The US Department of Justice (DoJ) has announced it will not prosecute security researchers who act in “good faith” under a landmark revision to its computer crime laws.
In a statement published yesterday (May 19), the DoJ laid out changes to the Computer Fraud and Abuse Act (CFAA) and how it might respond to potential violations of the law.
The revised policy (PDF) directs that good-faith security researcher should not be charged, the first time such revisions have been made.
According to the DoJ, “good faith security research” refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.
This activity is deemed to be in “good faith” if it is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
“Computer security research is a key driver of improved cybersecurity,” commented deputy attorney general Lisa Monaco.
“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The DoJ stressed, however, that the changes do not equal a “free pass for those acting in bad faith”.
“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research’ is not in good faith,” the statement reads.
“The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.”
Changing times
The revisions also clarify that hypothetical CFAA violations are not sufficient to warrant a charge.
Examples of these situations include embellishing an online dating profile contrary to the terms of service of the dating website or using a pseudonym on a social networking site that prohibits them, the DoJ explained.
