In a win for cybersecurity research, the Justice Department says it will steer clear of prosecuting those who conduct "good-faith" security research that technically violates the US Computer Fraud and Abuse Act (CFAA).
The change involves revising policy guidelines on how federal prosecutors should tackle cyber crimes under the CFAA, which originally became law in 1986. “The policy for the first time directs that good-faith security research should not be charged,” the Justice Department says.
The revision tries to address ambiguities in the CFAA, which could in principle be used to prosecute a security researcher for uncovering a vulnerability in a computer system. That's because the law makes it a crime to intentionally access a computer without authorization or to exceed authorized access, and probing a system for flaws can fit that wording even when no harm is intended.
The policy revision from the Justice Department now states an attorney for the federal government “should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.”
It also explicitly defines good-faith security research as accessing a computer solely to test, investigate, or correct a security vulnerability, carried out in a way designed to avoid harm and with the goal of getting the flaw fixed. Research done in bad faith is treated differently: uncovering a vulnerability and then using it to extort the affected company, for example, remains a prosecutable offense.
“The department has never been interested in prosecuting good-faith computer security research as a crime,” says US Deputy Attorney General Lisa Monaco, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The cybersecurity community applauded the policy shift. "This CFAA guidance will hopefully improve the lives of people (like me) who fear retaliation for trying to do the right thing," tweeted Chris Vickery, a cybersecurity researcher who specializes in uncovering data breaches.
However, the guidelines are a charging policy for federal prosecutors, not a change to the statute itself, and they only cover federal prosecution. Bloomberg notes that companies could still bring civil CFAA claims against a security researcher, and state prosecutors could still pursue charges under state computer-crime laws.