On May 19, the US Department of Justice (DOJ) announced a revised policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA), directing its prosecutors not to charge "good-faith" computer security research. In the announcement, Deputy Attorney General Lisa Monaco noted that "[c]omputer security research is a key driver of improved cybersecurity." DOJ "has never been interested in prosecuting good-faith computer security research as a crime," she continued, and "today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."
The revised policy defines "good-faith security research" as "accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability," under two conditions. First, the activity must be "carried out in a manner designed to avoid any harm to individuals or the public." And second, the information derived from the activity must be "used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services." DOJ's policy directs prosecutors to use the definition of "good-faith research" that the Register of Copyrights proposed in an October 2021 rulemaking recommendation for exceptions to federal prohibitions on the circumvention of digital copyright protections.
DOJ warned, though, that claiming to be conducting cybersecurity research "is not a free pass." Under the policy, individuals who research security vulnerabilities in order to extort their owners or for other nefarious purposes may still be charged. The policy leaves open the question of whether a cybersecurity researcher can meet the criteria for good-faith security research—e.g., "accessing a computer solely for purposes of good-faith testing" and using any information "primarily to promote the security or safety" of the technology (emphases added)—while receiving remuneration, such as compensation under responsible vulnerability disclosure programs, for example. In sum, DOJ's "good faith" requirement may protect research conducted in the public interest, but only time will tell how prosecutors choose to apply it to individual cases.
As a procedural matter, all federal prosecutors who seek to charge cases under the CFAA are required to consult with DOJ's Computer Crime and Intellectual Property Section (CCIPS) before bringing charges. If the prosecutor intends to charge a case contrary to CCIPS's written recommendation, she must inform the Deputy Attorney General's office before charging and, in some cases, seek approval.
If you have questions about this new policy or cybersecurity research generally, please contact any of the authors or members of Arnold & Porter's Privacy, Cybersecurity & Data Strategy group. We'll continue to update you about new developments in CFAA and cybersecurity enforcement here on Enforcement Edge. In fact, coming up, we'll provide an update on what DOJ's revised CFAA policy means for the "exceeds authorized access" debate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
