Department of Justice Announces New Charging Policy under the Computer Fraud and Abuse Act

The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).

The policy states for the first time that good faith security research should not be charged. Good faith security research means accessing a computer solely for the purpose of good faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

“Computer security research is a key driver for improving cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity to bona fide security researchers who eliminate vulnerabilities for the common good.”

The new policy explicitly sets out the long-standing practice that “the department’s objectives in enforcing the CFAA are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators and others to ensure the confidentiality, integrity and availability of information stored in their information systems.” Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned certain courts and commentators should not be charged. Embellishing an online dating profile contrary to the dating site’s terms of use; creating fictitious accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not in themselves sufficient to warrant federal criminal charges. The policy focuses departmental resources on cases where a defendant is either not authorized to access a computer at all, or was authorized to access only part of a computer – such as an email account – and, despite knowing about that restriction, accessed a part of the computer to which their authorized access did not extend, such as other users’ emails.

However, the new policy recognizes that claiming to conduct security research is not a free pass for those who act in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research”, is not in good faith. The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.

All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy and to consult with CCIPS before bringing charges. If CCIPS advises against charging, prosecutors must notify the Deputy Attorney General (DAG), and in some cases obtain the DAG’s approval, before indicting a CFAA case.

The new policy replaces a previous policy issued in 2014 and is effective immediately.
