New Justice Department guidelines promise not to prosecute security researchers under...

Cal Jeffrey

Posts: 3,491   +1,040
Staff member
Facepalm: Fear not. The Justice Department will not hunt you down for finding a security vulnerability or making a fake Facebook profile. It has decided to take the advice of the SCOTUS and not make federal cases out of violations of company or website policy. Under new DoJ rules, misusing a computer system you have authorized access to is not prosecutable.

The US Department of Justice (DoJ or Justice Department) issued a press release Thursday clarifying the crimes falling under the Computer Fraud and Abuse Act (CFAA). The law was passed in 1984 and updated in 1986. However, the language of the legislation is so broad that people doing security research (something that barely even existed at the time) or using their company's computer for personal reasons could be committing a federal crime.

Under the CFAA, anyone attempting to access files, computers, systems, or even websites owned by someone else could face charges, even if they have authorization to use the system. However, the Justice Department says it will not pursue "good-faith security research," which is still vague but better than the original language.

The policy change follows a US Supreme Court (SCOTUS) ruling in June of last year that whittled down the scope of the law. The case involved a police officer who accessed and sold license plate information obtained from his squad car's computer. He was convicted and sentenced to 18 months in prison.

An appeal to the Eleventh Circuit upheld the conviction, but the SCOTUS overturned it in a 6-3 ruling last year. The justices' opinions came down to the law's wording, which forbids "exceeding authorized access." The high court believes that exceeding authorized access is overly broad and should not cover those misusing a system they have legal permissions to use. The court said it criminalizes a "breathtaking amount" of everyday computer use.

The Supreme Court gave several examples in its opinion demonstrating how the letter of the law could stray from the spirit of the law. Taking heed of these hypothetical situations, the DoJ formally issued policy changes to ensure it would not overextend the purpose of the 36-year-old legislation.

"Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged," said the Department. "Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges."

Instead, the policy will focus on instances where the defendant is not authorized to access a system at all or breaches a forbidden part of an otherwise authorized system. For example, a user can access and even misuse his work email, but not a coworker's. The misuse of his email might violate company policies, but it does not violate the CFAA under this new interpretation.


 

Cal Jeffrey

Posts: 3,491   +1,040
Staff member
I think the main thing with the SCOTUS ruling is that people were being prosecuted under the law for breaking corporate policies even when there could have been other laws applied to the crime. I mean, I'm no lawyer, but that's kinda how the opinion read to me.
 

VitalyT

Posts: 6,220   +6,751
We also need a law to punish cops who constantly violate it.

So far they just get away with it, every time.
 

bviktor

Posts: 841   +1,260
Sounds all well and good until someone that discovers the hole decides to take a little advantage of it before they report it ...... that could get dicey .....
If you take "a little advantage", why would you report it? You'd be reporting yourself in a nutshell so you must be an *diot to do that.
 

ZedRM

Posts: 1,000   +711
Sounds all well and good until someone that discovers the hole decides to take a little advantage of it before they report it ...... that could get dicey .....
That would be unethical and would constitute a crime. So of course there should be no exception for such a thing.
 

BuckarooBonzai

Posts: 97   +65
There is so much more to this than what is written. Government can use this law to benefit them, to have contractors do work for them that the U.S. Constitution prohibits Government from doing. People question the contractors, Government says National Security, case closed.