CFAA Safe Harbor

Resolution

The Computer Fraud and Abuse Act (CFAA) should provide “safe harbor” from prosecution to security researchers who attempt to discover and exploit computing software and systems, even if they violate a company’s terms of service.

The debate will be “Oxford Style” and follow this format.

Resources

Here are some resources and questions to help guide and nuance the debate:

Questions

1. How should we define “security researcher” vs. malicious hacker? Who qualifies for safe harbor?
2. What role should disclosure play? Should researchers be required to follow responsible disclosure practices?
3. How do we balance security research benefits against potential harm from vulnerability discovery?
4. Should the intent of the researcher matter in determining prosecution?
5. What are the implications of treating Terms of Service violations as criminal acts?
6. How does safe harbor affect companies’ incentives to maintain secure systems?

Readings

• Computer Fraud and Abuse Act (CFAA) - EFF Overview
• The CFAA and Security Research
• Van Buren v. United States (2021)
• Aaron’s Law and CFAA Reform
• Bug Bounty Programs and Legal Safe Harbor