US Department Of Justice Will No Longer Prosecute Good-Faith Hackers

The US Department of Justice has released a new memo, which clarifies that it will no longer bring charges under the federal laws against security researchers and hackers who act in good faith. The new memo discusses that white-hat hackers no longer have to worry about being prosecuted under the 1986 law of the Computer Fraud and Abuse Act (CFAA)

Deputy Attorney General Lisa O. Monaco in a statement stated that “The department has never been interested in prosecuting good-faith computer security research as a crime” Therefore today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

For the first time this policy updated on the May 19th, 2022 “directs that good-faith security research should not be charged” under the Computer Fraud and Abuse Act (CFAA), a shift away from its previous policy that allowed the prosecution of hackers who find security flaws for the purpose of helping to secure exposed or vulnerable systems.

The Department of Justice has described a “good-faith researcher as anyone accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” Such activity is to be carried out “in a manner designed to avoid any harm to individuals or the public,” and where the information is “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” However, the memo also stated that any “research” conducted for the intent of extortion doesn’t count as good faith.

In 1986, the Computer Fraud and Abuse Act (CFAA) was enacted into the US law and therefore predates the modern internet. Over the years, CFAA received several criticisms for its outdated use of language or terms that don’t clearly identify or differentiate between good-faith researchers, hackers, and malicious actors who set out to extort companies or individuals or otherwise cause harm to the populace. 

Last year the Supreme Court eventually took a look at the scope of the CFAA since its introduction. For the first time the court gave its broad interpretation to the CFAA’s reading of “unauthorized” access under the law and as a result, limited the scope of the CFAA. This effectively eliminated an entire class of hypothetical cases such as violating a web service’s privacy policy, embellishing an online dating profile contrary to the terms of service of the dating website, creating fictional accounts on hiring, housing, or rental websites, checking sports results from a work computer and more recently scraping public web pages — under which federal prosecutors could have brought charges.

Now that the Department of Justice has conceded to ruling out, a year after the court did, bringing federal charges over these kinds of cases to halt and instead focusing prosecution on cases where malicious actors deliberately break into computer systems for the purpose of causing harm. However, the policy shift is not a legislative fix and could change in the near future just as the Department of Justice did today. It also does not protect good-faith hackers — or anyone else accused of hacking — from state computer hacking laws.

Some critics may not be quick to accept this claim, especially following the death of Aaron Swartz, who committed suicide in 2013 after federal prosecutors charged him under the CFAA. He was accused of theft after downloading 4.8 million articles and documents from academic subscription service JSTOR, despite JSTOR’s refusal to pursue a case. Since Swartz’s death, campaigners and lawmakers alike have further agitated to reform the CFAA to better protect good-faith hackers.