Policy change for Cybersecurity Research

Good Faith Required: U.S. Justice Department Changes Policy for Cybersecurity Researchers

Are you just a hacker whose intentions are good? You’re in luck—the U.S. Department of Justice (DOJ) changed its policy toward security researchers acting in good faith to test, investigate, or correct security vulnerabilities, revising its previously broad approach of prosecuting these actions as crimes under the Computer Fraud and Abuse Act (CFAA).

“The policy for the first time directs that good-faith security research should not be charged,” the DOJ said in a statement. “Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

“Computer security research is a key driver of improved cybersecurity,” said U.S. Deputy Attorney General Lisa Monaco in the DOJ statement. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The CFAA has faced criticism since it was fully enacted in 1986 for its broad applications and how prosecutors have used it to charge defendants, CyberScoop reported. For example, prosecutors used the CFAA to charge Internet activist Aaron Swartz with 13 felony counts for downloading academic journal papers in an effort to provide them to the public for free. Swartz faced up to 50 years in prison and a $1 million fine. He died by suicide in 2013 before the trial began.

The revised policy will likely lift some of the legal threat from well-intentioned cybersecurity professionals and researchers who want to come forward with vulnerability information. That threat likely kept some key vulnerabilities from being disclosed or fixed in the past, Andrew Crocker, a lawyer at the nonprofit Electronic Frontier Foundation, told The Washington Post.

The policy also clarifies the DOJ’s stance on some hypothetical CFAA violations, noting some cases that are not to be federally charged:

  • Embellishing an online dating profile contrary to the dating website’s terms of service;
  • Creating fictional accounts on hiring, housing, or rental websites;
  • Using a pseudonym on a social networking site that prohibits them;
  • Checking sports scores at work;
  • Paying bills at work; or
  • Violating an access restriction in a term of service.

Instead, the revised policy focuses on cases where a defendant was not authorized at all to access a computer or knowingly accessed a part of a computer the defendant did not have authorized access to, such as other users’ emails or files.

This is not a free pass to hack—the DOJ clarified that hunting for vulnerabilities in devices or services in order to extort their owners, even if the person claims it is research, is not a good-faith activity and is subject to legal action.

In addition, companies can still sue people who claim to be acting in good faith, The Washington Post added, and officials can charge hackers under state laws. But state prosecutors typically follow federal guidance, so the CFAA revision’s impact will likely echo across the United States.