DOJ Revises CFAA Charging Policy To Provide Clarity For Cybersecurity Research And Terms Of Use

Published date: 02 June 2022
Subject matter: Criminal Law, Technology, White Collar Crime, Anti-Corruption & Fraud, Security, Fin Tech
Law firm: Jenner & Block
Authors: David Bitkower, Aaron R. Cooper, Shoba Pillay and Ashwini Bharatkumar

On May 19, 2022, the Department of Justice (DOJ) issued revisions to its existing policy for charging offenses under the Computer Fraud and Abuse Act (CFAA) (the "2022 CFAA Policy"). [1] The revisions state that "good-faith" security research will not be charged as a criminal CFAA violation. Comments accompanying the revised policy statement also highlight the importance of technical barriers, in addition to contractual limits, to determinations of when access exceeds authorization. Although the announcement regarding security research made a splash in the press, it is unclear to what degree the policy represents a change in how DOJ will approach cases. Nor can security researchers rely on the guidance for concrete assurances against liability: the policy revision is an internal charging guideline, and it has no effect on civil CFAA liability or on state laws that provide for criminal or civil liability for unauthorized access to computer systems. The revision may also introduce uncertainty for system owners, who may be left wondering how the new policy will be applied, and how federal law enforcement will react to conduct viewed by some as good-faith research and by others as falling in a gray area. [2]

The Policy's Background

The 2022 CFAA Policy updates a 2014 policy that outlined the factors DOJ considered when charging CFAA violations. A recurring point of tension, both before and after the introduction of the 2014 policy, has been the theoretical applicability of the CFAA to legitimate work by computer security researchers, and more generally whether DOJ would prosecute violations of a website's terms of service or data use policies under the CFAA's "exceeds authorized access" prong.

Although DOJ does not have a regular practice of charging security researchers criminally (despite some controversial matters), to address concerns about security research-related liability, the 2014 charging policy required DOJ prosecutors to consult with its Computer Crime and Intellectual Property Section before initiating any charges under the "exceeds authorized access" prong of the CFAA, observing that "[c]ases under the CFAA are often complex, and analysis of whether a particular investigation or prosecution is warranted often requires a nuanced understanding of technology, the sensitivity of information involved, tools for lawful evidence gathering. . . ." [3] The 2014 policy outlined several factors to guide DOJ's assessment of whether such a prosecution should be initiated. A comment to the policy explained special factors that DOJ would consider in charging "exceeds authorized access" cases, including: "if the defendant exceeded authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or website, federal prosecution may not be warranted." [4]

Despite the policy, researchers continued to assert that DOJ's interpretation of the CFAA is overly broad and creates a chilling effect on their work. Most recently, in an amicus brief submitted to the Supreme Court in Van...
