Cybersecurity researchers no longer will face hacking charges under CFAA


The U.S. Department of Justice said Thursday it would not use the country’s long-standing anti-hacking law to prosecute researchers trying to identify security flaws, a measure that provides protection and additional validation for a craft that is still vilified by many officials, companies and the general public.

In a press release and a five-page policy statement issued to federal prosecutors, senior justice officials said local U.S. attorneys should not file charges when “good faith” researchers exceed “authorized access,” a vague phrase from the Computer Fraud and Abuse Act of 1986 (CFAA) which has been interpreted to cover routine practices such as automated web content downloads.

The guidance defines good faith as research aimed primarily at improving the security of sites, programs, or devices, rather than seeking money in exchange for withholding disclosure or exploiting a security flaw.

Companies can still sue those who say they are acting in good faith, and officials could continue to prosecute hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidelines when their laws are similar.

Well-intentioned hackers of the past were usually silenced by legal threats. Even in recent years, civil lawsuits and criminal referrals have been used to cancel public talks about dangerous vulnerabilities or to call research findings into question.

In 2019, a mobile voting company, Voatz, reported to the FBI a Michigan college student who was investigating its app for a course. Twenty years ago, a former employee of e-mail provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he sent an e-mail to its customers.

In a case that drew national attention in October, the Missouri governor threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.

The Justice Department did not respond to a question about what motivated the new policy.

But security work has become more obviously vital to corporate and even national security, and professionalization has generated billions of dollars in business. Many companies now pay bug bounties to researchers who find flaws and report them directly or through programs run by outside companies such as Bugcrowd and HackerOne, which praised the new US policy.

“For more than a decade, cybersecurity leaders have recognized the critical role of hackers as the Internet’s immune system,” HackerOne founder Alex Rice said in an email. “We enthusiastically applaud the Justice Department for codifying what we have long known is true: good faith security research is not a crime.”

Many hackers have turned to bounty platforms and other intermediaries to better protect themselves from legal consequences. Other vulnerabilities have never been disclosed or fixed for fear of prosecution, said Andrew Crocker, a lawyer for the nonprofit Electronic Frontier Foundation, which often advises hackers.

“The first conversation is that the CFAA has criminal and civil appeals, and if things go wrong, it’s entirely possible for the federal government to file charges,” Crocker told The Washington Post. “Some of the factors are out of your control, such as whether the company considers them good or bad, whether the company has a good relationship with local U.S. law firms, and whether the company has influence in DC.”

Even among hackers who by nature take risks, fear of criminal action often deters them from revealing important findings that could help companies, Crocker said.

The language of the policy statement still leaves room for lawsuits in an area of high tension and overlapping motives, Crocker and others noted.

“What if goals include talking to [a security conference] or charging a reward? Isn’t that pure research?”

Security experts said they would prefer Congress to revise the 35-year-old law, since judges apply existing law as they see fit and especially because another Justice Department could reverse the policy.

But they said they were happy with any move in that direction.

“This is a great victory for our cause!” tweeted the hacker-rights nonprofit Hacking Is Not a Crime.


