RSAC, Threat Management, Threat Management

The (still) unanswered questions around the CFAA and ‘good faith’ security research

U.S. Attorney General Merrick Garland, center, announces a resolution of a foreign-bribery investigation during a news conference. The past year has brought a number of court-imposed and policy changes to the nation’s premier hacking law, the Computer Fraud and Abuse Act (CFAA). (Photo by Chip Somodevilla/Getty Images)

The federal government has further work to do defining what constitutes "good faith" security research when applying the Computer Fraud and Abuse Act. But in the meantime, security researchers should "take the W" and embrace recent victories, a Justice official said Monday.

A Supreme Court opinion issued last year, Van Buren vs. United States, significantly narrowed the scope of the CFAA’s application to incidents where an individual accessed a computer “in excess of authorization.” More recently, the department formalized a policy that officials say it has long followed informally: not charging hackers who conduct “good faith” security under the CFAA.

Both of those changes signal that after years of ambiguity, the legal system is coming around to the idea that third-party researchers scrutinizing products and systems are a vital part of the United States’ cybersecurity ecosystem.

“DoJ takes computer security research quite seriously — we do value it,” said Leonard Bailey, head of the cybersecurity unit and special counsel for national security in the Computer Crime and Intellectual property section at DoJ. “We believe that cybersecurity is complicated enough to not take certain players off the playing field when they’re helping.”

Click here for all the coverage coming out of RSAC.

Despite this sentiment, the CFAA remains one of the most feared laws in the cybersecurity community, one that some security researchers say still creates a chilling effect around their work. That view initially caused confusion within DoJ because in responding to those concerns, the department went back to look at the last decade of cases it has prosecuted and found only one in which the CFAA was used against a security researcher for doing computer security research.

“We took a look at our practices to figure out where we might be — for example, going after security researchers — and one of the things we discovered was that we weren’t,” he said.

However, further discussions with the information security community caused Bailey to realize ethical hackers did, in fact, have a legitimate beef with being pursued under the CFAA, just not by the federal government.

That’s because in addition to allowing for the criminal prosecution of hackers who violate the law, the CFAA also allows private individuals and organizations to bring legal action against those same researchers. Until recently, businesses could legally bring a claim for trivial or absurd violations of their terms of service, such as creating fictional accounts on their website or posting under a pseudonym on a social networking site.

Circuit courts around the country have interpreted those laws differently, with most either reining in the way the CFAA defines “in excess of authorization” or endorsing it. But the end result is a series of split decisions that only add to the confusion and the sense that “the exact scope of your liability was really determined by where your courthouse was,” said Haley Geiger, senior director for public policy at Rapid7.

A welcome but "insufficient" change to the Computer Fraud and Abuse Act

After DoJ announced its policy, Andrew Crocker, an attorney with the digital rights non-profit Electronic Frontier Foundation said that it was a welcome move but insufficient to meaningfully reduce the burdens on security researchers because it “does nothing to lessen the risk of frivolous or over-broad CFAA civil litigation against security researchers, journalists, and innovators.”

It’s also just a policy change, meaning DoJ under a future administration could opt to change course rescind the charging guidance, or even interpret the CFAA in a harsher light. Crocker and others have called for a legislative update to the law through Congress, saying it is the only way to ensure that security researchers can do their work.

When asked to respond, Bailey told SC Media that it was “a fair concern” and one that he has been discussing with security researchers since at least 2014. It’s true, he said, that another administration could opt to change course or interpret the CFAA differently, but he urged the information security community to “take the W” in this case and embrace the fact that DoJ agrees with them in principle about the validity of good faith security research, even if there remains some ambiguity about how exactly to define and apply that definition.

While DoJ tied its definition of “good faith” to existing legal statutes, the department believes the cybersecurity community is in many ways more capable than the government of establishing “a common understanding” of what that means in practice, through further dialogue with the government and through industry adopted standards.

“There have been concerns about how we actually will apply this sort of policy, and one of the things that we’ve been saying to the community is: why don’t you help us help you?” said Bailey. “That is to say, to the extent that there is an effort to kind of figure out what good security research is, you’re in a better position to define the norms and practices and the behaviors that should constitute that.”  

In terms of legislation, Bailey said the department had been asked by the Hill for input on further defining the term, but noted that it is surprisingly hard to develop language that can both exempt legitimate security research and not create a loophole for bad-faith actors.

Geiger warned that kicking a years-long dialogue between DoJ and the information security community around what constitutes good-faith research to Congress could actually backfire.

“I agree [the criticism] is fair, but I think that the community also needs to ask whether or not that same result — that same policy change — would be achieved with Congress got involved, and that is definitely not a given,” he said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.