DOJ Clarifies Security Research Protected Under CFAA

It is interesting to read the sensible conclusions being reached by the U.S. Department of Justice, the department established under President Grant in 1870.

Justice Department urges prosecutors not to bring cases against legitimate cybersecurity researchers under main U.S. anti-hacking law, enacted in 1986

The reporter uses a powerful method called the “sandwich” to push the message here.

The policy change is a victory for the many cyber professionals and academics who have criticized the Computer Fraud and Abuse Act for potentially criminalizing research that security experts see as key to protecting computer systems from cyberattacks.

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Deputy Attorney General Lisa Monaco said in a statement.

The revised policy directs federal prosecutors to avoid bringing cases if individuals accessed computers to test, investigate or correct vulnerabilities “in a manner designed to avoid any harm to individuals or the public.”

See what just happened?

1) The policy change
2) DoJ says “never been interested”
3) The revised policy

Next comes the reporter trying to explain why a new policy is really just a clarification of overly broad computer language from the 1980s.

Critics in the cybersecurity industry say the language is ambiguous and could be used to prosecute routine activity…

Clarifying how prosecutors should read vague statutory language from the dinosaur days of computers arguably doesn’t rise to the level of changing a policy, but the DoJ itself wants it to be seen as a clean break, because the prior policy didn’t accurately represent its intentions.

The official DoJ announcement text ends with this:

All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy, and to consult with CCIPS before bringing any charges. Prosecutors must inform the Deputy Attorney General (DAG), and in some cases receive approval from the DAG, before charging a CFAA case if CCIPS recommends against it. The new policy replaces an earlier policy that was issued in 2014, and takes effect immediately.

And that follows the reasonable doctrines of accuracy and efficiency in justice.

The new policy states explicitly the longstanding practice that “the department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.” Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. […] The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.

In related news, some people have all the fun.

Former special forces operative Guillaume runs a company called Golem Protection that tests the defences of high profile business people or wealthy VIPs from all over the world. His team “breaks into” well-guarded homes, using paintball guns and marker pen “knives” to demonstrate just how terrifyingly close they can get to their targets. […] “Obviously, we simulate the killing part,” he jokes.
