New DOJ CFAA Enforcement Policy Offers Solace to White Hat Computer Security Researchers

For years, courts and commentators have mused about hypothetical Computer Fraud and Abuse Act (CFAA) violations by computer security researchers. On May 19, 2022, the United States Department of Justice (DOJ) published changes to its CFAA enforcement policy, which are effective immediately, addressing these concerns and giving some comfort to white hat security researchers. However, the guidance leaves gray areas, especially when individuals find security flaws and vulnerabilities in businesses that do not offer rewards for information about their findings through a bug bounty program. Likewise, the guidance may incentivize threat actors to pose as bona fide security researchers, meaning businesses must continue to be vigilant in their cybersecurity efforts. The DOJ’s updated policy, key considerations for security researchers, and recommendations for businesses are further discussed below.

The DOJ’s Updated Policy

The new policy indicates federal prosecutors should decline prosecution if available evidence shows the actor’s conduct consisted of, and intended to, engage in good-faith security research. Under the policy, good-faith security research means:

“Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the access computer belongs, or those who use such devices, machines, or online services.”

The policy update further clarifies what will not be considered “good-faith security research” by stating that security research “for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services” would not be considered good faith. This is a critical clarification with the year-over-year increase in ransomware attacks and cyber extortion gang activity. It signals that the CFAA remains a viable tool in DOJ’s fight against cybercrime as cybercriminals cannot avoid prosecution merely by claiming their actions were good-faith security research.

This policy update also tracks the Supreme Court’s decision in Van Buren v. United States. In Van Buren, the Court limited the scope of liability under the CFAA for unauthorized use of computer systems. The Court held that an individual does not “exceed authorized access” under the CFAA when the individual is authorized to access certain areas of a computer system but uses that access for a prohibited purpose. The Court was concerned that a broad interpretation of “exceeds authorized access” would attach criminal penalties to “commonplace computer activity.” The new DOJ policy heeds the Court’s concerns by defining and limiting the scope of enforcement such that users will not face federal criminal charges under the CFAA for violating a purely contractual access restriction, such as those in a website’s terms of use or a company’s acceptable use policy.

Consistent with Van Buren, the revised charging guidance narrows enforcement for “exceeds authorized access” cases. Under the guidance, a prosecutor may not charge a defendant with “exceeding authorized access” unless a protected computer system is divided in a “computational sense” through “computer code or configuration, rather than through contracts, terms of service agreements, or employee policies.” For example, users who check sports scores or pay bills at work do not violate the CFAA. Further, a defendant does not “exceed authorized access” by merely violating a website’s terms of use, which follows the Ninth Circuit’s decision in hiQ Labs, Inc. v. LinkedIn Corp. regarding “scraping” publicly accessible information from a website. Likewise, a user does not violate the CFAA when they embellish an online dating profile or use a pseudonym on a social media site that prohibits such use. However, a defendant “exceeds authorized access” when the defendant gains access to someone else’s account on a multi-user computer system or website. Such user is only permitted to access their own account on that system or service.

To avoid criminalizing ordinary activity, the guidance requires a high showing of mental state. Prosecutors must prove a defendant “was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct.” Evidence that a network owner or operator unambiguously informed a defendant that they did not have the authorization to access the computer or area of the computer, such as a written cease and desist letter, may be sufficient to meet the burden of proof. Thus, businesses should try putting threat actors on notice that their actions are not authorized.

Considerations for Security Researchers

Overall, the revised charging guidance appears welcome, as it furthers the DOJ’s enforcement goals while providing some peace of mind to white hat security researchers. The change should help promote cybersecurity by allowing good-faith researchers to discover security vulnerabilities.

But the language referencing extortion may give some security researchers pause. Participating in a traditional bug bounty program should not carry risks under this updated policy because a company that offers a bounty in advance is not being extorted. However, various security researchers regularly scan for and seek out exploits, reaching out to companies without bug bounty programs and offering to disclose their findings for a fee. In most cases, if the company does not pay for the exploit the security researcher will disclose it to a security blogger, publishing the exploit, building their credentials by getting credit for the finding, and publicly shaming the company, potentially alerting the public to a security incident. Such behavior falls into a gray area and may not be protected by DOJ’s updated policy.

In addition, it is important for security researchers to recognize this updated policy only pertains to CFAA charges brought by the DOJ. It does not preclude the possibility of criminal or civil penalties in other jurisdictions (e.g., under state or international statutes) or other liability.

Recommendations for Businesses

One side effect of DOJ’s new charging policy may be that businesses see an uptick of not only good-faith actors, but also threat actors attempting to access their environments and sensitive information. Threat actors and scammers may try to use this policy to mask their unlawful activities as those expressly permitted by the policy. They may claim the policy protects their attempts to infiltrate businesses or offer to disclose vulnerabilities in exchange for payment. Threat actors may also attempt to portray themselves as “security researchers” to access sensitive information.

Given that risk, businesses should:

Implement or update bug bounty programs.
Take all contacts by outside actors who claim to be security researchers seriously and treat those contacts as potential security incidents.
Determine the internal team members and third-party resources needed to assess the validity of a security researcher’s findings.
Proactively implement an effective security incident response program, and conduct regular security assessments.
Regularly train employees on phishing, spear phishing, smishing, and social engineering attacks to reduce the chances that a threat actor can manipulate an employee into divulging sensitive information or granting access to systems.

For more information about security measures that your organization can deploy or for assistance in responding to a cyberattack, please contact one of the authors or a partner or senior counsel member of Foley & Lardner LLP’s Cybersecurity and Privacy Team.

The authors gratefully acknowledge the contribution of Lauren Hudon, 1L law student, Marquette University Law School, and summer clerk at Foley & Lardner LLP.

Disclaimer

Deze blog wordt ter beschikking gesteld door Foley & Lardner LLP ("Foley" of "het kantoor") voor informatieve doeleinden. Het is niet bedoeld om het juridische standpunt van het kantoor namens een cliënt over te brengen, noch is het bedoeld om specifiek juridisch advies te geven. Eventuele meningen in dit artikel weerspiegelen niet noodzakelijkerwijs de standpunten van Foley & Lardner LLP, haar partners of haar cliënten. Handel daarom niet op basis van deze informatie zonder advies te vragen aan een bevoegde advocaat. Deze blog is niet bedoeld om een advocaat-cliënt relatie te creëren en de ontvangst ervan vormt geen advocaat-cliënt relatie. Communicatie met Foley via deze website per e-mail, blogbericht of anderszins creëert geen advocaat-cliënt relatie voor welke juridische kwestie dan ook. Daarom wordt communicatie of materiaal dat u via deze blog naar Foley verzendt, hetzij via e-mail, blogpost of op een andere manier, niet behandeld als vertrouwelijk of als eigendom. De informatie op deze blog wordt gepubliceerd "AS IS" en is niet gegarandeerd volledig, nauwkeurig en/of up-to-date. Foley geeft geen verklaringen of garanties van welke aard dan ook, expliciet of impliciet, met betrekking tot de werking of inhoud van de site. Foley wijst uitdrukkelijk alle andere garanties, waarborgen, voorwaarden en verklaringen van welke aard dan ook af, hetzij uitdrukkelijk of impliciet, hetzij voortvloeiend uit een wet, wet, commercieel gebruik of anderszins, met inbegrip van impliciete garanties van verkoopbaarheid, geschiktheid voor een bepaald doel, titel en niet-inbreuk. In geen geval zal Foley of een van haar partners, functionarissen, werknemers, agenten of filialen aansprakelijk zijn, direct of indirect, onder welke rechtsleer dan ook (contract, onrechtmatige daad, nalatigheid of anderszins), jegens u of iemand anders, voor claims, verliezen of schade, direct, indirect speciaal, incidenteel, bestraffend of gevolgschade, voortvloeiend uit of veroorzaakt door de creatie, het gebruik van of het vertrouwen op deze site (inclusief informatie en andere inhoud) of websites van derden of de informatie, middelen of het materiaal waartoe toegang wordt verkregen via dergelijke websites. In sommige rechtsgebieden kan de inhoud van deze blog worden beschouwd als advocaatreclame. Houd er, indien van toepassing, rekening mee dat eerdere resultaten geen garantie bieden voor een vergelijkbaar resultaat. Foto's zijn alleen voor dramaturgische doeleinden en kunnen modellen bevatten. Afbeeldingen impliceren niet noodzakelijkerwijs een huidige status als cliënt, partner of werknemer.