On May 19, 2022, the U.S. Department of Justice (DOJ) revised its policy regarding charging decisions under the Computer Fraud and Abuse Act (CFAA). The new policy makes clear, "for the first time," that the DOJ "should decline prosecution" of "good faith" security research, even if said research involves a technical violation of the CFAA.1 The new policy also limits prosecutions based on terms of service (TOS) or other boilerplate contractual violations, in recognition of the U.S. Supreme Court's decision in Van Buren v. United States, 593 U.S. __ (2021).
DOJ's Policy Against Charging "Good Faith" Security Researchers
The CFAA prohibits obtaining information through "unauthorized access" to computers, as well as obtaining information by "exceeding authorized access" to computers.2
The security community has long been concerned that the CFAA could be interpreted to prohibit many forms of legitimate research, such as research designed to identify security vulnerabilities in internet-facing computer networks.3 The concern is not hypothetical. The law has been cited in civil suits against security researchers—and, in one case in 2000, the DOJ filed charges against an individual who discovered a vulnerability in an email system and reported it to the email provider. The DOJ's criminal charges were later dropped, but only after the defendant appealed.
The new policy, which declares that "good faith" security research should not be prosecuted, is a significant step that should provide some comfort to researchers who have feared prosecution. However, it does not provide any concrete legal protections. First, because it only applies to conduct that is "solely" for the purpose of "good-faith" research, federal prosecutors appear to retain discretion to prosecute research which they perceive as involving "ulterior" or "mixed motives." Second, because revisions only impact DOJ policy (and not any statute or regulation), future administrations will have authority to unilaterally reverse course. Third, although the policy revision has no direct impact on civil cases, it arguably increases the likelihood of civil exposure, because it highlights the DOJ's view that the CFAA technically applies to research activities.
Common TOS Violations Do Not Amount to CFAA Violations, but Cease-and-Desist Letters Might Impact the Analysis
Historically, courts have wrestled with whether the prohibition against "exceeding authorized access" could apply to common violations of website TOS or other boilerplate agreements. The DOJ's policy update recognizes that, after Van Buren, such violations are insufficient to support a charge. For example, the policy recognizes that use of a "pseudonym on a social networking site that prohibits them" does not automatically amount to a CFAA violation.
However, under the new policy, a TOS violation following an unambiguous cease-and-desist letter might be sufficient to trigger CFAA liability. The policy expressly permits charges against defendants who continue accessing a computer (or website) after receiving and understanding "unambiguous written cease and desist communications."
Finally, even without a cease-and-desist letter, the revised policy permits charges against defendants who access particular computers (or files) in violation of "contracts, agreements, or policies that entirely prohibit" them from accessing said computers (or files). The policy characterizes this as a "narrow exception" to the general policy against prosecutions based on contractual violations, but it remains to be seen how the DOJ will apply the policy in practice.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and cybersecurity issues, including assisting numerous clients with claims under the CFAA. For more information on the CFAA or legal limitations of cybersecurity research, please contact Beth George, Demian Ahn, Megan Kayo, or Nick Contarino.
[1] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act.
[2] The CFAA uses the term “protected computers,” which is defined to include, among other things, any computer “which is used in or affecting interstate or foreign commerce or communication.” This definition has been interpreted broadly, to include nearly any internet-connected computer.
[3]A number of organizations described these concerns through amicus briefs to the Supreme Court. See, e.g., Van Buren v. United States, Brief Amicus Curiae of Technology Companies at 11 (July 8, 2020). (“[W]hat companies think is ordinary testing behavior may well look like malicious hacking to a prosecutor unversed in computer security.”). The DOJ has previously recognized the concern as well. See, e.g., Department of Justice, Report of the Attorney General’s Cyber Digital Task Force 110 (2018).