DOJ changes to CFAA guidance are overhyped, lawyers say
There are not many things that Andrew Crocker, who has long fought against the Computer Fraud and Abuse Act (CFAA) as an attorney at the digital rights nonprofit Electronic Frontier Foundation, and Aaron Cooper, a former Department of Justice (DOJ) cybercrimes lawyer who prosecuted CFAA cases, would agree on.
But they agree that the CFAA reforms just announced by DOJ will have little substantive impact in terms of protecting so-called “good faith,” or ethical, security researchers and mainly generated good press for the DOJ on a topic it has long taken heat for.
When DOJ announced the new guidance updating the 1986 law last month, the news was met with nearly universal praise and no small amount of enthusiasm. “Huge news—well done, Team DOJ!” Cybersecurity and Infrastructure Security Agency Director Jen Easterly tweeted. Many security researchers praised the decision. Media coverage was glowing.
The new guidance updates the CFAA charging policy to explicitly discourage prosecuting good-faith security researchers. Now, Deputy Attorney General Lisa Monaco must sign off before federal prosecutors who seek to bring charges under CFAA can move forward.
The changes at DOJ follow an October 2020 Supreme Court ruling that found the CFAA could not be used to prosecute a Georgia police officer who was improperly paid to search a license plate database. Because the officer was authorized to use the database, the court held that he could not be prosecuted for misusing it.
Policy change as public relations move
Crocker and Cooper say the changes to CFAA are nowhere near substantive enough to merit the hoopla the announcement generated, particularly since good-faith researchers can still be criminally prosecuted at the state level and face civil lawsuits.
“The changes announced by DOJ on their policy … were intended to generate good PR for the Department of Justice — and I think they’ve been pretty successful in doing that,” Crocker said. “DOJ is getting more credit than it deserves because they’re really not providing a lot of protection for security research.”
Crocker said that since the policy can be waived by DOJ at any time and has no effect on civil cases or state prosecutions, “it’s a pretty small step forward.”
Despite DOJ’s announcement, he added, not much has been done to “eliminate a lot of the vagueness and uncertainty.”
A Department of Justice spokesperson declined to comment on the criticism and could not provide a tally of the total number of DOJ prosecutions of good-faith security researchers since CFAA became law.
Aaron Cooper, now a corporate lawyer at Jenner & Block, was a DOJ cybercrimes prosecutor for five years. Cooper said DOJ never prosecuted “good-faith” security researchers under the CFAA to begin with and said he doesn’t believe that the announcement meaningfully changes DOJ’s approach on that point.
“What has actually changed with the policy and then what are the consequences of that change?” Cooper asked. “This aligns with their pre-existing practice and putting it in writing certainly helps to provide some clarity and predictability in a tough area. At the same time, however, there are still gray areas in the way the language is written — especially the factors that DOJ will use to evaluate whether research is conducted in ‘good faith’ — which leave ambiguities in how it will ultimately be applied.”
Cooper also worried that open questions about how prosecutors will assess whether security researchers are acting in good faith could discourage system owners from reaching out to law enforcement.
“DOJ has been really strident in trying to get victims of cybercrimes to report,” Cooper said. “This maybe creates some mixed messaging on that, especially if system owners are unable to independently evaluate whether something is good faith or not and so are not sure whether to report.”
Conflating criminal charges with civil lawsuits
The Department of Justice has fielded complaints about CFAA from good-faith researchers for years, according to Leonard Bailey, the head of DOJ’s Cybersecurity Unit and a special counsel for national security. He said that in response to these complaints, a few years ago the DOJ began to review how often it had prosecuted such cases.
“One of the things we discovered was that we weren’t,” Bailey said in remarks made Monday at RSA, a security conference being held in San Francisco this week. “Over a decade, we count one instance of prosecuting a computer security researcher for employing computer security research.”
Bailey said he believes many researchers conflate criminal prosecutions with threats of being sued in civil court.
“It’s certainly common for individual actors to get a cease and desist letter from a private company that cites the CFAA and so that is often the source [of researchers fearing CFAA] rather than actual prosecution,” Bailey said.
Harley Geiger, Bailey’s co-panelist and a public policy director at a software firm, agreed, saying that CFAA has become a boogeyman of sorts and a “catch all for other laws, other hacking laws that are out there.”
Ambiguity about when CFAA can be applied hasn’t gone away
Cooper’s firm, Jenner & Block, recently published a brief for clients describing the nuance of the DOJ’s announcement. Co-written with other Jenner & Block lawyers, including David Bitkower, a former principal deputy assistant attorney general for the Justice Department’s criminal division, the brief suggests the policy change is not as significant as the press announcement suggested.
“Although the announcement regarding security research made a splash in the press, it is unclear to what degree the policy represents a change in how DOJ will approach cases,” the brief says. “It remains unclear where DOJ will draw the line in harder cases … The policy’s definition of ‘good faith’ leaves much to be determined.”
The brief notes that the new policy requires that a person act “solely for purposes of good faith” research, but it is unclear how strictly DOJ will interpret the word “solely.” Similarly, the brief notes, the policy requires that the activity be “carried out in a manner designed to avoid any harm,” but does not specify whether such harm would include, for instance, “viewing—and therefore violating the confidentiality of—sensitive personal information or intellectual property.” And the brief argues that the policy requires that information gathered be “used primarily to promote the security or safety” of the system without offering a standard for determining how that manifests.
“While extortion is clearly not in ‘good faith,’ there are likely a variety of instances in which the boundaries between good faith research and less noble goals are blurred, and application of the policy is ambiguous,” the brief says.
The new policy merely formalizes longstanding practice
Still, at least one former DOJ cyber prosecutor said the policy guidance change is welcome news. Sujit Raman, whose last position at DOJ after 12 years with the agency was as Associate Deputy Attorney General, said that because the Supreme Court narrowed CFAA in its 2020 decision, DOJ had to respond.
“This policy change is important because it just clarifies that the DOJ is only going to be pursuing cases that merit prosecution,” said Raman, who testified before the Senate in 2018 arguing for CFAA reform.
He said the policy guidance formalizes an existing practice but added that formality is important because it gives more security to good-faith researchers. For a long time, Raman said, senior DOJ officials would informally assure white hat hackers that they wouldn’t be prosecuted.
“It’s one thing when it’s just one guy at a conference or it’s kind of unofficial doctrine,” Raman said. “But for the department now to come out and put it in the US Attorneys Manual, now they call it the Justice Manual, that’s binding guidance on every federal prosecutor in the country so I do think that is significant.”
Tim Starks contributed to this story.