Last week, the U.S. Department of Justice announced it would no longer prosecute hackers doing “good faith” cybersecurity research, like testing or investigating a system to help correct a security flaw or vulnerability.
It’s a change in how the DOJ enforces the 1986 Computer Fraud and Abuse Act following a ruling last year by the Supreme Court in Van Buren v. United States that limited the scope of the CFAA.
Riana Pfefferkorn is a research scholar at the Stanford Internet Observatory. She told Marketplace’s Kimberly Adams that this is part of an ongoing policy shift at the Justice Department. The following is an edited transcript of their conversation.
Riana Pfefferkorn: This is meant to be, I think, a clarification and an extension of a policy that had previously been in place that was another attempt by DOJ to dissuade prosecutors from bringing criminal charges in federal court against researchers. This also builds upon a recent decision by the Supreme Court in a case called United States versus Van Buren that was the court’s first interpretation of the CFAA, which provided some principles for narrowing the scope of what’s long been considered a frighteningly overbroad law.
Kimberly Adams: Why frighteningly overbroad?
Pfefferkorn: By the wording of the law itself, this has been a cudgel to be used against security researchers for a long time to inhibit people from doing the kinds of prosocial cybersecurity research that this policy is intended to clear the way for. In fact, we’d seen a case where several social science researchers had proactively sued the DOJ with respect to the research that they wanted to do into job discrimination and housing discrimination online through job search and housing websites, but that they were afraid to engage in this for fear of prosecution, because the terms of service for those sites prevented the kinds of methods they wanted to do, like making sock puppet accounts [with false identities] in order to make their postings. At the same time, I think it hasn’t been deterring the actual bad faith hackers from continuing to perpetrate attacks, such as the Colonial Pipeline attack.
Adams: Can you give some examples of sort of these good faith hacking attempts or internet research that federal officials used the CFAA to target in the past?
Pfefferkorn: We’ve seen a couple of recent examples where luckily, nothing was brought to an actual federal criminal indictment. But a few years ago, there were some college students at the University of Michigan who were probing a mobile-voting app as part of an election security course that they were doing. And the app maker referred them to the FBI, and they were under investigation for a while. We’re talking about a situation where students who are trying to work on ways to improve election security, which is a vital interest to the United States, were being referred to criminal authorities for potential prosecution.
Adams: Many companies ask hackers to come and look at their programs and look at their software using “bug bounty” programs. Can you explain how that works?
Pfefferkorn: So a bug bounty program allows security researchers to find and get paid for the vulnerabilities they report to a participating company. And the company that is offering the bug bounty agrees not to take legal action against the researcher for engaging in that activity.
Adams: Can you talk about how significant this change in policy is for the DOJ?
Pfefferkorn: I view this as being a great start. At the same time, after being burned for so long, I think their announcement has been met with a lot of skepticism. Importantly, it doesn’t extend to civil lawsuits under the CFAA. What’s more, this policy by the DOJ, because it’s only about federal law, doesn’t extend to state criminal charges. And a lot of states have little mini-CFAAs that are typically similar to the federal law, but this policy won’t impede state prosecutors from potentially bringing state charges either.
Adams: This update says that the federal government isn’t going to go after good faith hackers and researchers. How does the government determine what good faith hacking is?
Pfefferkorn: So the example that they give is, if you basically tried to extort a ransom from an entity that you have “done research on” in order to get paid off in return for keeping the vulnerability you found quiet, that would not be considered to be in good faith, even if you might try to frame it as research. But I think one of the things that has given pause to people within the security community is, OK, who gets to make that decision about whether our research is in good faith or not? How intrusive is it going to be into our lives for them to make that determination?
Adams: So why do you think the DOJ decided to do this now?
Pfefferkorn: One, I think the DOJ saw the Supreme Court’s decision in Van Buren and said, OK, this affects how we bring and prosecute cases because that was a criminal case. At the same time, I think also they have started to understand the situation that we’re in, where there is a dire need for better cybersecurity at all levels of government and in the private sector. And given the severe cybersecurity skills shortage and the large number of job openings in this field, we need all hands on deck. But it doesn’t do America any good to take well-meaning, competent people with a skill set that’s both valuable and scarce and threaten to put them in jail. So I view this as a multipronged approach to improving cybersecurity.
Related links: More insight from Kimberly Adams
We’re including a link to the case Pfefferkorn mentioned, in which students at the University of Michigan were investigated for testing the security of a voting app as part of a project in their election security class.
Scotusblog, which follows the Supreme Court, also has coverage of that Van Buren v. United States case that prompted the DOJ’s change in policy, in case you want to learn more about it.
But to sum up, in that 2021 case, a police officer had been convicted of violating the CFAA for accessing his department’s license plate database to run a check in exchange for a bribe. The Supreme Court overturned that conviction.
Pfefferkorn also mentioned bug bounties — contracts in which companies pay people to hack and identify weaknesses in their security systems.
But beyond these “bounties,” there are also hacking competitions in which people can win a lot of money for finding exploits.
Last week, hackers netted nearly $800,000 at a competition in Vancouver, Canada, for discovering vulnerabilities in systems like Mozilla’s Firefox browser, Microsoft Teams and the Windows 11 operating system — with the companies’ permission, of course.