The US Department of Justice has revised its enforcement policy for a controversial anti-hacking law, granting a much-needed legal reprieve to security professionals who break into digital systems to help rather than harm.
The Computer Fraud and Abuse Act (CFAA) was originally enacted in 1986 and was designed to punish hacking crimes. However, since it was developed in the early days of the Internet, it has often been criticized for its overly broad legal language, which critics say does not distinguish between hacking cases involving “black hat” cybercriminals and ethical hackers or “white hats”. Even though the CFAA has been amended multiple times, critics have feared the law’s broad mandate could allow innocent cyber professionals to become embroiled in draconian legal cases.
In a press release issued Thursday, the Justice Department tried to make it clear that it doesn’t want to go after the good guys. An amendment to the DOJ’s CFAA Enforcement Policy “now directs that good faith safety research should not be prosecuted,” the press release said.
Hypothetically, based on the current reading of the law, lawsuits could have been brought against security professionals who practice legitimate digital intrusion – including researchers, penetration testers and “white hat” hackers who wanted to uncover software bugs. The DOJ’s policy revision removes this possibility.
“Computer security research is a key driver of improved cybersecurity,” said Assistant Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement advances cybersecurity by providing clarity to good faith security researchers rooting out vulnerabilities for the greater good.”
The newly refined policy now seeks to focus the Justice Department’s time and energy on cases where an individual “either didn’t have permission to access a computer at all, or had permission to access part of a computer — such as other users’ emails,” the announcement explained. Federal prosecutors wishing to prosecute cases through the CFAA must refer to the newly revised policy.
However, the Justice Department also notes that this latest change is not a “free pass for those acting in bad faith.” So if you hack into a computer and try to blackmail the owner, only to turn around and pretend you’re “researching,” you’re probably out of luck, script kiddies.