Last week, the Justice Department announced a newly revised policy for when prosecutors should charge people under the Computer Fraud and Abuse Act, the decades-old, controversial anti-hacking law. Many of the fights around the CFAA have hinged on what is—and is not—illegal hacking: If a mother violates a website’s terms of service by creating a social media profile with a photo of someone else and a fake name, for instance, does that qualify? Or if a police officer searches a government license plate database for personal reasons, instead of work reasons, is that hacking? What about if a Major League Baseball team guesses a former employee’s password and uses it to download information about his new team? Or a college student tries to find bugs in a voting app as part of an election security course?
Each of these questions represents an actual time when law enforcement opened an investigation into alleged hacking—and in several of those cases the investigations led to criminal charges—because the definitions of illegal hacking in the act are pretty vague. They include accessing a computer without authorization or in a way that exceeds the user’s authorization. Over the years, courts have disagreed about what, exactly, it means just to access a computer, much less who gets to grant authorization for that access and how. Another big controversy surrounding the law has focused on the penalties for hacking charges—an issue that received particular attention around the case of Aaron Swartz, who downloaded millions of articles from the JSTOR database and faced possible penalties of up to 35 years in prison due to the resulting CFAA charges. Tragically, Swartz killed himself in January 2013, prior to his trial.
The more recent history of the CFAA has been slightly more hopeful, with some sensible, high-profile rulings restricting just how broadly the law can be interpreted and pushing for a much narrower, more technical understanding of what illegal hacking is. For instance, in 2021, in the case about the police officer who searched a license plate database, the Supreme Court ruled that the police officer hadn’t violated the CFAA because his workplace gave him access to the database and he therefore didn’t have to bypass any restrictions to access it. This year, in a civil case, the 9th Circuit ruled that it was legal to scrape publicly available information posted on websites.
These all seem like steps in the right direction for a law that can be—and has been—interpreted very broadly to apply to all sorts of unwanted behavior involving computers. And the new Justice Department policy, similarly, seems like incremental progress towards trying to restrict some of the most egregious misapplications of the CFAA. For instance, under the new policy, the Justice Department advises against charging people for creating fake online dating profiles or social media accounts in violation of terms of service agreements and states that they should not be charged for using their work computers to check sports scores or pay their bills. (The latter might hypothetically have been construed as exceeding authorized access if your employer had a policy that only authorized you to use your work computer for work purposes, for instance.)
But set aside for a moment how insane it is that it took this long for the Justice Department to clarify that it’s not a crime to check the Red Sox score on your work computer, regardless of what kind of acceptable use policy your employer made you click through at orientation. After all, while it’s good to have the government specify that that sort of behavior shouldn’t lead to criminal charges, it hasn’t actually been the grounds for a lot of recent CFAA criminal cases, and it’s hard to imagine that anyone has actually changed their behavior in any way for fear of such charges. The more interesting—and potentially more important—elements of the new charging policy are the ones that focus on security research and what it means to exceed authorized access.
The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
Bad faith security research, the policy notes, would include such activities as discovering vulnerabilities “in order to extort the owners of such devices, machines, or services.” There’s still a fair bit of ambiguity in what exactly it means to do research “in a manner designed to avoid any harm to individuals or the public” that is “used primarily to promote … security or safety.” But presumably it would cover most researchers who find vulnerabilities in hardware or software, don’t exploit them for their own gain, and instead report them promptly to the organizations for patching. Extortionists, obviously, would not qualify, and it’s not entirely clear how the policy might apply to, say, researchers who published their findings before giving manufacturers a chance to patch the vulnerabilities they found. Still, it’s definitely guidance that shifts the Justice Department in the right general direction, and if it also has the impact of encouraging security researchers to adhere to stricter codes of ethical conduct and reporting, it might shift the research community in the right general direction, too.
The other interesting piece of the new guidelines is how it clarifies what it means for someone to exceed their authorized access to a computer. Parts of the new policy seem to just be the Justice Department reiterating the 2021 Supreme Court ruling and translating it into guidance for prosecutors, but at one point in the guidelines the Justice Department actually seems to go a little further than the Supreme Court did in narrowing what exactly constitutes exceeding authorized access. In the Van Buren case, in which then-police officer Nathan Van Buren used his work access to look up license plates for other people for a fee, the Supreme Court said he hadn’t violated the CFAA because he was authorized to search that database as part of his job. But the court stopped short of saying that in order to commit an act of illegal hacking, people have to circumvent a technical, or code-based restriction. (In fact, the court said explicitly in a footnote that it did not need to decide whether violations of the CFAA must be technical in nature—confusingly, leaving open the possibility that violations of written contracts or policies might also constitute unauthorized access.) In the new guidelines, the Justice Department comes one step closer to saying that illegal hacking must be technical in nature, saying that what it means to exceed authorized access to a computer is “established in a computational sense, that is, through computer code or configuration, rather than through contracts, terms of service agreements, or employee policies.”
That’s a narrower and better interpretation of the CFAA but, like the Supreme Court, the Justice Department stops short of fully endorsing it. It doesn’t, for instance, apply that interpretation to what it means to access a computer without authorization (only to exceeding authorized access), and it even says later in the policy that cease and desist letters—which are decidedly not technical or computational—still suffice to revoke someone’s authorization to use a computer.
It’s worth pointing out that a new DOJ charging policy does not carry as much weight or go as far toward clarifying the law as a Supreme Court ruling or—even better—a revised CFAA passed by Congress could. The new policy merely offers guidance to prosecutors about how they should enforce the law and still leaves a fair bit to their discretion beyond the most extreme examples highlighted in the policy itself, like fake dating profiles and security researchers who extort the companies they research. But in the absence of a revised CFAA, it’s nice to see the Justice Department saying that it won’t be using the law to go after (most) security researchers and people who violate contracts, terms of service agreements, and employee policies.
So, in keeping with recent developments around the CFAA, the Justice Department’s new policy is a positive, long overdue step—a very incremental bit of progress in clarifying what illegal hacking is. But just because there’s still more work to be done clarifying and narrowing the CFAA doesn’t mean it’s not worth marking and celebrating each step along the way. At least we’re moving in the right direction.