Department of Justice Updates Criminal Enforcement Policy for CFAA Violations in Response to Van Buren

As previously reviewed here, in 2021 the U.S. Supreme Court issued its ruling in Van Buren v. United States, which reined in the criminal reach of the Computer Fraud and Abuse Act of 1986 (“CFAA”) – a federal statute imposing criminal and civil penalties for certain types of computer hacking. Last month the Department of Justice (“DOJ”) updated the Justice Manual provisions pertaining to prosecution of alleged CFAA violations. The Justice Manual, which guides charging decisions and sets parameters for federal prosecutors, now more closely aligns with Van Buren in that it reflects a more restrictive and narrow criminal application of the CFAA.

The new guidelines also provide clarity to professionals in the computer and cybersecurity industry as to what conduct constitutes a CFAA violation. Specifically, the guidelines are a resource for those engaged in “good faith security research,” which is sometimes referred to as “white hat security research.”

Limited Exceptions for White Hat Security Research

The DOJ’s now-updated guidelines advise against prosecution for “good-faith security research” conducted by cybersecurity consultants who might otherwise be in technical violation of either the “access without authorization” or “exceed authorized use” provisions of the CFAA. Good-faith security research is defined as:

accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Certainly not all security research is lawful or will qualify as “good faith.” The DOJ policy specifies that research not conducted in good faith should not be exempt from criminal prosecution when CFAA violations occur. Bad faith research is classified as cybersecurity activity intended to “discover[] security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services.” (emphasis added). For example, the unsolicited identification of vulnerabilities in systems by researchers who hope to sell fixes to system owners is likely not a valid good-faith exception to CFAA violations. Additionally, deliberate or egregious criminal violations of the CFAA and situations where national security issues are implicated are unlikely to be affected by the policy changes.

Limited Exceptions for Terms of Use or Company Policy Violations

According to the DOJ’s now-updated guidelines, violations of private contractual agreements, such as “terms of use” or “terms of service” agreements, between users and internet service providers, users and public web service providers (such as social media websites), and employers and employees should not be prosecuted under the CFAA. The Justice Department policy advises against prosecution where a computer user exceeded authorized access solely by violating a restriction contained in a contractual agreement, or where an employee used an assigned computer in a way prohibited by the employer’s policies. Examples include instances where an employee checked social media or sports scores on a work-issued computer. While such conduct may potentially violate an employer’s computer use policies, it is unlikely to result in criminal liability under the CFAA. While these parameters lessen the risk of criminal prosecution, users are cautioned that policy violations could still lead to civil liability under the CFAA and/or associated federal and state anti-hacking and computer trespass statutes.

Civil and criminal liability for computer system access violations can be nuanced and complicated. System owners, managers, researchers, or others with questions about CFAA violations should talk with an experienced attorney if they believe their system has been accessed without authorization, or that authorization has been exceeded by users. Similarly, individuals concerned about their own potential criminal or civil exposure, or those who have been accused of computer policy violations, should immediately seek legal counsel.
