The US Department of Justice said it revised its enforcement policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The updated policy now states that the “hacking law” shouldn't be used to target white-hat hackers acting in good faith.
The Computer Fraud and Abuse Act was originally enacted in 1986 and was designed to punish hacking crimes.
“The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the DoJ said.
The agency explained that the updated policy now seeks to focus the department’s resources on cases “where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”
The newly refined policy also states that those acting in bad faith under pretense of doing security research should not remain unpunished.
“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith, the DoJ explained.