Department of Justice Announces New Charging Policy under the Computer Fraud and Abuse Act
The Department of Justice today announced the revision of its policy on charging violations of the Computer Fraud and Abuse Act (CFAA).
The policy states for the first time that good faith security research should not be charged. Good faith security research means accessing a computer solely for the purpose of good faith testing, investigation, and/or correction of a security breach or vulnerability, when such activity is conducted in a manner that prevents harm to persons or the public, and where the information derived from the activity is used primarily to promote the safety or security of the class of devices, machines or online services to which the computer accessed belongs, or those who use such devices, machines or online services.
“Computer security research is a key driver for improving cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity to bona fide security researchers who eliminate vulnerabilities for the common good.”
However, the new policy recognizes that pretending to conduct security research is not a pass for those who act in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research”, is not bona fide. The policy advises prosecutors to consult with the Computer Crimes and Intellectual Property Section (CCIPS) of the Criminal Division on specific applications of this factor.
All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy and consult with CCIPS before bringing charges. Prosecutors must notify the Deputy Attorney General (DAG), and in some cases receive approval from the DAG, before charging a CFAA case if CCIPS advises against it.
The new policy replaces a previous policy issued in 2014 and is effective immediately.