Justice Dept. says ‘good faith researchers’ no longer will face hacking charges

The U.S. Justice Department on Thursday said it would not use the country’s long-standing anti-hacking law to prosecute researchers who are trying to identify security flaws, a move that provides both protection and further validation for a craft still villainized by many officials, companies and the general public.

In a news release and five-page policy statement issued to federal prosecutors, top Justice officials said local U.S. attorneys should not bring charges when “good faith” researchers exceed “authorized access,” a vague phrase from the 1986 Computer Fraud and Abuse Act (CFAA) that has been interpreted to cover such routine practices as automated downloads of Web content.

Subscribe to The Post Most newsletter for the most important and interesting stories from The Washington Post.

The guidance defines good faith to mean research aimed primarily at improving the safety of sites, programs or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure or exploitation of a security flaw.

Companies can still sue those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidance when their laws are similar.

Well-intentioned hackers in the past were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.

In 2019, a mobile voting company, Voatz, referred to the FBI a Michigan college student who was researching its app for a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed their customers about it.

In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.

The Justice Department did…