DoJ Decision Gives Good Faith Hackers Relief From CFAA
After years of being hamstrung by the threat of prosecution under the Computer Fraud and Abuse Act (CFAA), security researchers and hackers operating in good faith have gotten some relief after the U.S. Justice Department said it would not bring charges against them under the law.
The federal statute had, at least theoretically, threatened researchers acting in good faith, even those participating in bug bounty programs, who are among the most creative, innovative minds in security.
“Researchers often complained that, even when firms have a coordinated disclosure or ‘bug bounty’ program, too much push-back or friction exists; they often feel slighted or pushed off,” said Archie Agarwal, founder and CEO, ThreatModeler. “Organizations, for their part, are often stuck when presented with a disclosure because the researcher found a fatal design flaw that will require months of concerted effort to mitigate—perhaps some researchers preferred such flaws would stay buried out of sight.”
John Bambenek, principal threat hunter at Netenrich, has personal experience with this conundrum. He noted that “on two occasions, a major organization attempted to get the FBI to prosecute me for otherwise benign behavior. I got lucky that the case agent took a pass.” Others, he pointed out, “have not been as lucky.”
“I did pro bono expert witness work for a journalist who was taken to court under California’s CFAA version simply for downloading documents from an unprotected Dropbox folder,” said Bambenek. “The long history of government overreach with regard to this statute is both well-known and tragic. The cost of misuse of the CFAA can be measured, quite literally, in dead bodies.” While Bambenek “would rather have the law changed to close this door for good, in the absence of congressional action,” he “celebrate[s] the decision of [the Department of] Justice in this matter.”
Researchers, lawmakers and others pushed for CFAA reform, particularly after the death of Aaron Swartz, whose suicide in 2013—after the DoJ decided to charge him with theft for downloading 4.8 million documents from JSTOR—prompted an outcry and massive pushback. Aaron’s Law, which would reform the act, has been circulating for years.
Calling the DoJ decision an “historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation,” Ilia Kolochenko, founder of ImmuniWeb, said it “will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now handle critical data.”
The Justice Department’s new policy is an acknowledgment that “computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa Monaco.
The agency, she said, “has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The policy now bolsters a longstanding practice at the department that its “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators and other persons to ensure the confidentiality, integrity and availability of information stored in their information systems.”
The department has essentially clarified that hypothetical CFAA violations won’t be charged. For instance, things like embellishing an online dating profile in direct conflict with the site’s terms of service or creating fake accounts on hiring or rental websites are not, in and of themselves, enough to bring criminal charges. Instead, DoJ will focus “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer—such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails,” according to a release from Justice.
“Explicitly legitimizing coordination and disclosure by well-intentioned security researchers is a good thing,” said Agarwal.
And it’s long overdue, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“The fact that researchers have, for years, tried to find and help correct security flaws under a regime that amounted to ‘no good deed goes unpunished’ shows the dedication they had to doing the right thing, even if doing the right thing meant risking fines and jail time,” said Parkin. “This policy change removes a fairly substantial obstacle to vulnerability research, and we can hope it will quickly pay dividends with more people searching for bugs in good faith without the threat of jail time for doing so.”
But the public policy shift does not let researchers completely off the hook—they could still face charges from other quarters.
“Cybersecurity researchers should also bear in mind that, apart from the CFAA, they may face civil lawsuits, namely for breach of contract or intellectual property infringement,” said Kolochenko. “Moreover, due to the international nature of many tech vendors, criminal charges may be brought in other jurisdictions. Therefore, security research remains shark-infested waters.”
And the DoJ stance leaves quite a bit of gray area, said Agarwal.
“The DoJ may unwittingly open Pandora’s box: The definition of ‘good faith’ could vary broadly among security researchers,” added Kolochenko.
“Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad—albeit sincere—interpretation of ‘good faith,’ or let creative cybercriminals off the hook,” he said. “We should wait for a couple of years to monitor the evolution of the CFAA enforcement.”