The United States Department of Justice has announced that it would no longer charge ethical hackers under the controversial Computer Fraud and Abuse Act (CFAA).
Ethical hacking, the DoJ explains, represents the good-faith security research where a computer is accessed only for investigating, testing, or identifying vulnerabilities, with the purpose of improving security as a whole.
Good-faith security research “is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the updated policy reads.
The DoJ also makes it clear that the “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”
Per the updated policy, so-called security research whose goal is finding vulnerabilities in systems in order to extort their owners is not in good faith.
The updated policy also clarifies that the DoJ will no longer charge hypothetical CFAA violations, such as exceeding the authorized access granted by a term of service or contractual agreement with an internet service provider or a web service that is publicly accessible.
Employees will no longer be charged for using computers at work in ways that are prohibited by the employer’s policy (e.g. checking sports scores or paying bills). However, those who use multi-account computers and access other users’ accounts without authorizations will be indicted.
The updated policy, the DoJ says, is meant to focus resources on those cases where a computer – or specific parts of the computer, such as other people’s email addresses – is accessed without authorization.
Prosecutors, the DoJ says, will have to prove that a defendant knowingly accessed a computer or area of a computer to which they were not granted access, with the purpose of obtaining or tampering with information stored there, “and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.”
“As part of proving that the defendant acted knowingly or intentionally, the attorney for the government must be prepared to prove that the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct,” the DoJ says.
All prosecutors who wish to charge cases under CFAA will need to follow the new policy and must inform the Deputy Attorney General, the DoJ says. The department also advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges.
“Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Deputy Attorney General Lisa O. Monaco said.
The CFAA has widely been used by authorities to prosecute people accused of crimes involving computers. However, last year, the Supreme Court limited prosecutors’ ability to use the anti-hacking law to charge people with computer crimes after a police sergeant was sentenced to prison under the CFAA for using a work database to run a license plate search in exchange for money. The Supreme Court ruled that prosecutors had overreached in using the CFAA to charge him.