I'm pleased to announce that my latest law journal article has just been published in the new issue of the Richmond Journal of Law and Technology: "Shooting the Messenger: Remediation of Disclosed Vulnerabilities as CFAA 'Loss.'" The article reviews post-Van Buren Computer Fraud and Abuse Act cases to determine whether lower courts have followed the Van Buren Court's dicta that "loss" under the CFAA should be limited to "technological harms," and finds that courts have only done so if their existing precedent already construed "loss" narrowly.
The article discusses how the CFAA has been used to chill and punish beneficial cybersecurity research and vulnerability disclosure, and how Van Buren has not totally dispelled the threat the law poses to researchers. As an alternative to proposals to create a safe harbor carve-out for cybersecurity research, I instead suggest amending the CFAA to make it more difficult for plaintiffs to sue researchers and deter them from doing so. I suggest two amendments: exclude vulnerability remediation costs alone from counting towards the $5,000 "loss" threshold required for standing to sue, and allow courts to shift fees to the plaintiff if the plaintiff cannot meet the revised bar. As I explain, this approach would preclude and dissuade retaliatory litigation against researchers while preserving a remedy where well-intended security research does cause harm, and it would not let bad-faith actors escape accountability for their malicious acts.
Protecting good-faith security research from legal liability is essential to improving cybersecurity. For too long, the CFAA has scared off the helpers without deterring the attackers, because it treats the former the same as the latter. But Good Samaritans aren't the same as burglars - and the law ought to recognize the difference.