The U.S. Department of Justice (DOJ) won’t prosecute good-faith hacking or security research, the agency said on Thursday. This applies to individuals who may have violated the Computer Fraud and Abuse Act (CFAA) while acting in “good faith.”
The previous DOJ policy on ethical hacking or good-faith security research was quite broad
The broadness of the CFAA has previously come under scrutiny from numerous organizations. Non-profit digital rights group Electronic Frontier Foundation (EFF) has been vocal about the old regulations.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement (via Motherboard). “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Previously, the CFAA posed legal risks to researchers who probed systems in order to expose vulnerabilities. The policy change effectively means researchers will no longer face charges for such practices.
“We’re pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure,” Andrew Crocker, senior staff attorney at EFF, told Motherboard.
Crocker believes that the new policy change should do more. “By exempting research conducted ‘solely’ in ‘good faith,’ the policy calls into question work that serves both security goals and other motives, such as a researcher’s desire to be compensated or recognized for their contribution,” he said.
While good-faith research will no longer attract scrutiny, the DOJ provided a scenario where individuals could continue to face charges. “Discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith,” the agency said.
The new policy applies only to federal prosecutors, and it won’t restrict state-level agencies from filing charges against researchers. But as noted, it could provide more clarity and context to courts during future ethical hacking cases.
The Department of Justice set up a team to look into crypto crimes last year
In October 2021, the DOJ instituted a team of investigators known as the National Cryptocurrency Enforcement Team (NCET) to explore crypto crimes. The NCET looks into money laundering and other financial crimes facilitated by virtual currency exchanges. This team will also look into ransomware extortion cases.