Good News, Bad News for Security Researchers: Feds Are Less Likely to Charge You, States Are Another Thing

A talk at a security conference in Washington offered a little long-awaited reassurance to security researchers: Federal prosecutors just aren’t that into you anymore. 

In a talk at ShmooCon Friday evening, Venable LLP cybersecurity lawyer Harley Geiger told attendees that two laws long considered harmful by information-security types have grown less toxic because of recent actions in Washington.

“The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act have evolved in favor of hackers,” he said at the start of his “Hacker Law for Hackers” presentation. 

The CFAA, passed in 1986 after growing alarm over the risks of hacks (catalyzed to some degree by the 1983 classic WarGames), criminalizes access to a computer system “without authorization” or that “exceeds authorized access.” The DMCA, enacted in 1998 at the behest of Hollywood, makes it a crime to disable security measures that control access to copyrighted material. Both measures have been used to threaten and harass security researchers.

But in 2021, the Supreme Court held (PDF) that the CFAA does not cover unauthorized use of “information that is otherwise available” to a person. That essentially took terms-of-service violations out of the law’s scope. As Geiger put it, “that may be a violation of a contract, but it is not a federal hacking crime.”

In May 2022, the Justice Department went further, announcing that it would no longer prosecute good-faith security research under the CFAA. “That is a big deal,” Geiger said. 

He sounded a little less cheery about the DMCA and its Section 1201 ban on circumventing copyright-protection systems. Change has come to that statute mainly through the Library of Congress’s Copyright Office, which can grant and renew public-interest exceptions to the anti-circumvention provision every three years.

In 2021, the office renewed and expanded a “1201” exemption on breaking copyright protection for security research. It still, however, prohibits distributing those circumvention tools, which Geiger called an…