DOJ Pledges Not to Charge Security Researchers With Crimes

The act has undergone a number of amendments over the last few decades, but a general sense of anxiety persists. Smartphone users worry that violating any sliver of an app’s terms of service (ToS) could subject them to hefty fines, while cybersecurity researchers must investigate vulnerabilities with great caution for fear of breaking one of the CFAA’s poorly worded rules. Even the Supreme Court has pushed the Department of Justice (DOJ) to narrow the CFAA’s scope. Now the DOJ has attempted to assuage these concerns by issuing a revised policy meant to protect everyday internet users and researchers.

Announced late last week, the policy outlines a number of factors the DOJ will use going forward to determine whether to pursue prosecution. Most of the factors relate to how likely the unauthorized or unconstrained access is to cause actual harm, particularly to “national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests.” If that risk is low and the access doesn’t appear to be related to a larger criminal threat, the DOJ is unlikely to prosecute. The DOJ is also explicitly advised to decline prosecution if the access is related to “good faith security research” of a security flaw or vulnerability. Of course, “good faith” means the researcher intends to report or fix the vulnerability; those hoping to exploit the security flaw aren’t protected here.

The DOJ’s document illustrates its point with real-life examples of acts it won’t prosecute. Even if a person’s employer issues them an employee computer for work use only, the DOJ won’t consider it a violation for the employee to use that computer to pay bills or look up sports scores. The agency won’t come after those who create fictional accounts on hiring or housing websites, nor will it target those who use pseudonyms on social networks that prohibit it. And as The Verge pointed out, lying on Tinder can no longer be considered a crime under the CFAA—while that sounds like a joke to most, the recent Tinder Swindler craze has shown us it has real effects, however rare or far-fetched those may be.

Few policy revisions are perfect, though; look to the DOJ’s fifth consideration, which states the agency may prosecute if it feels the need to deter others from conducting similar access. This could mean anything, even if the policy revision says this factor includes (but is not limited to) “new” areas of criminal activity or access techniques. But overall, this revision should come as a relief—even just for those of us who were looking forward to the next season of Catfish.
