The Department of Justice has announced a revision of its policy on how federal prosecutors should charge violations of the Computer Fraud and Abuse Act (CFAA). In practice, this means the DOJ will no longer charge ethical hackers, also known as “good-faith” security researchers, under the CFAA.
The revised policy separates good-faith security research from malicious hacking, two categories that were previously divided by a blurred line. Under the new policy, activities such as software testing, investigation and analysis of security flaws, and accessing systems with the aim of improving the security and safety of the affected devices are not to be charged by federal prosecutors.
Lisa O. Monaco, the Deputy Attorney General, said that “Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Good-faith security research is defined in the policy as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
The new policy directs prosecutors to focus on cases where the defendant was either not authorized to access the computer at all, or was authorized to access it but deliberately went beyond those limits, for example by reaching into parts of a system or accounts belonging to other users that they had no right to access.
However, it does not give a blanket pass to hacking carried out under the pretense of security research. Federal prosecutors will still examine each case to determine whether the actor’s conduct and intentions actually fit the good-faith definition.
For example, if someone finds a critical vulnerability in a piece of software and then tries to extort the vendor into paying them in exchange for not disclosing it, that would still be treated as a CFAA violation and charged accordingly.
Similarly, publicly leaking data or selling it to others cannot be justified as research, even if the owner or hosting company was unresponsive, and will still be prosecuted. Researchers who stay within the good-faith definition, and do not engage in extortion or similar conduct, will not be charged under the CFAA.
A prominent example of a case that the article suggests might not have been prosecutable under this revised policy is that of Aaron Swartz, who violated JSTOR’s terms of service by downloading millions of academic articles from the JSTOR archive over MIT’s network.
Swartz was charged under the CFAA, including for “exceeding authorized access”, and took his own life while facing the prospect of a prison sentence.