The Department of Justice recently announced a revision of its policy concerning charging violations of the
Computer Fraud and Abuse Act (the “CFAA”). Following
recent decisions from the Supreme Court and appellate courts that seemingly narrow the
scope of civil liability under the CFAA, the DOJ’s new policy
may likewise limit criminal prosecutions under the law.
As regular readers of this blog are well aware, the CFAA
provides that “[w]hoever … intentionally accesses a computer
without authorization or exceeds authorized access, and thereby
obtains … information from any protected computer … shall be
punished” by fine or imprisonment. The DOJ’s
announced policy, however, now directs that “good-faith
security research” should not be charged. “Good faith
security research” means “accessing a computer solely for
purposes of good-faith testing, investigation, and/or correction of
a security flaw or vulnerability, where such activity is carried
out in a manner designed to avoid any harm to individuals or the
public, and where the information derived from the activity is used
primarily to promote the security or safety of the class of
devices, machines, or online services to which the accessed
computer belongs, or those who use such devices, machines, or
online services.”
The new policy highlights the DOJ’s goal to promote privacy
and cybersecurity by upholding the legal rights of individuals and
network owners to ensure confidentiality and availability of
information stored in their information systems. Thus, the DOJ will
consider several factors in determining whether CFAA prosecution
should be pursued, including:
- the sensitivity of the affected computer system and harm
associated with unauthorized access;
- concerns pertaining to national security, critical
infrastructure, public health and safety, market integrity,
international relations, or other considerations having broad
impact on national economic interests;
- if the activity was in furtherance of a larger criminal
endeavor or posed risk of bodily harm or a threat to national
security;
- the impact of the crime and prosecution on third parties;
- the deterrent value of an investigation or prosecution;
- the nature of the impact on a particular community;
- whether another jurisdiction is likely to prosecute the
criminal conduct effectively; and
- whether the defendant’s conduct consisted of good-faith security
research.
Consistent with a recent decision from the Ninth Circuit that
scraping information from public LinkedIn accounts did not amount
to a violation of the CFAA, the DOJ will not prosecute if the
defendant’s authorization to access a particular file was
conditioned by a contract or agreement, nor will a prosecution be
brought if a defendant exceeds authorized access solely by
violating an access restriction contained in a contractual
agreement or term of service with an Internet service provider or
web service available to the general public. Prosecution may,
however, be brought against a defendant who accesses a multi-user
web service, and is authorized to access only his own account on
that service, but instead accesses someone else’s account.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.