For years, courts and commentators have pondered hypothetical violations of the Computer Fraud and Abuse Act (CFAA) by computer security researchers. On May 19, 2022, the United States Department of Justice (DOJ) released changes to its CFAA Enforcement Policy, effective immediately, addressing these concerns and giving comfort to white hat security researchers. However, the guidance leaves gray areas, especially when individuals find security flaws and vulnerabilities at companies that don’t offer rewards for information about their findings through a bug bounty program. Likewise, the advice can encourage threat actors to pose as bona fide security researchers, which means companies must continue to be vigilant in their cybersecurity efforts. The updated DOJ policy, key considerations for security researchers, and recommendations for businesses are described in more detail below.
Updated DOJ Policy
The new policy says federal prosecutors should decline prosecution if available evidence shows the actor’s conduct consisted of, and was intended to be, bona fide security research. Under the policy, good faith security research means:
“Accessing a computer solely for the purpose of testing, investigating, and/or correcting a security breach or vulnerability in good faith, when such activity is carried out in a manner that prevents harm to persons or the public, and where the activity-derived information is used primarily to promote the safety or security of the class of devices, machines, or online services to which the accessing computer belongs, or those using such devices, machines or online services.”
The policy update further clarifies what will not be considered “good faith security research” by stating that security research “for the purpose of discovering security vulnerabilities in devices, machines or services in order to extort owners of such devices, machines or services” would not be considered bona fide. This is a critical clarification given the year-over-year increase in ransomware attacks and cyber-extortion gang activity. This signals that the CFAA remains a viable tool in the DOJ’s fight against cybercrime, as cybercriminals cannot avoid prosecution simply by claiming their actions were bona fide security research.
Consistent with Van Buren, the revised charging guidelines limit enforcement in “exceeds authorized access” cases. Under the guidelines, a prosecutor cannot charge a defendant with “exceeding authorized access” unless a protected computer system is divided in a computational sense, i.e., by “computer code or configuration, rather than by contracts, terms of service agreements, or employee policies.” For example, users who check sports scores or pay bills at work do not violate the CFAA. Furthermore, a defendant does not “exceed authorized access” simply by violating a website’s terms of service, which follows the Ninth Circuit’s decision in hiQ Labs, Inc. v. LinkedIn Corp. regarding the “scraping” of publicly available information from a website. Likewise, a user does not violate the CFAA by embellishing an online dating profile or using a handle on a social media site that prohibits such use. However, a defendant does “exceed authorized access” by accessing someone else’s account on a multi-user computer system or website, because that user is authorized to access only their own account on the system or service.
To avoid criminalizing ordinary activity, the guidelines require a heightened mental state. Prosecutors must prove that a defendant “was aware of the facts that rendered the defendant’s access unauthorized at the time of the defendant’s conduct.” Evidence that a network owner or operator unambiguously informed a defendant that they did not have permission to access the computer or a part of the computer, such as a written cease-and-desist letter, may be sufficient to meet this burden of proof. Companies should therefore make clear to threat actors that their actions are not authorized.
Considerations for Security Researchers
Overall, the revised charging guidelines are a welcome change, as they further the DOJ’s enforcement goals while providing some peace of mind for white hat security researchers. The change should help promote cybersecurity by allowing bona fide researchers to uncover security vulnerabilities.
But language referring to extortion may give some security researchers pause. Participation in a traditional bug bounty program should not be risky under this updated policy, as a company that offers a bounty upfront is not extorted. However, various security researchers regularly analyze and research exploits, approaching companies without bug bounty programs and offering to disclose their findings for a fee. In most cases, if the company doesn’t pay for the exploit, the security researcher will leak it to a security blogger, publish the exploit, strengthen their credentials by getting credit for the discovery and publicly shame the company, potentially alerting the public to a security incident. Such behavior falls into a gray area and may not be protected by the DOJ’s updated policy.
Additionally, it is important for security researchers to recognize that this updated policy pertains only to CFAA charges brought by the DOJ. It does not exclude the possibility of criminal or civil penalties in other jurisdictions (e.g., under state or international law) or other liabilities.
Recommendations for Companies
One side effect of the DOJ’s new charging policy could be that companies see an increase in contact not only from good faith actors, but also from threat actors trying to gain access to their environments and sensitive information. Threat actors and scammers may attempt to use this policy to disguise their illegal activities as conduct the policy expressly protects. They may claim that the policy shields their attempts to infiltrate businesses, or offer to disclose vulnerabilities in exchange for payment. Threat actors may also impersonate “security researchers” to gain access to sensitive information.
Given this risk, companies should:
- Implement or update bug bounty programs.
- Take all contacts from outside actors who claim to be security researchers seriously and treat these contacts as potential security incidents.
- Determine the internal team members and third-party resources needed to assess the validity of a security researcher’s findings.
- Proactively implement an effective security incident response program and perform regular security assessments.
- Regularly train employees on phishing, spear phishing, smishing and social engineering attacks to reduce the risk that a malicious actor can manipulate an employee into disclosing sensitive information or granting access to systems.
The authors would like to acknowledge the contribution of Lauren Hudon, 1L law student at Marquette University Law School and summer assistant at Foley & Lardner LLP.