May 26, 2022

DOJ's New CFAA Policy: Relief For White Hat Hackers And Web Scrapers?

In an effort to "promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems," the US Department of Justice (DOJ) recently announced an updated policy directing that good-faith security research not be charged under the federal Computer Fraud and Abuse Act (CFAA), provided that:

  • The activity involves accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability;
  • Such activity is carried out in a manner designed to avoid any harm to individuals or the public; and
  • The information derived from the activity is used primarily to promote the security or safety of the class of devices, machines or online services to which the accessed computer belongs, or those who use such devices, machines or online services.[1]

Security "research" for the purpose of discovering security holes in devices, machines or services in order to "extort" the owners of such devices, machines or services is not considered in good faith.

The new policy also provides further clarity on CFAA charging in the wake of the US Supreme Court's decision in Van Buren v. United States, 141 S. Ct. 1648 (2021). The DOJ has announced that it will not charge defendants with:

  • Accessing computers "without authorization" unless, at the time of the defendant's conduct, (1) the defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization; (2) the defendant knew of the facts that made the defendant's access without authorization; and (3) prosecution would serve the DOJ's goals for CFAA enforcement; and
  • "Exceeding authorized access" unless, at the time of the defendant's conduct, (1) a protected computer is divided into areas, such as files, folders, user accounts or databases; (2) that division is established in a computational sense, that is, through computer code or configuration, rather than through contracts, terms of service agreements or employee policies; (3) a defendant is authorized to access some areas, but unconditionally prohibited from accessing other areas of the computer; (4) the defendant accessed an area of the computer to which his authorized access did not extend; (5) the defendant knew of the facts that made his access unauthorized; and (6) prosecution would serve the DOJ's goals for CFAA enforcement.

The DOJ's new policy provides needed clarity to a dynamically evolving area of the law, but questions remain about the distinction between "extortion" and legitimate remuneration for discovered vulnerabilities, the boundaries of permissible offensive cybersecurity activities, and civil relief under the CFAA and state CFAA analogues, among other areas.
