Bona fide security researchers should no longer face federal prosecution under the Computer Fraud and Abuse Act (CFAA), the US Department of Justice said Thursday. The agency has released a new charging policy which, for the first time, states that the 1986 law should not be used to prosecute good-faith security research. Note that this is a policy governing federal prosecutors' charging decisions, not a change to the statute: it does not prevent civil suits under the CFAA or prosecution under state computer crime laws.
“The department has never been interested in prosecuting good faith computer security research as a crime,” Deputy Attorney General Lisa O. Monaco said in a statement, “and today’s announcement furthers cybersecurity by providing insight to bona fide security researchers rooting out vulnerabilities for the greater good.”
The CFAA prohibits accessing a computer without authorization or in excess of authorized access. How those terms should be interpreted has been contested for years, in part because bona fide security researchers have repeatedly found themselves in legal trouble.
Last year, Republican Missouri Gov. Mike Parson called for criminal charges against a reporter who found that a state website exposed teachers’ Social Security numbers. In 2020, security experts from Coalfire described how they were arrested at an Iowa courthouse while conducting a penetration test on behalf of the state.
The new DOJ memo defines the “good faith security research” that will not be prosecuted:
“‘Good faith security research’ means accessing a computer solely for the purpose of testing, investigating, and/or correcting a security breach or vulnerability in good faith, when such activity is conducted in a manner that avoids harm to persons or the public, and where the information derived from the activity is used primarily to promote the safety or security of the class of device, machine or online service to which the accessed computer belongs, or those who use such devices, machines or online services.”
The memo also states that “research” conducted in order to extort the owner of a vulnerable system does not count as good faith.
Last year, the Supreme Court narrowed the scope of the CFAA when it ruled that a police officer had not violated the law by searching a license plate database in exchange for money, since he was authorized to access the database. The decision put to rest some concerns that a broad reading of the CFAA could criminalize much everyday computer activity, including violating a website’s terms of service, such as sharing a Netflix password.
The new DOJ policy also states that the agency will not pursue CFAA cases that rest solely on terms of service violations. It gives examples such as “embellishing an online dating profile contrary to the dating site’s terms of service” or “creating dummy accounts on hiring, housing, or rental sites.”