DOJ Pledges Not to Charge Security Researchers With Crimes

The Computer Fraud and Abuse Act (CFAA) has undergone a number of amendments over the last few decades, but a general sense of anxiety persists. Smartphone users worry that violating any sliver of an app's terms of service (ToS) could expose them to prosecution, while security researchers must investigate vulnerabilities with great caution for fear of tripping one of the CFAA's vaguely worded provisions. Even the Supreme Court, in Van Buren v. United States (2021), rejected the broadest reading of what it means to "exceed authorized access." Now the Department of Justice (DOJ) has attempted to assuage these concerns by issuing a revised charging policy meant to protect everyday internet users and researchers.

Announced late last week, the policy outlines a number of factors the DOJ will use going forward to decide whether to pursue a CFAA prosecution. Most of the factors relate to how likely the unauthorized access, or access that exceeds authorization, is to cause actual harm, particularly to "national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests." If that risk is low and the access doesn't appear to be tied to a larger criminal scheme, the DOJ is unlikely to prosecute. Prosecutors are also explicitly directed to decline charges when the access constitutes "good faith security research" into a security flaw or vulnerability. "Good faith" here means the researcher is testing, investigating, or correcting the flaw primarily to promote security and intends to report it rather than exploit it; those who use a vulnerability to extort, steal data, or cause damage aren't protected.

The DOJ's document illustrates its point with concrete examples of conduct it won't prosecute. Even if an employer issues an employee a computer for work use only, the DOJ won't treat it as a CFAA violation for the employee to use that computer to pay bills or look up sports scores. The agency won't come after those who create fictional accounts on hiring or housing websites, nor will it target those who use pseudonyms on social networks that prohibit them. And as The Verge pointed out, lying on Tinder is no longer something the DOJ will treat as a CFAA crime. That sounds like a joke to most, but the recent Tinder Swindler saga has shown that such deception can have real consequences, however rare or far-fetched those may be.

Few policy revisions are perfect, though. Look at the DOJ's fifth consideration, which says the agency may prosecute when it sees a need to deter others from engaging in similar access. That could cover almost anything, even if the policy says the factor is aimed at (but not limited to) "new" areas of criminal activity or novel access techniques. It is also worth remembering what the document is and isn't: it is internal charging guidance for federal prosecutors, not a change to the statute. It creates no enforceable rights, does not bind state prosecutors enforcing their own computer-crime laws, and does nothing to stop a company from suing a researcher under the CFAA's civil provisions. For researchers, the practical takeaways remain the same: get written authorization where possible, stay within the scope of any bug-bounty or testing agreement, avoid accessing or exfiltrating more data than needed to demonstrate a flaw, and report findings promptly. But overall, this revision should be a sigh of relief, even just for those of us who were looking forward to the next season of Catfish.
