Security News
The US Justice Department has directed prosecutors not to charge "Good-faith security researchers" with violating the Computer Fraud and Abuse Act if their reasons for hacking are ethical - things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing. "The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."
The U.S. Department of Justice announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act, which says that, among other things, good-faith security researchers will no longer be charged and prosecuted. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, which were previously distinguished by a blurred line that frequently placed ethical security research in a problematic, gray legal area. Under these new policies, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be prosecuted by federal prosecutors.
In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the "Exceeds authorized access" language was too broad. Justice Barrett said the clause was effectively making criminals of most US citizens who ever used a work resource to perform unauthorized actions, such as updating a dating profile, checking sports scores, or paying bills at work.
Today, the US Supreme Court restricted the scope of the federal Computer Fraud and Abuse Act after overturning the conviction of a Georgia police officer who searched a police database for money. The CFAA is a cybersecurity bill created in 1986 that prohibits unauthorized access to computer systems and networks or acts that "Exceeds authorized access." Due to the vague nature of the bill, the CFAA can be broadly interpreted to allow harmless actions such as violating a website's terms of service or violating corporate policies by using work devices to access personal accounts on social sites.
Some companies have argued that narrowing the scope of the CFAA would not be damaging to security programs if companies are already contracting security services, including crowdsourced programs like bug bounty. One company received pushback from the information security community when it accused MIT security researchers of acting in "Bad faith" by identifying vulnerabilities in its mobile app.
Abstract: Adversarial Machine Learning is booming with ML researchers increasingly targeting commercial ML systems such as those used in Facebook, Tesla, Microsoft, IBM, Google to demonstrate vulnerabilities. In this paper, we ask, "What are the potential legal risks to adversarial ML researchers when they attack ML systems?" Studying or testing the security of any operational system potentially runs afoul the Computer Fraud and Abuse Act, the primary United States federal statute that creates liability for hacking.
The particular case under review concerns former police sergeant Nathan Van Buren who was convicted in 2017 under the CFAA for running a computer search for a license plate number. Lawyers and legal minds have been fighting over the question of authorized and unauthorized use under the CFAA ever since it was enacted back in 1986.
