A New HOPE (2022): "The CFAA Has Come a Long Way, or Has It?"
Friday, July 22, 2022: 7:00 pm (DAC 416ABC): On May 19th, for the first time in nearly a decade, the U.S. Department of Justice revised its guidelines for bringing charges under the Computer Fraud and Abuse Act (CFAA), instructing federal prosecutors to decline prosecutions if the conduct at issue involved "good faith security research." Under these new guidelines, accessing a computer "for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability," if carried out in a way designed to avoid harm to individuals and the public, would not be a criminal offense.
The CFAA has been on the books since 1986, enacted into law in direct response to the classic hacker flick WarGames. The U.S. Supreme Court and various lower courts have been continually shrinking its once-broad scope, and now DOJ itself has reconsidered the wisdom of its past practices.
This talk will explore the contours of this new policy and how it affects the hacker community, including topics such as:
- Is this change too little too late, especially since it was an expansive use of prosecutorial discretion that led to CFAA charges against Aaron Swartz in 2011 that tragically led to him taking his own life in 2013?
- What was the driving force behind this radical policy shift?
- What binding effects do these guidelines have on U.S. Attorneys' Offices?
- What counts as "good faith security research?"
- What does not count as "good faith security research?"