20 May 2022

US won’t prosecute “white hat” hackers under CFAA

The US Department of Justice said it revised its enforcement policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The updated policy now states that the “hacking law” shouldn't be used to target white-hat hackers acting in good faith.

The Computer Fraud and Abuse Act was originally enacted in 1986 and was designed to punish hacking crimes.

“The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services,” the DoJ said.

The agency explained that the updated policy now seeks to focus the department’s resources on cases “where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”

The newly refined policy also states that those acting in bad faith under the pretense of doing security research should not go unpunished.

“For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith,” the DoJ explained.
