The Department of Justice on Thursday revised its policy concerning the US’ premier anti-hacking law, the Computer Fraud and Abuse Act. The department is instructing prosecutors not to use the CFAA to prosecute cybersecurity researchers, sometimes dubbed “white hat hackers,” who have good faith intentions to improve technology.
The CFAA is a federal statute, enacted in 1986, that prohibits accessing a computer without authorization or in excess of authorization given. The law has long been criticized for overly broad and ambiguous language as to what constitutes authorized access to a protected computer, or what it means to exceed that authorization.
Up until a Supreme Court case that narrowed the scope of the law last year, concerns were raised that the act could allow prosecution for seemingly innocuous activity, such as sharing a Netflix password or using a work Zoom account to make a personal call.
With the DOJ’s revised policy, things are getting even more refined, taking pressure off of cybersecurity researchers who are trying to better technology.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa Monaco in a press release. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
