The 1986 Computer Fraud and Abuse Act (CFAA) is a federal statute outlawing unauthorized access to computers and networks. Although designed to protect people, critics say the law is overly broad and leads to criminal charges for innocuous digital activities.

Jeff Stone of BNN Bloomberg reports that ambiguous language in the law has created potential criminal liability for cybersecurity researchers. These “white hat hackers” seek out software flaws and report them with the intention of fixing issues. But some say CFAA has led to prosecutions of researchers trying to do public-good research.

Now, the US Department of Justice is changing its policy around the anti-hacking law, addressing longstanding complaints from cybersecurity researchers that the law could criminalize good-faith efforts to improve technology.

One researcher caught in the broad CFAA net was Christian Sandvig, professor at University of Michigan School of Information. Sandvig planned to use fake online accounts to study whether social media services discriminated against users from different backgrounds. The tactic would have violated sites’ terms of service, a potential CFAA violation.

Sandvig and the American Civil Liberties Union suing the Justice Department to challenge the law. A district court ruled in Sandvig’s favor in 2020, a decision that factored into the new DOJ policy, Justice Department officials said.

Under a policy that goes into effect Thursday, the department is advising prosecutors to not use CFAA to pursue criminal penalties for security researchers who are trying to improve technology.

RELATED:

Read “US Narrows Scope of Anti-Hacking Law Long Hated by Critics,” on bnnbloomberg.ca.

Learn more about H. Marshall McLuhan Collegiate professor of Digital Media, and professor of Information, Communication and Media, Digital Studies Institute, and Art and Design, Christian Sandvig.

Read “Supreme Court ruling that limits hacking law supports UMSI researcher,” about Sandvig’s experience with the CFAA.