US won’t prosecute ‘good faith’ security researchers under CFAA

The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

The update clarifies that conducting security research for the purposes of finding flaws in devices or software, and then extorting the owners, "is not in good faith."

Hopefully, the policy changes will make security researchers' lives less stressful

"Computer security research is a key driver of improved cybersecurity," stated Deputy Attorney General Lisa Monaco. "The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy clarifies CFAA language that prohibits accessing a computer "without authorization," but has long been criticized by security researchers and some lawmakers for not defining what the term means. Anyone charged with violating the law can face up to a long time behind bars.

Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for downloading millions of research papers. Two earlier attempts at legislative reform, known as Aaron's Law, never made it out of Congress. And it's worth noting that the updated policy is not a legislative fix to the problem.

Lying on your dating profile: still OK

Under the new policy, the Justice Department says it won't prosecute researchers for accessing computer systems "without authorization" unless:

• The defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization;
• The defendant knew of the facts that made the defendant's access without authorization; and 
• Prosecution would serve the Department's goals for CFAA enforcement.

These enforcement goals "are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems," the Department states.

Additionally, the updates clarify some hypothetical CFAA violations. For example, prosecutors won't charge you for embellishing an online data profile, using a pseudonym on a social networking site that prohibits fake names, or checking sports scores or paying bills at work.

While security researchers agree the updated policy is a step in the right direction, most contacted by The Register say the changes don't go far enough to protect them while they simply do their jobs.

New policy doesn't go 'nearly far enough'

The Electronic Frontier Foundation (EFF), which has long called for CFAA reform, noted it was "pleased" that the Department was recognizing the role that researchers play in making the entire internet more secure. 

"However, the DOJ's new policy does not go nearly far enough: by exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution," EFF Senior Staff Attorney Andrew Crocker told The Register. 

The agency policy isn't binding, and can also be changed at any time by a future administration, he added.

"And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators," Crocker said. "The policy is a good start, but it is no substitute for comprehensive CFAA reform."

• Scraping public data from the web still OK: US court
• Journo who went to prison for 2 years for breaking US cyber-security law is jailed again
• Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in
• CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America

Self-described hacker Nate Warfield, who previously worked as a senior security researcher for Microsoft, also called the changes a positive move.

"There are risks in doing security research in that depending on the research target, the response to one's findings may not be taken as being well intended," he told The Register, noting Aaron Schwartz, and, more recently the Missouri reporter who was threatened with prosecution after reporting social security numbers exposed on a State government website.

"It's a fine line to demonstrate what a malicious actor could do in an attempt to warn an organization," Warfield continued. 

"Think of it as if I walked up to your home, saw it was unlocked, let myself in and used your home phone to call you and let you know you'd left your house unlocked," he said. "While it was done with good intentions, in the eyes of the law it's breaking and entering." 

No protection at the state level

Additionally, the policy doesn't protect researchers from prosecution at the State level, nor does it shield them from corporations that decide to take action.

"I don't think this will address people being arrested, search warrants issued or their names being smeared in the public eye," Warfield said. "While they may eventually be cleared of any wrongdoing, the damage to their lives will have already been done." 

While the policy changes are an "improvement," Forrester security analyst Allie Mellen noted the "hacker community has a long and challenging history with the CFAA." 

Because of this, the phrase "good-faith research" and other vaguely worded sections in the policy leave a good amount of prosecutorial wiggle room, and "should give security researchers pause," Mellen told The Register. "It's important for researchers to keep records of any agreements made with the companies they are researching and any other relevant paperwork."

Ministry of good faith?

Hopefully, the policy changes will make independent security researchers'' lives "a little less stressful by giving them more freedom to work on bug hunting and responsible disclosure, without the overhanging threat of the legal system," added Kev Breen, Immersive Labs' director of cyber threat research. 

Still, this doesn't give independent bug hunters a free pass. "If they do find vulnerabilities and report them — especially if they tipped over the lines — they may still find themselves in hot water," Breen told The Register. "I urge them to still apply the same level of caution and ethics we would have expected from them before this announcement." 

And he, like several others, takes issue with "good faith," which Breen called "a bit of a fuzzy statement."

Full disclosure: Breen is British, but while he's not bound by US policy, he noted that the UK does have similar laws. 

"My nationality aside, it wouldn't make much of a difference for any security researcher that is working on behalf of an organization," he said.

Here's what Breen means: the first thing that he does when beginning a research project or responsible disclosure is to call up the company's general counsel, "especially when the organization sits outside of the UK," he said.

"This is to ensure I'm not straying too far from those virtual lines on the digital ground, but more importantly, I have some top cover if things go a little 'pear-shaped' or a company doesn't understand responsible disclosure," Breen explained. ®