New DOJ guidance on enforcing hacking laws carves out safe space for security research
Nearly a decade after the death of open-access advocate Aaron Schwartz, his legacy is still playing out in cybersecurity policy.
The Department of Justice has officially revised its policy regarding a controversial law in a bid to encourage more activity from security researchers—sometimes referred to as white-hat hackers—who can find cybersecurity bugs and alert authorities for remediation before adversaries get to them.
The law in question—the Computer Fraud and Abuse Act, or CFAA—gained notoriety within the vulnerability disclosure community following, among others’, the department’s prosecution of Aaron Schwartz. Schwarz was a Harvard University research fellow who was fined $1 million and sentenced to 50 years in prison under the law for siphoning documents from JSTOR, a digital repository of academic journals. In 2013, after over a year of negotiating with federal prosecutors, Schwartz—who at 26 was also credited with helping to create RSS feeds, co-founding Reddit and freely distributing millions of documents from the pay-walled Public Access to Court Electronic Records system—died of an apparent suicide.
The federal prosecutor who brought the charges was described as a villain in the press and the case contributed significantly to what some have described as a chilling effect that the overzealous application of the law has had on valuable security research. Hackers are thought to be reluctant to present bugs they’d found while gaining unauthorized access to federal systems.
In recent years, the government has made a concerted effort to engage the security research community, mandating authorized vulnerability disclosure programs at federal agencies, and in some cases proactively paying hackers through bug bounty programs, for example. But the CFAA remains a sticking point.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco in a press release on the guidance Thursday. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The full policy update Justice released also noted other ways the department plans to prioritize its resources in enforcing the CFAA.
“Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges,” the document reads. “The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer—such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”