White-hat hackers are going to breathe a little easier tonight. The U.S. Department of Justice has announced new policy revisions to its charging guidance under the Computer Fraud and Abuse Act (CFAA), saying “that good-faith security research should not be charged.”
This means security researchers (aka hackers) who breach networks or find exploits in software and hardware will not be considered for federal prosecution so long as they were acting in good faith to promote the security and safety of the “target devices and services.”
Here’s how the DOJ defines good-faith security research:
“Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
There are exceptions to this policy. For example, a hacker who uses information gained from their exploits to extort a company or a user of a compromised device can be prosecuted. Leaking or selling data acquired through an illegal breach of networks is also a violation of the Computer Fraud and Abuse Act.
“The department has never been interested in prosecuting good-faith computer security research as a crime. Today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” said Deputy Attorney General Lisa O. Monaco.
Companies like Microsoft, Oracle, and even Valve offer bug bounties where they pay hackers to break into their software to help beef up security. In fact, there’s a big hacking event going on where they’ve turned bug hunting into a competitive sport for big cash prizes.
All federal prosecutors charging cases under the CFAA must follow the new policy. The DOJ also explained that some commonly frowned-upon online activities, like embellishing a dating profile, checking sports scores at work, or making burner accounts, don’t warrant criminal charges. Phew.