New DOJ CFAA Enforcement Policy Offers Solace to White Hat Computer Security Researchers

For years, courts and commentators have mused about hypothetical Computer Fraud and Abuse Act (CFAA) violations by computer security researchers. On May 19, 2022, the United States Department of Justice (DOJ) published changes to its CFAA enforcement policy, which are effective immediately, addressing these concerns and giving some comfort to white hat security researchers. However, the guidance leaves gray areas, especially when individuals find security flaws and vulnerabilities in businesses that do not offer rewards for information about their findings through a bug bounty program. Likewise, the guidance may incentivize threat actors to pose as bona fide security researchers, meaning businesses must continue to be vigilant in their cybersecurity efforts. The DOJ’s updated policy, key considerations for security researchers, and recommendations for businesses are further discussed below.

The DOJ’s Updated Policy

The new policy indicates federal prosecutors should decline prosecution if available evidence shows the actor’s conduct consisted of, and intended to, engage in good-faith security research. Under the policy, good-faith security research means:

“Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the access computer belongs, or those who use such devices, machines, or online services.” 

The policy update further clarifies what will not be considered “good-faith security research” by stating that security research “for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services” would not be considered good faith. This is a critical clarification with the year-over-year increase in ransomware attacks and cyber extortion gang activity. It signals that the CFAA remains a viable tool in DOJ’s fight against cybercrime as cybercriminals cannot avoid prosecution merely by claiming their actions were good-faith security research.

This policy update also tracks the Supreme Court’s decision in Van Buren v. United States. In Van Buren, the Court limited the scope of liability under the CFAA for unauthorized use of computer systems. The Court held that an individual does not “exceed authorized access” under the CFAA when the individual is authorized to access certain areas of a computer system but uses that access for a prohibited purpose. The Court was concerned that a broad interpretation of “exceeds authorized access” would attach criminal penalties to “commonplace computer activity.” The new DOJ policy heeds the Court’s concerns by defining and limiting the scope of enforcement such that users will not face federal criminal charges under the CFAA for violating a purely contractual access restriction, such as those in a website’s terms of use or a company’s acceptable use policy.

Consistent with Van Buren, the revised charging guidance narrows enforcement for “exceeds authorized access” cases. Under the guidance, a prosecutor may not charge a defendant with “exceeding authorized access” unless a protected computer system is divided in a “computational sense” through “computer code or configuration, rather than through contracts, terms of service agreements, or employee policies.” For example, users who check sports scores or pay bills at work do not violate the CFAA. Further, a defendant does not “exceed authorized access” by merely violating a website’s terms of use, which follows the Ninth Circuit’s decision in hiQ Labs, Inc. v. LinkedIn Corp. regarding “scraping” publicly accessible information from a website. Likewise, a user does not violate the CFAA when they embellish an online dating profile or use a pseudonym on a social media site that prohibits such use. However, a defendant “exceeds authorized access” when the defendant gains access to someone else’s account on a multi-user computer system or website. Such user is only permitted to access their own account on that system or service.

To avoid criminalizing ordinary activity, the guidance requires a high showing of mental state. Prosecutors must prove a defendant “was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct.” Evidence that a network owner or operator unambiguously informed a defendant that they did not have the authorization to access the computer or area of the computer, such as a written cease and desist letter, may be sufficient to meet the burden of proof. Thus, businesses should try putting threat actors on notice that their actions are not authorized.

Considerations for Security Researchers

Overall, the revised charging guidance appears welcome, as it furthers the DOJ’s enforcement goals while providing some peace of mind to white hat security researchers. The change should help promote cybersecurity by allowing good-faith researchers to discover security vulnerabilities.

But the language referencing extortion may give some security researchers pause. Participating in a traditional bug bounty program should not carry risks under this updated policy because a company that offers a bounty in advance is not being extorted. However, various security researchers regularly scan for and seek out exploits, reaching out to companies without bug bounty programs and offering to disclose their findings for a fee. In most cases, if the company does not pay for the exploit the security researcher will disclose it to a security blogger, publishing the exploit, building their credentials by getting credit for the finding, and publicly shaming the company, potentially alerting the public to a security incident. Such behavior falls into a gray area and may not be protected by DOJ’s updated policy.

In addition, it is important for security researchers to recognize this updated policy only pertains to CFAA charges brought by the DOJ. It does not preclude the possibility of criminal or civil penalties in other jurisdictions (e.g., under state or international statutes) or other liability.

Recommendations for Businesses

One side effect of DOJ’s new charging policy may be that businesses see an uptick of not only good-faith actors, but also threat actors attempting to access their environments and sensitive information. Threat actors and scammers may try to use this policy to mask their unlawful activities as those expressly permitted by the policy. They may claim the policy protects their attempts to infiltrate businesses or offer to disclose vulnerabilities in exchange for payment. Threat actors may also attempt to portray themselves as “security researchers” to access sensitive information.

Given that risk, businesses should:

• Implement or update bug bounty programs.
• Take all contacts by outside actors who claim to be security researchers seriously and treat those contacts as potential security incidents. 
• Determine the internal team members and third-party resources needed to assess the validity of a security researcher’s findings.
• Proactively implement an effective security incident response program, and conduct regular security assessments.
• Regularly train employees on phishing, spear phishing, smishing, and social engineering attacks to reduce the chances that a threat actor can manipulate an employee into divulging sensitive information or granting access to systems.

For more information about security measures that your organization can deploy or for assistance in responding to a cyberattack, please contact one of the authors or a partner or senior counsel member of Foley & Lardner LLP’s Cybersecurity and Privacy Team.

The authors gratefully acknowledge the contribution of Lauren Hudon, 1L law student, Marquette University Law School, and summer clerk at Foley & Lardner LLP.