Justice Department pledges not to charge security researchers with hacking crimes

The US Department of Justice says it won’t subject “good-faith security research” to charges under anti-hacking laws, acknowledging long-standing concerns around the Computer Fraud and Abuse Act (CFAA). Prosecutors must also avoid charging people for simply violating a website’s terms of service — including minor rule-breaking like embellishing a dating profile — or using a work-related computer for personal tasks.

The new DOJ policy attempts to allay fears about the CFAA’s broad and ambiguous scope following a 2021 Supreme Court ruling that encouraged reading the law more narrowly. The ruling warned that government prosecutors’ earlier interpretation risked criminalizing a “breathtaking amount of commonplace computer activity,” laying out several hypothetical examples that the DOJ now promises it won’t prosecute. That change is paired with a safe harbor for researchers carrying out “good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The new rules take effect immediately, replacing old guidelines issued in 2014.

“The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” says a DOJ press release. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”

These guidelines reflect a newly limited interpretation of “exceeding authorized access” to a computer, a practice criminalized by the CFAA in 1986. As writer and law professor Orin Kerr explained in 2021, there’s been a decades-long conflict over whether people “exceed” their access by violating any rule laid down by a network or computer owner — or if they have to access explicitly off-limits systems and information. The former interpretation has led to cases like US v. Drew, where prosecutors charged a woman for creating a fake profile on Myspace. The Supreme Court leaned toward the latter version, and now, the DOJ theoretically does, too.

The policy doesn’t settle all criticisms of the CFAA, like its potential for disproportionately long prison sentences. It doesn’t make the underlying law any less vague since it only affects how prosecutors interpret it. The DOJ also warns that the security research exception isn’t a “free pass” for probing networks. Someone who found a bug and extorted the system’s owner using that knowledge, for instance, could be charged for performing that research in bad faith. Even with these limits, though, the rulemaking is a pledge to avoid slapping punitive anti-hacking charges on anyone who uses a computer system in a way its owner doesn’t like.

The US Department of Justice says it won’t subject “good-faith security research” to charges under anti-hacking laws, acknowledging long-standing concerns around the Computer Fraud and Abuse Act (CFAA). Prosecutors must also avoid charging people for simply violating a website’s terms of service — including minor rule-breaking like embellishing a dating profile — or using a work-related computer for personal tasks.

The new DOJ policy attempts to allay fears about the CFAA’s broad and ambiguous scope following a 2021 Supreme Court ruling that encouraged reading the law more narrowly. The ruling warned that government prosecutors’ earlier interpretation risked criminalizing a “breathtaking amount of commonplace computer activity,” laying out several hypothetical examples that the DOJ now promises it won’t prosecute. That change is paired with a safe harbor for researchers carrying out “good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The new rules take effect immediately, replacing old guidelines issued in 2014.

“The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” says a DOJ press release. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”

These guidelines reflect a newly limited interpretation of “exceeding authorized access” to a computer, a practice criminalized by the CFAA in 1986. As writer and law professor Orin Kerr explained in 2021, there’s been a decades-long conflict over whether people “exceed” their access by violating any rule laid down by a network or computer owner — or if they have to access explicitly off-limits systems and information. The former interpretation has led to cases like US v. Drew, where prosecutors charged a woman for creating a fake profile on Myspace. The Supreme Court leaned toward the latter version, and now, the DOJ theoretically does, too.

The policy doesn’t settle all criticisms of the CFAA, like its potential for disproportionately long prison sentences. It doesn’t make the underlying law any less vague since it only affects how prosecutors interpret it. The DOJ also warns that the security research exception isn’t a “free pass” for probing networks. Someone who found a bug and extorted the system’s owner using that knowledge, for instance, could be charged for performing that research in bad faith. Even with these limits, though, the rulemaking is a pledge to avoid slapping punitive anti-hacking charges on anyone who uses a computer system in a way its owner doesn’t like.