DoJ makes long-anticipated changes to policy

DoJ has made landmark amendment to the CFAA Computer Fraud and Abuse Act

UPDATED The US Department of Justice (DoJ) has announced it will not prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.

In a statement published yesterday (May 19), the DoJ laid out changes to prosecution under the Computer Fraud and Abuse Act (CFAA) and how it might respond to potential violations.

The revised policy (PDF) directs that good-faith security researcher should not be charged, the first time such revisions have been made.

Read more of the latest news about security policy and legislation

According to the DoJ, “good faith security research” refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

This activity is deemed to be in “good faith” if it is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

DON’T MISS White House tackles security challenges faced by open source ecosystem during virtual summit

“Computer security research is a key driver of improved cybersecurity,” commented deputy attorney general Lisa Monaco.

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The DoJ stressed, however, that the changes do not equal a “free pass for those acting in bad faith”.

“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research’ is not in good faith,” the statement reads.

“The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.”

Changing times

The revisions also clarify that hypothetical CFAA violations are not sufficient to warrant a charge.

Examples of these situations include embellishing an online dating profile contrary to the terms of service of the dating website or using a pseudonym on a social networking site that prohibits them, the DoJ explained.

This article has been updated for clarification.

YOU MAY ALSO LIKE UK government to review country's aging Computer Misuse Act – official