U.S. Justice Department Says It Won’t Prosecute White Hat Hackers Under CFAA

U.S. Justice Department Says It Won’t Prosecute White Hat Hackers Under CFAA
Photo: CHRIS DELMAS/AFP, Getty Images

The U.S. Justice Department has revised its enforcement policy related to a controversial anti-hacking law, giving a much needed legal reprieve to security professionals who break into digital systems to help rather than harm.

The Computer Fraud and Abuse Act (CFAA) was originally enacted in 1986 and was designed to punish hacking crimes. However, having been engineered in the early days of the Internet, it has often been criticised for its overly broad statutory language, which critics say fails to distinguish between hacking cases involving “black hat” cybercriminals and ethical hackers or “white hats.” Even as CFAA has been amended a number of times, critics have worried that the law’s broad mandate could allow for innocent cyber professionals to get swept up in draconian legal cases.

In a press release published Thursday, the Justice Department sought to make it clear that it doesn’t want to go after the good guys. A modification of the DOJ’s CFAA enforcement policy now “directs that good-faith security research should not be charged,” the press release says.

Hypothetically, under the previous reading of the law, cases could have been brought against security professionals practicing legitimate digital intrusion — including researchers, penetration testers, and “white hat” hackers looking to expose software bugs. The DOJ’s policy revision stamps out that possibility.

“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The newly refined policy now seeks to focus the Justice Department’s time and energy towards cases where a person “either [was] not authorised at all to access a computer or was authorised to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorised access did not extend, such as other users’ emails,” the announcement explains. Federal prosecutors who wish to pursue cases via the CFAA will have to refer to the newly revamped policy.

However, the Justice Department also notes that this recent modification is not “a free pass for those acting in bad faith.” So, if you hack into a computer and try to extort the owner, only to turn around and claim you were doing “research,” you’ll probably be out of luck, script kiddies.