DOJ Announces Non-Prosecution of Cyber Researchers and Pen Testers
On May 19, 2022, the Department of Justice (DOJ) announced a change in its policy for prosecution of violators of the Computer Fraud and Abuse Act (CFAA). Under the new policy, good-faith researchers, pen testers, or bounty hunters will not be prosecuted. The announcement is a welcome clarification for researchers and computer security pen testers.
Until now, the DOJ has remained silent on the application of the CFAA to researchers, testers, and investigators. Often such individuals have been reluctant to share their findings, or information captured from the Dark Web, with the public, with investigators, or in published works. The concern has been that sharing such information only provides evidence of their possession of that information or of the vulnerabilities involved.
A secondary concern has been that researchers and/or computer security professionals are indirectly supporting hacking behavior by collecting and using information captured from hacking victims.
The DOJ, in announcing the change in policy, has stated that “[c]omputer security research is a key driver of improved cybersecurity.” To that end, the policy is intended to foster innovation and testing of current digital platforms and to encourage cybersecurity.
The new policy is also intended to answer critics who have long complained that the CFAA can be used to criminalize conduct that should not be criminalized. This type of conduct includes:
Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service…
These are actions which have technically been a violation of the CFAA, but in practice have never been charged. In stating that such actions may never be charged, the DOJ is also acknowledging the recent Supreme Court decision in Van Buren v. United States[1]. In Van Buren, the court opined that the CFAA was never intended to criminalize agreements between private parties, such as employment agreements, which are designed to set appropriate boundaries for the workplace, not to establish standards for criminal behavior.
Finally, the DOJ reiterated that acting in bad faith will not be tolerated under the new policy and such activity cannot be shielded from prosecution under the guise of research. Future charges in such cases will need to be approved by, and in consultation with, the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS).
[1] 141 S. Ct. 1648