DOJ announces that it will not prosecute good-faith hackers under CFAA
The U.S. Justice Department announced on Thursday that it would not file charges under federal hacking laws against hackers and security researchers who act in good faith.
This policy, which is the first to be implemented under the Computer Fraud and Abuse Act, directs that “good-faith security research should never be charged.” It marks a significant departure from the previous policy, which allowed federal prosecutors to charge hackers who found security flaws in order to help secure vulnerable or exposed systems.
According to the Justice Department, good-faith investigators are those who “use the information primarily to protect the safety of the computer or users of such devices, machines or online services to which it belongs” or “in a way that avoids harm to individuals or to the public.”
The Computer Fraud and Abuse Act (CFAA) was enacted into law in 1986 and predates the modern internet.
The federal law defines what constitutes computer hacking, specifically “unauthorized” access to a computer system. The CFAA has long been criticized for its outdated and vague language, which does not distinguish hackers and good-faith researchers from malicious actors who extort individuals or companies.