Cybersecurity researchers will no longer face hacking charges under CFAA
The guidance defines good faith as research aimed primarily at improving the security of sites, programs, or devices, rather than at extracting money in exchange for withholding disclosure or at exploiting a security breach.
Companies can still sue those they say are acting in good faith, and officials could continue to prosecute hackers under state laws that the CFAA often echoes. But most state prosecutors tend to follow federal guidelines when their laws are similar.
Well-intentioned hackers of the past were usually silenced by legal threats. Even in recent years, civil lawsuits and criminal referrals have been used to cancel public talks about dangerous vulnerabilities or to challenge research findings.
In 2019, a mobile voting company, Voatz, reported to the FBI a Michigan college student who was examining its app for a course. Twenty years ago, a former employee of e-mail provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and its customers were e-mailed about them.
In a case that drew national attention in October, the Missouri governor threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.
The Justice Department did not respond to a question about what motivated the new policy.
But security work has become more obviously vital to corporate and even national security, and professionalization has generated billions of dollars in business. Many companies now pay bug bounties to researchers who find flaws and report them directly or through programs run by outside companies such as Bugcrowd and HackerOne, which praised the new U.S. policy.
“For more than a decade, cybersecurity leaders have recognized the critical role of hackers as the Internet’s immune system,” HackerOne founder Alex Rice said in an email. “We enthusiastically applaud the Justice Department for codifying what we have long known is true: good faith security research is not a crime.”
Many hackers have turned to bounty platforms and other intermediaries to better protect themselves from legal consequences. Other vulnerabilities have never been disclosed or fixed for fear of prosecution, said Andrew Crocker, a lawyer for the nonprofit Electronic Frontier Foundation, which often advises hackers.
“The first conversation is that the CFAA has criminal and civil appeals, and if things go wrong, it’s entirely possible for the federal government to file charges,” Crocker told The Washington Post. “Some of the factors are out of your control, such as whether the company considers them good or bad, whether the company has a good relationship with local U.S. law firms, and whether the company has influence in DC.”
Even among hackers who by nature take risks, fear of prosecution often deters them from disclosing important findings that could help companies, Crocker said.
The policy's wording still leaves room for lawsuits in an area of high tension and overlapping motives, Crocker and others noted.
“What if goals include talking to [a security conference] or charging a reward? Isn’t that pure research?”
Security experts said they would prefer Congress to revise the 35-year-old law, since judges apply existing law as they see fit and especially because a future Justice Department could reverse the policy.
But they said they were happy with any move in that direction.
“This is a great victory for our cause!” tweeted the hacker-rights nonprofit Hacking Is Not a Crime.