June 1, 2022
Data Privacy and Cybersecurity
DOJ Revises CFAA Charging Policy to Provide Clarity
for Cybersecurity Research and Terms of Use
By: David Bitkower, Aaron R. Cooper, Shob a Pillay, and Ashwini Bharatkumar
On May 19, 2022, the Department o f Justice (DOJ) issued revisions to its existing policy fo r charging
offenses und er the Computer Fraud an d Abuse Act (CFAA) (20 22 CFAA Policy).[1] The revision s state
that “goo d-faith” secu rity research will not be charged as a criminal CFAA violation. Comments
accompanying the r evised policy statement a lso highlight the import ance of techn ical barriers—in
addition to co ntractual limits—to deter minations of when access exceeds autho rization. Although the
announcement r egarding se curity resear ch made a splash in th e press, it is un clear to what degree the
policy represe nts a change in how DOJ will approach cases. Nor can se curity resear chers rely on the
guidance for concrete a ssurances aga inst liability, because th e policy revision h as no effect on civil
CFAA liability or state laws that pr ovide for criminal or civil liability for unautho rized access to computer
systems. The revision may also introduce un certainty for system owners, who may be left wondering
how the new policy will be applied, and how federal la w enforcement will react to conduct viewed by
some as good-fa ith research and by other s as in a gra y area.[2]
The Policy’s Backgroun d
The 2022 CFAA Policy updates a 201 4 policy that ou tlined the facto rs DOJ considered when chargin g
CFAA violations. A point of t ension recur ring both be fore and a fter introd uction of the 2 014 policy has
been the t heoretical app licability of the CFAA to legitimate work by compute r security rese archers, an d
more generally whether DOJ would prosecute violations of a website’s terms of se rvice or data use
policies under the CFAA’s “exceeds author ized access” prong.
Although DOJ does not ha ve a regular practice of ch arging secur ity researche rs criminally (despite
some controversial matter s), to addr ess concerns about security research-r elated liability, the 2014
charging po licy required DOJ prosecu tors to consu lt with its Computer Crime and Intellectual Propert y
Section before initiating any char ges under the “exceeds autho rized access” prong of the CFAA,
observing th at “[c]ases un der the CF AA are often complex, and analysis of whether a particular
investigation or prosecution is warranted often r equires a n uanced und erstanding o f technology, th e
sensitivity of information involved, tools for lawful evidence gather ing. . . .”[3] The 2014 policy ou tlined
several factor s to guide DOJ’s assessment of whether su ch a prosecu tion should be initiated. A
comment to the policy explained specia l factors that DOJ would consider in ch arging “e xceeds
authorized access” ca ses, including: “if the defenda nt exceeded autho rized access solely by violating
an access rest riction contained in a contract ual agreement or term of service with an Internet service
provider o r website, federal pr osecution may not be warranted.”[4]
Despite the po licy, researcher s continued to assert that DOJ’s interpretation of t he CFAA is overly
broad an d creates a ch illing effect on th eir work. Most recently, in an amicus brief submitted to the
Supreme Court in Van Bur en v. United States, cyberse curity resear chers argu ed that, und er an
interpreta tion of the CF AA that would prohibit accessing a computer for a n unauthor ized purpose (in
that case, a police officer acce ssing a license plate database to sell non-public inf ormation), “stan dard
security resea rch practices—su ch as accessing pu blicly available data in a manner bene ficial to the
public yet pro hibited by the o wner of the data—ca n be highly risky.” [5] Thus, the ar gument went, “the
government’s relian ce on this bro ad interpr etation of th e statute cond itions security improvements on
