Following a Supreme Court rule in 2021 that supported reading the legislation more narrowly, the new DOJ guideline tries to ease concerns about the CFAA’s vast and confusing application. The court warned that the government’s former view risked criminalizing a “breathtaking quantity of routine computer activity,” outlining five hypothetical cases that the DOJ now says it will not prosecute. This modification is accompanied by a “good-faith testing, investigation, and/or rectification of a security defect or vulnerability” safe harbor for researchers. The new standards go into effect right away, replacing prior ones from 2014.
