Department of Justice Won’t Prosecute White Hat Security Researchers

The U.S. Department of Justice (DOJ) announced a new policy for charging cases under the Computer Fraud and Abuse Act (CFAA). The purpose appears to be to allow White Hat security researchers to continue doing what they do, without getting arrested for it.

From the DOJ press release:

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Deputy Attorney General Lisa O. Monaco said, “Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The DOJ policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. This includes: embellishing on an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a terms of service are not sufficient to warrant federal criminal charges.

In addition, the DOJ made it clear that “the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices to extort their owners, even if claimed as ‘research’, is not in good faith.”

Vice reported that the new policy addresses decades of uncertainty around the law and security research. According to Vice, the policy comes into effect immediately and all federal prosecutors who wish to charge cases under the CFAA are required to follow the policy.

TechCrunch reported: The Computer Fraud and Abuse Act, or CFAA, was enacted in 1986 and predates the modern internet. The federal law dictates what constitutes computer hacking – specifically “unauthorized” access to a computer system – at the federal level.

According to TechCrunch, CFAA has long been criticized for its outdated and vague language that does little to differentiate between good-faith researchers and malicious actors who set out to extort companies or individuals or otherwise cause harm.

I think the policy change made by the DOJ will help clarify what is considered to be beneficial (such as good-faith research) as compared to those who discover vulnerabilities in devices for the purpose of using to to extort the device’s owner. I’m hoping that the list of things that make courts and commentators confused should now be easier for them to understand.