In a big win for computer scientists and other online researchers, the U.S. Department of Justice recently updated its official charging memo—an internal document used to determine whether federal prosecutors should pursue criminal charges—for computer-fraud cases.
The updated memo includes a carve-out for researchers who create dummy accounts on social-media platforms in order to study the platforms’ proprietary algorithms for evidence of bias, discrimination or breaches in security. Among those researchers? Alan Mislove and Christo Wilson, two faculty members in Northeastern’s Khoury College of Computer Sciences, who were part of a lawsuit that aimed to make such a change to the federal statutes.
“This is a big step in the right direction for online research,” says Mislove, professor of computer science and associate dean for academic affairs in the Khoury College, “but the problem still isn’t completely solved.”
The updated memo includes new guidelines for potential violations of the Computer Fraud and Abuse Act, or CFAA. For the first time, it directs that people who violate a company’s terms of service in good faith for security research should not be charged with a crime.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement released when the change was announced. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
For Mislove and Wilson, the change represents the end of a long legal battle—and the beginning of a new challenge.
Both researchers were plaintiffs in a 2016 case brought by the American Civil Liberties Union that contended that parts of the CFAA were unconstitutional because they chilled important research. In particular for Mislove and Wilson, the threat of criminal liability hovered over their critical research into housing, credit, and job-related discrimination on social media sites. They won in federal district court for Washington, D.C.
Separately, the researchers filed an amicus brief in a 2020 Supreme Court case, Van Buren v. United States, that also challenged the constitutionality of the CFAA. In a 6-3 decision last June, the high court narrowed the scope of the federal computer fraud law. The latest update to the Justice Department’s charging memo brings it in line with the Supreme Court’s decision.
According to the new guidance, “embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”
The references to hiring, housing, and rental exceptions are “a veiled reference to our lawsuit” with the ACLU, says Wilson, associate professor of computer science at Northeastern and director of the bachelor’s degree program in cybersecurity in the Khoury College.
While the updated memo is a step toward better protections for online researchers, there is still work to be done, Wilson and Mislove say.
“We’ve made a lot of progress between this and Van Buren, but there’s still a lot of risk” involved in probing tech companies’ black-box algorithms, Mislove says. And the new DOJ guidance applies only to criminal charges, not civil suits, which are less clear-cut, he adds.
Full protections for researchers will require wholesale changes to existing computer-fraud and hacking laws, Wilson says.
“We can nibble at the edges of these laws by changing guidance, but really we’d have to go back and fundamentally reform them if we wanted to clear a path for this kind of work,” he says.