Under pressure, DoJ finally reveals its CFAA prosecution guidelines


By: Violet Blue

Blink, and you missed it: This week the Justice Department quietly made public its guidelines for prosecutors as to when they should open investigations or press charges under the Computer Fraud and Abuse Act (CFAA).

The Computer Fraud and Abuse Act is a serious issue and source of terror for everyone in the cybersecurity industry, most especially pentesters and other ethical hackers testing systems for research purposes. This computer crime law is perhaps one of the most controversial, outdated, and hotly contested of its time (and it may also be one of the most abused). The CFAA is a broad anti-hacking statute that criminalizes unauthorized access; it is the same statute at issue in a recent ruling that puts acts like sharing passwords on your Netflix account into federal crime territory.

During his talk at Black Hat 2015, Leonard Bailey, special counsel for national security at the Department of Justice’s Computer Crime and Intellectual Property Section, claimed the US government had turned a corner with the CFAA. He implored attendees, saying the DoJ doesn’t want to discourage legitimate research and that the DoJ wanted to avoid what Bailey called “a chilling effect” that such prosecutions can have.

In his talk, Bailey insisted that the DoJ was committed to ensuring the law isn’t abused.

He told his Black Hat audience that when deciding whether to prosecute, federal attorneys are told to consider six factors: resulting harm; the victim(s); sensitivity of the data; harm to national security or public safety; larger criminal activity; and deterrence.

The Justice Department guide published this week is from 2014 (the DoJ prosecuted 194 CFAA cases in 2014, out of over 56,000 total CFAA cases filed). Unlike Bailey’s Black Hat assurances about turning over a new leaf in the CFAA’s us-versus-you history of making life a living hell for researchers, the 2014 guidelines were only disclosed recently as the result of a legal challenge to the CFAA brought in the U.S. District Court for the District of Columbia.

Assistant Attorney General Leslie R. Caldwell of the DoJ’s Criminal Division wrote, “In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act: the 2014 Intake and Charging Policy for Computer Crime Matters.”

The guidelines actually specify eight sets of criteria for pressing charges or opening investigations; two more than DoJ’s man Bailey told us about at Black Hat. These eight factors include:

* The sensitivity of the affected computer system or the information transmitted by or stored on it and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;

* The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations or other considerations having a broad or significant impact on national or economic interests;

* The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;

* The impact of the crime and prosecution on the victim or other third parties;

* Whether the criminal conduct is based upon exceeding authorized access consistent with several policy considerations, including whether the defendant knowingly violated restrictions on his authority to obtain or alter information stored on a computer, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it;

* The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or abuse of a position of trust or otherwise sensitive level of access; or because the conduct is particularly egregious or malicious;

* The nature of the impact that the criminal conduct has on a particular district or community; and

* Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.

Now we finally know their intake and charging policy for the CFAA. So why does it feel like we’re still in the dark ages? Probably because of the horrifyingly vague and highly subjective language used in the guidelines, which have been applied to cases all this time — making it impossible for researchers to know if what they’re doing is actually going to be considered a crime or not.

Psychologist Dr. Keely Kolmes thinks the CFAA situation is so bad that it’s arguably a mental health issue. Some of you may remember the CFAA as the law under which charges were brought against hacker and digital rights activist Aaron Swartz, charges which most believe were used unfairly and inappropriately to make an example out of the young man, who later took his own life.

But if these revelations on the CFAA aren’t the definition of ‘chilling effect’ on research and hacking, I don’t know what else is.

Violet Blue