DOJ announces that it will not prosecute good-faith hackers Under CFAA

The Supreme Court took a first look at the CFAA last year. It also subsequently limited its scope to eliminate a whole class of scenarios, such as violating a web service privacy policy, checking sports results on a work computer, and scraping publicly available web pages. Federal prosecutors could have brought criminal charges.

The Justice Department has ruled out federal prosecutions for these types of situations, even though it was a year after the court ruling. Instead, the Justice Department will focus on cases in which malicious actors intentionally hack into computers.

This policy shift is not a legislative fix. It could change, just like the Justice Department did today. It does not protect good-faith hackers or anyone else who is accused of hacking, from state computer hacking statutes.

U.S. Deputy Attorney General Lisa O. Monaco stated that the department had never been interested in prosecuting good faith computer security research as a criminal. Today’s announcement promotes cybersecurity and provides clarity for good-faith security researchers who seek out vulnerabilities for our common good.

Some critics might not agree with that claim following Aaron Swartz’s suicide. Swartz was charged under the CFAA with downloading 4.8 Million articles and documents from JSTOR, an academic subscription service. JSTOR declined to investigate the case but federal prosecutors brought him under criminal investigation for theft.

Since Swartz’s passing, activists and legislators have pushed for “Aaron’s Law,” which reforms and codifies changes to the CFAA in order to better protect hackers of good faith.