DOJ Revises Policy for Good-Faith Security ResearchersSpecifies That White Hats Cannot Be Charged Under Computer Fraud and Abuse Act
The U.S. Department of Justice has revised its policy on who it charges with violations under the Computer Fraud and Abuse Act. The DOJ now specifies that good-faith security research and researchers cannot be charged under the CFAA because they help improve cybersecurity standards.
Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act https://t.co/6PtBNd7xtW— Criminal Division (@DOJCrimDiv) May 19, 2022
"Computer security research is a key driver of improved cybersecurity,” says Deputy Attorney General Lisa Monaco. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."
The DOJ says the CFAA enforcement aims to "promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators and other persons to ensure the confidentiality, integrity and availability of information stored in their information systems."
Defining Good-Faith Research
Hackers rejoice! We applaud this wise and just decision. https://t.co/p5U5lZXypu— bugcrowd (@Bugcrowd) May 19, 2022
Ethical hacking group HackerOne’s spokesperson, Alex Rice, agreed telling Information Security Media Group, "A well-defined program helps circumvent the law's ambiguity and provides clear guidelines, so hackers do not fear criminal or civil prosecution when finding and fixing vulnerabilities." He adds, "The update establishes bug bounty and vulnerability disclosure as best practices for all organizations. There’s now one more reason for hackers to engage in good-faith research since the chance of prosecution is significantly reduced. While private companies can still cite the law in civil suits, these clarifications make it much harder for companies to interpret the law in their favor if the researcher is demonstrably acting in good faith."
But some others have raised concerns that "good faith" is currently subjective and needs to be defined in no uncertain terms to avoid misuse.
The DOJ appears to have borrowed the definition of good-faith security research from Section 1201 of the Digital Millennium Copyright Act, which is issued by the Copyright Office, says Rapid7's Geiger, who is also a cyber lawyer.
According to the Copyright Office's definition, good-faith security research means "accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."
Why the Policy Change?
In 2021, Gov. Michael Parson, R-Mo., called for criminal charges against a newspaper journalist who responsibly reported a website that had revealed teachers' Social Security numbers on a state government website.
Parson called it a "serious matter" and said that it was "clearly a hack." But his remarks drew widespread derision at the time for their technical awkwardness and mischaracterizations (see: Missouri Refers Coordinated Bug Disclosure to Prosecutors).
Citing this as an example, Geiger says: "For true good-faith security researchers, state computer crime laws and private lawsuits seem to be more significant threats than the CFAA. Remember that CFAA carries both a criminal and private civil liability."
Rice also told ISMG that while HackerOne has never been sued, it has declined to do business with companies that refused to offer safe harbor and, in the case of Voatz, removed a customer from the platform when they threatened legal action against a security researcher.
Geiger says instance such as this are the reason behind the policy change and adds that the revision was not done overnight. In fact, the DOJ directed the Copyright Office to further strengthen its protections for security researchers through two separate rulings over the years - one made in 2018 and the other in 2021. "These letters made a big difference in the success of this effort," Geiger says.
He adds that prior to this, the DOJ had also updated its CFAA policy to sharply limit prosecutions based on terms of service or contractual violations. "Such prosecutions are forbidden when the computer is available to the general public, as mentioned in section C of the Computer Fraud and Abuse Act.
The reason behind this, Geiger says, is the ruling by the Supreme Court in the Van Buren v. United States case (see: Supreme Court Votes to Limit Computer Fraud and Abuse Act).
The Supreme Court, in a 6-3 decision, ruled that a police officer had not violated the law when he searched a government-owned license plate database for an acquaintance in exchange for cash. The ruling put to rest some concerns that a broad interpretation of the CFAA could over-criminalize such activities, Geiger says.
What About Bad-Faith Actors?
Based on the revised policy changes, the DOJ says that it will not pursue cases under CFAA that include "embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service."
The DOJ says the policy focuses the department's resources on cases in which a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer - such as one email account - and despite knowing about that restriction, accessed a part of the computer to which their authorized access did not extend, such as other users' emails.
But this does not give a "free pass" for those acting in bad faith, the DOJ says. "For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as research, is not in good faith."
Rice adds, "This update also isn’t drastic enough that the deceptive “researcher” would have protection if the DOJ suspected malicious intent. These CFAA changes more narrowly define the DOJ’s interpretation of the law, but this law continues to have clear criminal and civil penalties. The DOJ can still pursue charges, and private companies can still cite the law when suing researchers."
Rice says that the more conservatives Enterprises have struggled to rationalize the disconnect between the clear benefit of encouraging security research and the legal uncertainty of requiring a "Safe Harbor" statement. However, these updates by the Department of Justice (DOJ) offer one less reason for companies to hesitate about disclosure programs and bug bounty in an industry that desperately needs more transparency. He told ISMG, "We’ve found that 64% of organizations still maintain a culture of security through obscurity, and 38% aren’t open about their cybersecurity practices."
The immediate next step after the implementation of this revised policy is for the DOJ to ask Congress for new CFAA authorities to tackle insider threats, since Van Buren limits this. "But it will be tricky to draft legislation targeting only malicious insiders without creating liability for ordinary internet users or white hat hackers. Still, these recent protections for security researchers help demonstrate that the DOJ intends to target actual threats, not beneficial hacking. So we'll just have to review the details of new proposals as they come," Geiger says.
According to the DOJ, the revised policy replaces one from 2014 and comes into effect immediately. But to avoid the confusion while defining a good- or a bad-faith actor to pursue cases under CFAA, the DOJ has asked all federal prosecutors to "consult with CCIPS before bringing any charges."
"Prosecutors must inform the Deputy Attorney General, and in some cases receive approval from the DAG, before charging a CFAA case if CCIPS recommends against it," the DOJ says.
Rice says he’d love for these definitions to go even further to protect ethical hackers nonetheless, says, "This is a great step forward for the community, but as the EFF has effectively argued, lawmakers now need to take this policy a step further.
"The fear of retribution from companies and the government partially drives the anonymous personas built by ethical hackers to do their work. More protections for hackers will incentivize good-faith research to secure the internet and create an environment where it is increasingly difficult for threat actors to succeed in their goals.”