
Hard News Hard Hitting News Source Global Political News


Revisions to US Computer Fraud and Abuse Act will not prosecute ‘good-faith’ security research

The US Department of Justice (DoJ) has announced it will not prosecute security researchers who act in “good faith” under a landmark revision to its computer crime laws.

In a statement published yesterday (May 19), the DoJ laid out changes to the Computer Fraud and Abuse Act (CFAA) and how it might respond to potential violations of the law.

The revised policy (PDF) directs that good-faith security research should not be charged, the first time such revisions have been made.

According to the DoJ, “good faith security research” refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

This activity is deemed to be in “good faith” if it is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

“Computer security research is a key driver of improved cybersecurity,” commented deputy attorney general Lisa Monaco.

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The DoJ stressed, however, that the changes do not equal a “free pass for those acting in bad faith”.

“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research’, is not in good faith,” the statement reads.

“The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.”

Changing times

The revisions also clarify that hypothetical CFAA violations are not sufficient to warrant a charge.

Examples of these situations include embellishing an online dating profile contrary to the terms of service of the dating website or using a pseudonym on a social networking site that prohibits them, the DoJ explained.

Source: https://portswigger.net/daily-swig/revisions-to-us-computer-fraud-and-abuse-act-will-not-prosecute-good-faith-security-research
