The Department of Justice (DoJ) has revised its policies on enforcement of the Computer Fraud and Abuse Act (CFAA) which will help make sure that good-faith hackers are not breaking the law when they work to uncover vulnerabilities on government networks.
DoJ said in a press release that “the policy for the first time directs that good-faith security research should not be charged” under the law. The CFAA dates back to 1986, and prohibits accessing a computer without authorization, or in excess of authorization.
The agency’s policy change recognizes hackers as a possible resource to uncover vulnerabilities in government systems and networks, with Deputy Attorney General Lisa Monaco declaring that “computer security research is a key driver of improved cybersecurity.”
“Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public,” DoJ said when it announced the CFAA policy change.
“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” said Deputy Attorney General Lisa Monaco.
At the same time, DoJ said its policy change also “acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith.”
“The department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems,” the agency said.
DoJ also listed several other scenarios for which the government will not prosecute under the CFAA; these have less to do with hacking and more to do with innocuous, everyday computer use.
“Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges,” DoJ said.