The United States Department of Justice Will no Longer Prosecute Ethical Hackers

The U.S. Department of Justice (DOJ) announced last week that it will not bring charges under federal hacking laws against security researchers and ethical hackers who act in good faith. This decision stems from a landmark 2021 ruling in which the Supreme Court ruled in favor of a police officer who faced one charge for accepting a kickback for accessing a database as a serving police officer, and another for violating the Computer Fraud and Abuse Act (CFAA).


The CFAA became law in 1986 and is widely criticized as outdated. The federal law dictates what constitutes computer hacking, specifically “unauthorized” access to a computer system, at the federal level. The language within the law regarding good-faith researchers and ethical hackers is vague and, until now, has left those actors vulnerable.


The policy now states that “good-faith security research should not be charged” under the CFAA. This is a 180-degree turn from the previous language.


The DOJ will focus on cases centered on bad-faith actors and intrusions and will not pursue those acting in what is determined to be good faith. Moving forward, the DOJ will not prosecute ethical hackers or security researchers who access a computer system solely for the purposes of good-faith testing, investigation, or correction of a security flaw.


They stated that acting in good faith means carrying out the activity “in a manner designed to avoid any harm to individuals or the public,” and where the information is “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use s ..
