The Department of Justice recently announced a revision of its policy concerning charging violations of the Computer Fraud and Abuse Act (the “CFAA”). Following recent decisions from the Supreme Court and appellate courts that seemingly narrow the scope of civil liability under the CFAA, the DOJ’s new policy may likewise limit criminal prosecutions under the law.

As regular readers of this blog are well aware, the CFAA provides that “[w]hoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished” by fine or imprisonment. The DOJ’s announced policy, however, now directs that “good-faith security research” should not be charged. “Good-faith security research” means “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The new policy highlights the DOJ’s goal to promote privacy and cybersecurity by upholding the legal rights of individuals and network owners to ensure confidentiality and availability of information stored in their information systems. Thus, the DOJ will consider several factors in determining whether CFAA prosecution should be pursued, including

  1. the sensitivity of the affected computer system and harm associated with unauthorized access;
  2. concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations, or other considerations having broad impact on national economic interests;
  3. if the activity was in furtherance of a larger criminal endeavor or posed risk of bodily harm or a threat to national security;
  4. the impact of the crime and prosecution on third parties;
  5. the deterrent value of an investigation or prosecution;
  6. the nature of the impact the conduct has on a particular community;
  7. whether another jurisdiction is likely to prosecute the criminal conduct effectively; and
  8. whether the defendant’s conduct consisted of good-faith security research.

Consistent with a recent decision from the Ninth Circuit holding that scraping information from public LinkedIn accounts did not amount to a violation of the CFAA, the DOJ will not prosecute if the defendant’s authorization to access a particular file was conditioned by a contract or agreement, nor will a prosecution be brought if a defendant exceeds authorized access solely by violating an access restriction contained in a contractual agreement or term of service with an Internet service provider or web service available to the general public. Prosecution may, however, be brought against a defendant who accesses a multi-user web service, is authorized to access only his own account on that service, but instead accesses someone else’s account.