New Justice Department guidelines promise not to prosecute security researchers under anti-hacking laws
Facepalm: Don’t worry. The Justice Department will not hunt you down for finding a security vulnerability or making a fake Facebook profile. It has decided to take the advice of the SCOTUS and not make federal cases out of violations of company or website policy. Under new DoJ rules, misusing a computer system you have authorized access to is not prosecutable.
The US Department of Justice (DoJ or Justice Department) issued a press release Thursday clarifying the crimes falling under the Computer Fraud and Abuse Act (CFAA). The law was passed in 1984 and updated in 1986. However, the language of the legislation is so broad that doing security research — something that barely even existed at the time — or using a company computer for personal reasons could constitute a federal crime.
Under the CFAA, anyone attempting to access files, computers, systems, or even websites owned by someone else could face charges, even if they have authorization to use the system. However, the Justice Department says it will not pursue “good-faith security research,” which is still vague but better than the original language.
The policy change follows a US Supreme Court (SCOTUS) ruling in June of last year that whittled down the scope of the law. The case involved a police officer who accessed and sold license plate information obtained from his squad car’s computer. He was convicted and sentenced to 18 months in prison.
An appeal to the Eleventh Circuit upheld the conviction, but the SCOTUS overturned it in a 6-3 ruling last year. The justices’ opinions turned on the law’s wording, which forbids “exceeding authorized access.” The high court believes that “exceeding authorized access” is overly broad and should not cover those misusing a system they have legal permission to use. The court said it criminalizes a “breathtaking amount” of everyday computer use.
The Supreme Court gave several examples in its opinion demonstrating how the letter of the law could stray from its intent. Taking heed of these hypothetical situations, the DoJ formally issued policy changes to ensure it would not overextend the purpose of the 36-year-old legislation.
“Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” said the Department. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”
Instead, the policy will focus on instances where the defendant has no authorized access at all or breaches a forbidden part of an otherwise authorized system. For example, a user can access and even misuse his own work email, but not a coworker’s. The misuse of his own email might violate company policies, but it does not violate the CFAA under this new interpretation.