USA: Good-faith security research to remain exempt from prosecution
Good-faith IT security researchers should no longer face federal prosecution under the Computer Fraud and Abuse Act (CFAA) in the US. This is the result of a charging policy published last week by the US Department of Justice that federal prosecutors must follow when they want to bring charges under the law. It took effect immediately. The civil rights organisation Electronic Frontier Foundation (EFF) welcomed the new directive as an "important step", but called for a comprehensive reform of the law.
The law has existed since 1986 and prohibits access to "protected computers" without authorisation. The US Department of Justice has now announced that security research carried out solely for good-faith purposes should not be prosecuted. This covers cases in which people access a system in order to find or fix security flaws. The work must serve to promote the security of online services or other IT systems, and harm to individuals or the general public must be avoided.
The new directive is not a free pass for malicious behaviour. Simply claiming to conduct security research is not enough. Anyone who discovers a vulnerability and then uses it, for example, to extort a company still faces criminal prosecution.
Supreme Court ruling
At the same time, the directive clarifies that the Department will not bring CFAA charges in certain cases, for example when security researchers use a pseudonym on social networks even though the terms of use prohibit it. Likewise, a person who uses his or her work computer contrary to the employer's guidelines, for example to check sports scores, is not committing a violation of the law.
Last year, the Supreme Court had already ruled on the CFAA (Van Buren v. United States) that a violation of terms of use does not by itself constitute a violation of the CFAA. In the specific case, a person had, contrary to the terms of use, used data from a system to which he had authorised access.
The law, which dates back to the 1980s, has long been criticised. The EFF points, for example, to vague wording that gives prosecutors a great deal of discretion. The new directive is an important step towards recognising the contribution of security researchers. In the organisation's view, however, it is not sufficient to actually protect them against prosecution and "disproportionate prison sentences".
The EFF also criticises that the directive only applies if people act "solely" for good-faith purposes. This wording leaves open whether researchers can be prosecuted if they find a vulnerability and disclose it so that it can be fixed, but are also paid for doing so, as with a bug bounty.
The EFF further complains that the directive is not binding on courts and can be withdrawn at any time. In addition, the risk of civil lawsuits under the CFAA remains.
Prosecutions still possible
Some states have similar laws, some of which are even more far-reaching than the CFAA. This problem is not addressed by the US Department of Justice's policy. Last year, for example, journalists from a local newspaper in the US state of Missouri inspected the publicly accessible source code of the website of the Missouri Department of Education and found a security vulnerability. Attackers could have used it to access the Social Security numbers of about 100,000 teachers. The editors had informed the department before publishing their article. The Republican governor of Missouri, Mike Parson, then threatened the journalists with prosecution on the basis of a state law.
The EFF warns that the CFAA policy provides for exceptions under which charges can still be brought, for example when individuals are informed through a cease-and-desist letter that they are not authorised to access data. Companies such as LinkedIn and Facebook have already used the CFAA in this way in the past. The US Department of Justice's directive does not contain any concrete provisions to prevent this.
The EFF therefore calls for a “comprehensive reform of the CFAA” to further restrict the law. (js)