The federal government uses the Computer Fraud and Abuse Act (CFAA) to prosecute various cases involving unauthorized access to all or parts of a computer, network, or system. The conduct charged under the law ranges from identifying vulnerabilities in a company’s system and disseminating information obtained (U.S. v. Andrew Auernheimer) to creating a code to access more materials than allowed by a site’s terms of service allows (U.S. v. Aaron Swartz).
The Department of Justice’s purpose in prosecuting these crimes and similar others is to ensure the safety of computer systems and information that may affect national security, critical infrastructure, public health and safety, and international relations.
Recently, the DOJ released a new policy to guide prosecutors in determining whether to pursue certain conduct under the CFAA. It noted that technology and the way crimes are being committed are constantly changing. The department must adapt to these changes to protect the nation against risks arising from Internet crimes but not trample on the rights of individuals or others when doing so. Therefore, the new policy was established to ensure consistency when prosecuting alleged offenses under the CFAA.
Good-Faith Research Will Not Be Charged
One of the most significant sections of the DOJ’s new policy concerns the prosecution (or non-prosecution) of good-faith research. The policy provides that if a person has accessed a computer system or network to test, investigate, or identify vulnerabilities for research purposes, that individual will not face charges under the CFAA.
However, the individual’s research must have been done to protect the public's safety and facilitate increasing the security of certain devices or systems. The department states that “good-faith research” will not be considered a valid defense when someone has engaged in certain actions in “bad faith.” In other words, the individual may still be charged with a crime if they accessed the system to find and take advantage of vulnerabilities.
Prosecuting Unauthorized or Exceeding Authorized Access
The new policy also clarifies when federal attorneys may prosecute alleged violations that constitute unauthorized access or exceeding authorized access.
Under the CFAA, unauthorized access to a computer or system occurs when a person knows that they do not have permission to gain control of any part of the device or network. However, even with this knowledge, they still access the computer or information on it. In this case, the attorney may prosecute the alleged offender.
The attorney may also pursue a case if a person exceeds their authorized access. Exceeding authorized access occurs when a computer system is separated into different sections (e.g., files or user accounts), and an individual is allowed to access only certain parts of the system. The person may face federal charges if they access any other section when they know they are not allowed to do so.
However, prosecution will not happen when a person is alleged to have exceeded authorized access by engaging in conduct like:
- Using a work computer for personal matters (unless the individual accesses another person’s account),
- Using a fake name on a site where the terms expressly forbid such,
- Lying about personal details on a dating site.
Although such conduct might violate the policies of the site or employer, the department will not consider authorization revoked because the user did not adhere to the contract. However, if the site or employer explicitly informs the user that they have been prohibited from accessing the system because they violated the contract, a federal attorney may pursue charges.
According to the new DOJ policy, a federal attorney may also prosecute an alleged CFAA violation when doing so would serve the department’s enforcement goals.
The policy provides the following factors that must be considered when an attorney is deciding whether to pursue charges:
- The individual accessed sensitive information that could harm others,
- The effect accessing the material would have on national and international interests,
- The connection of the offense to larger criminal conduct that jeopardizes the safety of others or national security,
- The impact of the crime on others,
- The likelihood that prosecution would deter future offenses,
- The impact of the offense on the community, and
- The possibility that another jurisdiction will pursue the matter.
Contact an Attorney About Your Case
The DOJ's new policy on prosecuting CFAA violations can have a range of implications on the handling of alleged computer crimes. If you have been charged with an offense, discuss your situation with a lawyer who can help you understand and protect your rights.
Schedule a consultation by calling us at (888) 694-4645 or contacting us online today.