The press release accompanying the new DOJ policy explicitly states that the new policy does not give a free pass to those who merely claim to be conducting security research but in actuality were acting in bad faith. Where there is some question as to whether specific conduct was in good faith, the new policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section.
There has been much discussion of the scope of the CFAA, which was first enacted in 1986. Some critics have raised concerns that “the law could potentially criminalize many of the everyday activities of computer users.” The DOJ’s May 2022 notice specifically addresses these concerns, noting that some of the hypothetical violations that have concerned some courts and commentators are not to be charged, such as “checking sports scores or paying bills at work” or “embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; or using a pseudonym on a social networking site that prohibits them. . . .”
The Supreme Court Provides Additional Guidance on Cybersecurity
The goal of the DOJ’s enforcement of the CFAA is to “promote privacy and cybersecurity.” The DOJ’s new policy comes after the Supreme Court decided Van Buren v. United States, in which the Court considered whether an individual who accesses a computer with authorization, but then obtains information from areas of that computer that are off limits to him, such as particular files, folders, or databases, “exceeds authorized access” in violation of the CFAA. The CFAA provides that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
This case arose from a former Georgia police sergeant’s use of a law enforcement database to look up a specific license plate number in exchange for money. Although the former sergeant used his own valid credentials to run the search, he violated a department policy against obtaining information from the database for non-law-enforcement purposes.
The former sergeant was charged with a felony violation of the CFAA on the theory that he had intentionally accessed “a computer without authorization” or in excess of “authorized access.” The Supreme Court reversed and remanded to the Eleventh Circuit, holding that an individual “exceeds authorized access” when he or she accesses a computer with authorization but obtains information located in specific areas of that computer that the individual is not authorized to access. Because the parties agreed that the former sergeant accessed the law enforcement database with authorization, the only question was whether he was permitted to use the system to retrieve license plate information, which both sides agreed he was. Accordingly, the Court found that he “did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.”
The Van Buren decision narrowed the scope of the CFAA and adopted a gates-up or gates-down approach: one either is or is not authorized to access a computer system, or a particular area within it, and that determination reinforces the cybersecurity concepts of authentication, authorization, and access control. In effect, the technical permissions configured on the system, rather than an employer’s stated rules about purpose, decide whether access to information “exceeds authorized access” for purposes of civil or criminal liability under the CFAA. For example, if an individual is not authorized to access a specific folder within a computer system, then accessing that folder exceeds the individual’s authorized access; if the individual is authorized to access it, a later misuse of what is found there is not a CFAA violation, though it may breach policy. The decision therefore places some of the onus on companies rather than individuals: a company that wants a restriction to count as a closed gate must decide which users should have access to sensitive information and enforce that decision with technical access controls, because a written policy that the system did not enforce did not protect the department in Van Buren.
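To make the gates-up/gates-down model concrete, here is an added Python example; it is not code from the article, the Court, or the DOJ. The principals, resource names, the open-case registry and the “hardened” check are all constructed for illustration. The first function decides purely on provisioned permissions, so a purpose restriction that lives only in a written policy never closes a gate; the second shows one way a company could turn that policy into a technical control so that the same misuse does trip a gate.

```python
"""Gates-up / gates-down access decisions, as a constructed illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool        # logged in with valid credentials (the outer gate)
    grants: FrozenSet[str]     # resources this account is technically provisioned for


@dataclass(frozen=True)
class AccessRequest:
    principal: Principal
    resource: str              # e.g. "plates/search", "hr/payroll"
    purpose: str               # free text; under the gates model this is NOT a gate
    case_id: Optional[str] = None   # hypothetical control used only by hardened_gate


def technical_gate(req: AccessRequest) -> str:
    """Decide solely on provisioned permissions, ignoring stated purpose.

    Returns one of:
      'without_authorization' - not authenticated at all (outer gate down)
      'exceeds_authorized'    - authenticated, but resource not granted (inner gate down)
      'authorized'            - both gates up; purpose plays no part
    """
    if not req.principal.authenticated:
        return "without_authorization"
    if req.resource not in req.principal.grants:
        return "exceeds_authorized"
    return "authorized"


# Constructed registry of open investigations; a real system would query a case system.
OPEN_CASES = frozenset({"C-2024-001"})


def hardened_gate(req: AccessRequest) -> str:
    """Same decision, but the purpose rule is now a technical control.

    Hypothetical hardening: a plate search must cite an open case id, so a lookup
    that has no law-enforcement basis is denied by the system rather than only
    forbidden by policy.
    """
    verdict = technical_gate(req)
    if verdict != "authorized":
        return verdict
    if req.resource == "plates/search" and req.case_id not in OPEN_CASES:
        return "exceeds_authorized"
    return "authorized"


if __name__ == "__main__":
    # Constructed principals loosely modelled on the facts discussed above.
    sergeant = Principal("sergeant", True, frozenset({"plates/search"}))
    outsider = Principal("outsider", False, frozenset())

    misuse = AccessRequest(sergeant, "plates/search", "lookup for a private buyer")
    off_limits = AccessRequest(sergeant, "hr/payroll", "curiosity")
    no_login = AccessRequest(outsider, "plates/search", "anything")
    legit = AccessRequest(sergeant, "plates/search", "investigation", case_id="C-2024-001")

    for label, req in [("misuse", misuse), ("off_limits", off_limits),
                       ("no_login", no_login), ("legit", legit)]:
        print(f"{label:11} permissions-only: {technical_gate(req):22} "
              f"with case-id control: {hardened_gate(req)}")
```

Under the permissions-only gate the improper-purpose plate search comes back `authorized`, exactly the situation the Court found was not a CFAA violation; the payroll folder and the unauthenticated request are denied because those gates are down. Under the hardened gate the same misuse is denied, because the restriction is now something the system enforces rather than something an employee is merely told.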
The DOJ’s May 2022 notice builds on Van Buren by further narrowing what the Department will charge under the CFAA. Security researchers who act in good faith, including those who probe a business’s computer system for vulnerabilities without having been invited to do so, now have a charging policy that directs federal prosecutors not to pursue them. Two caveats matter in practice. First, the notice is a charging policy, not an amendment to the statute: it does not bind courts, does not create a defense, and does not affect civil suits under the CFAA or charges under state computer-crime laws. Second, as noted above, it covers only good-faith research, so a tester who goes beyond what is needed to identify and report a vulnerability, or who acts for personal gain or to cause harm, can still be charged. For cyber insurers that want to require red teaming or penetration testing of potential insureds, or that want more control and direct reporting by sending in teams of their own, the safer footing remains explicit authorization: written consent in the coverage contract, specifying the systems in scope, the testing window, and the permitted techniques, makes the testing authorized access in the first place rather than something that depends on prosecutorial discretion. With Van Buren and the new policy together, companies and individuals have clearer guidelines to follow to ensure compliance with the CFAA.