DOJ Issues Guidance for Enforcing Computer Fraud and Abuse Act – By Mariam Baksh (Nextgov) / May 19, 2022
Nearly a decade after the death of open-access advocate Aaron Swartz, his legacy is still playing out in cybersecurity policy.
The Department of Justice has officially revised its policy regarding a controversial law in a bid to encourage more activity from security researchers—sometimes referred to as white-hat hackers—who can find cybersecurity bugs and alert authorities for remediation before adversaries get to them.
The law in question—the Computer Fraud and Abuse Act, or CFAA—gained notoriety within the vulnerability disclosure community following, among other cases, the department’s prosecution of Aaron Swartz. Swartz was a Harvard University research fellow who was fined $1 million and sentenced to 50 years in prison under the law for siphoning documents from JSTOR, a digital repository of academic journals. In 2013, after over a year of negotiating with federal prosecutors, Swartz—who at 26 was also credited with helping to create RSS feeds, co-founding Reddit and freely distributing millions of documents from the pay-walled Public Access to Court Electronic Records system—died of an apparent suicide.
The federal prosecutor who brought the charges was described as a villain in the press, and the case contributed significantly to what some have described as the chilling effect that overzealous application of the law has had on valuable security research. Hackers are thought to be reluctant to present bugs they’d found while gaining unauthorized access to federal systems.