DoJ Will No Longer Use CFAA to Charge Ethical Hackers

The United States Department of Justice has announced that it would no longer charge ethical hackers under the controversial Computer Fraud and Abuse Act (CFAA).

Ethical hacking, the DoJ explains, means good-faith security research: accessing a computer solely to investigate, test, or identify vulnerabilities, with the purpose of improving security as a whole.

Good-faith security research “is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the updated policy reads.

The DoJ also makes it clear that the “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

Per the updated policy, so-called security research whose goal is to find vulnerabilities in systems in order to extort their owners is not conducted in good faith.

The updated policy also clarifies that the DoJ will no longer charge hypothetical CFAA violations, such as exceeding the authorized access granted by a term of service or contractual agreement with an internet service provider or a web service that is publicly accessible.

Employees will no longer be charged for using computers at work in ways that are prohibited by the employer’s policy (e.g. checking sports scores or paying bills). However, those who use shared, multi-account computers and access other users’ accounts without authorization will still be indicted.

The updated policy, the DoJ says, is meant to focus resources on those cases where a computer – or specific parts of the computer, such as other people’s email addresses – is accessed without authorization.


Prosecutors, the DoJ says, will have to prove that a defendant knowingly accessed a computer or area of a computer to which they were not granted access, with the purpose of obtaining or tampering with information stored there, “and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.”

“As part of proving that the defendant acted knowingly or intentionally, the attorney for the government must be prepared to prove that the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct,” the DoJ says.

All prosecutors who wish to charge cases under CFAA will need to follow the new policy and must inform the Deputy Attorney General, the DoJ says. The department also advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges.

“Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Deputy Attorney General Lisa O. Monaco said.

The CFAA has been widely used by authorities to prosecute people accused of computer-related crimes. However, last year, the Supreme Court limited prosecutors’ ability to use the anti-hacking law to charge people with computer crimes, in a case where a police sergeant had been sentenced to prison under the CFAA for using a work database to run a license plate search in exchange for money. The Supreme Court ruled that prosecutors had overreached in using the CFAA to charge him.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
