’s revised guidance confirms that prosecutors will not seek criminal prosecutions for technical CFAA violations, such as simple violations of a website’s terms of service or basic access restrictions. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges,” says a DOJ press release. Consistent with the Van Buren decision, the guidance thus affirms that prosecutors will not seek to criminalize ordinary activities that otherwise might have resulted in criminal prosecution under an expansive application of the CFAA.
For the first time, the guidance also makes clear that the DOJ will not prosecute so-called “white-hat hackers,” or security researchers who access a computer system solely for the purposes of good-faith testing, investigation, or correction of a security flaw. As we have discussed, these researchers often perform a vital, albeit controversial, role in unearthing security vulnerabilities in existing cyber infrastructure. Under the newly-issued guidance, researchers who “root out vulnerabilities for the common good” are entitled to certain protections, which may allay fears that the disclosure of discovered vulnerabilities could result in legal consequences. But the new policy only goes so far, recognizing that searching for vulnerabilities in devices to extort bounties from their owners, even if claimed as “research,” is not in good faith and might still result in criminal prosecution. Inasmuch as it encourages good-faith disclosure of potential security flaws, however, the new policy has the potential to lead to a more secure and robust cybersecurity eco-system.
Notably, the Department’s guidance is just that, and remains subject to modification, particularly as new political administrations take the reins of power. For the time being, however, it does offer a uniform approach to guide prosecutorial charging decisions on a going-forward basis. Indeed, to “promote consistency,” the guidance requires individual prosecutor offices to consult with the Computer Crime and Intellectual Property Section (“CCIPS”) of the Criminal Division before bringing any CFAA charges and requires notice to the Deputy Attorney General (“DAG”) of any deviations from the guidelines in charging. Moreover, approval from the DAG must be obtained when an office seeks to charge a defendant with “exceeding authorized access” in a manner contrary to a recommendation from CCIPS.
Perhaps most important, the policy imposes a stringent burden of proof on prosecutors, requiring that they prove that “the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct.” The revised guidance thus reinforces the importance of establishing unambiguous permission policies and internal firewalls to protect sensitive information and put would-be intruders on notice to potential access violations that could trigger criminal penalties.
We will continue to monitor developments in this area.
