Department of Justice Announces New Policy for Charging Cases Under the Computer Fraud and Abuse Act | OPA

Today, the Department of Justice announced the revision of its policy on charging Computer Fraud and Abuse Act (CFAA) violations.

The policy directs for the first time that bona fide security research should not be charged. Bona fide security research means accessing a computer solely for the purposes of testing, investigating and/or correcting a security flaw or vulnerability in good faith, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to enhance the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

“Computer security research is a major driver for improving cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never cared about prosecuting bona fide computer security research as a crime, and today’s announcement advances cybersecurity by providing clarity to well-intentioned security researchers who root out security holes for the greater good.”

The new policy explicitly states the long-standing practice that “the department’s objectives for CFAA enforcement are to enhance privacy and cyber security by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.” Accordingly, the policy makes clear that hypothetical CFAA violations that have concerned some courts and commentators will not be charged. Embellishing an online dating profile in violation of the dating site’s terms of service; creating fictional accounts on employment, housing or rental sites; using a pseudonym on a social media site that prohibits them; checking sports results at work; paying bills at work; or violating an access restriction contained in the terms of service is not by itself sufficient to justify federal criminal charges. The policy focuses the department’s resources on cases in which a defendant is either not at all authorized to access a computer or is authorized to access a single part of a computer—such as a single email account—and, although aware of this limitation, accessed a part of the computer to which that authorized access did not extend, such as other users’ emails.

However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those who act in bad faith. For example, discovering vulnerabilities in devices in order to blackmail their owners, even if it is claimed as “research”, is not in good faith. The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.

All federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy and consult with CCIPS before filing any charges. Prosecutors must inform the Deputy Attorney General (DAG), and in some cases obtain consent from the DAG, before charging a CFAA case if CCIPS recommends against it.

The new policy replaces an earlier policy issued in 2014, and takes effect immediately.
