DOJ Pledges Not to Charge Security Researchers With Crimes
The Computer Fraud and Abuse Act (CFAA) has undergone a number of amendments over the last few decades, but a general sense of anxiety persists. Smartphone users worry that violating any sliver of an app’s terms of service (ToS) could subject them to hefty fines, while cybersecurity researchers must investigate vulnerabilities with great caution for fear of breaking one of the CFAA’s poorly worded rules. Even the Supreme Court has pushed the Department of Justice (DOJ) to narrow the CFAA’s scope. Now the DOJ has attempted to assuage these concerns by issuing a revised policy meant to protect everyday internet users and researchers.
Announced late last week, the policy outlines a number of factors the DOJ will use going forward to determine whether to pursue prosecution. Most of the factors relate to how likely the unauthorized or unconstrained access is to cause actual harm, particularly to “national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having a broad or significant impact on national or economic interests.” If that risk is low and the access doesn’t appear to be related to a larger criminal threat, the DOJ is unlikely to prosecute. The DOJ is also explicitly advised to decline prosecution if the access is related to “good faith security research” of a security flaw or vulnerability. Of course, “good faith” means the researcher intends to report or fix the vulnerability; those hoping to exploit the security flaw aren’t protected here.
The DOJ’s document illustrates its point with real-life examples of acts it won’t prosecute. Even if a person’s employer issues them an employee computer for work use only, the DOJ won’t consider it a violation for the employee to use that computer to pay bills or look up sports scores. The agency won’t come after those who create fictional accounts on hiring or housing websites, nor will it target those who use pseudonyms on social networks that prohibit them. And as The Verge pointed out, lying on Tinder can no longer be considered a crime under the CFAA—while that sounds like a joke to most, the recent Tinder Swindler craze has shown us it has real effects, however rare or far-fetched those may be.
Few policy revisions are perfect, though; look to the DOJ’s fifth consideration, which states the agency may prosecute if it feels the need to deter others from conducting similar access. This could mean anything, even if the policy revision says this factor includes (but is not limited to) “new” areas of criminal activity or access techniques. But overall, this revision should prompt a sigh of relief—even just for those of us who were looking forward to the next season of Catfish.