DoJ Will No Longer Use CFAA to Charge Ethical Hackers

The United States Department of Justice has announced that it would no longer charge ethical hackers under the controversial Computer Fraud and Abuse Act (CFAA).

Ethical hacking, the DoJ explains, means good-faith security research: accessing a computer solely to investigate, test, or identify vulnerabilities, with the purpose of improving security as a whole.

Good-faith security research “is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the updated policy reads.

The DoJ also makes it clear that the “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

Per the updated policy, so-called security research whose goal is to find vulnerabilities in systems in order to extort their owners is not conducted in good faith.

The updated policy also clarifies that the DoJ will no longer charge hypothetical CFAA violations, such as exceeding the authorized access granted by a term of service or contractual agreement with an internet service provider or a web service that is publicly accessible.

Employees will no longer be charged for using work computers in ways prohibited by their employer’s policy (e.g. checking sports scores or paying bills). However, those who use multi-account computers and access other users’ accounts without authorization will still be indicted.

The updated policy, the DoJ says, is meant to focus resources on those cases where a computer – or specific parts of the computer, such as other people’s email addresses – is accessed without authorization.

Prosecutors, the DoJ says, will have to prove that a defendant knowingly accessed a computer or area of a computer to which they were not granted access, with the purpose of obtaining or tampering with information stored there, “and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.”

“As part of proving that the defendant acted knowingly or intentionally, the attorney for the government must be prepared to prove that the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct,” the DoJ says.

All prosecutors who wish to charge cases under the CFAA will need to follow the new policy and must inform the Deputy Attorney General, the DoJ says. The department also advises prosecutors to consult the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges.

“Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Deputy Attorney General Lisa O. Monaco said.

The CFAA has been widely used by authorities to prosecute people accused of computer-related crimes. However, last year the Supreme Court limited prosecutors’ ability to use the anti-hacking law in a case involving a police sergeant who had been sentenced to prison under the CFAA for using a work database to run a license plate search in exchange for money. The Supreme Court ruled that prosecutors had overreached in using the CFAA to charge him.

Related: US Offers $10 Million Reward for Russian Intelligence Officers Behind NotPetya Cyberattacks

Related: Google Takes Action Against Glupteba Botnet and Its Russian Operators

Related: Voatz Under Fire From Infosec Community Over Its Views on Security Research

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
