The Department of Justice is not targeting security researchers under the Computer Fraud and Abuse Act (CFAA), but certain activities will raise red flags for government investigators, Leonard Bailey, Special Counsel for National Security in the department’s Computer Crime & Intellectual Property Section, told an audience at Black Hat USA 2015 in Las Vegas Wednesday.
In fact, of the 56,218 cases the Justice Department filed in 2014, only a tiny fraction, 194, involved computer fraud -and the department can’t quantify how many researchers have been prosecuted.
Bailey explained that pinging a network is not a problem nor is port scanning unless it’s on a scale that indicates a distributed denial-of-service (DDoS) attack. “Other vulnerability scanning is up in the air,” Bailey said, noting that they could strengthen their position by having a website in place that explains the kind of work they’re doing and why.
The department is mindful, too, of the consequences of coming down too hard, or even at all, on researchers. “One flogging in the public affair can have a chilling effect,” he said.
Bailey also noted that steady progress had been made toward more reasonable and consistent prosecution of CFAA violations and bringing consistency to sentencing. “In the last year, we’ve tried to implement policies so that we have more consistency” when it comes to prosecution under the CFAA, he noted.
Calling the case of 24-year-old Harvard researcher and internet activist Aaron Swartz – whose suicide spawned the creation of “Aaron’s Law,” a proposed overhaul of the CFAA, which privacy rights advocates have long argued has been misused by overzealous prosecutors – a true tragedy, Bailey said the world was a little less bright without the young security researcher in it.