The US Justice Department has directed prosecutors not to charge “good-faith security researchers” with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.
Good-faith, according to the policy [PDF], means using a computer “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.”
Additionally, this activity must be “carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
The update also clarifies that finding flaws in devices or software and then using them to extort the owners “is not in good faith.”
Hopefully, the policy changes will make security researchers’ lives less stressful.
“Computer security research is a key driver of improved cybersecurity,” stated Deputy Attorney General Lisa Monaco. “The Department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The new policy clarifies how prosecutors should treat the CFAA’s prohibition on accessing a computer “without authorization,” language that security researchers and some lawmakers have long criticized because the statute never defines what the term means. Anyone charged with violating the law can face a lengthy prison sentence.
Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for…