US won’t prosecute ‘good faith’ security researchers under CFAA
2022-05-20 00:07

The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act if their reasons for hacking are ethical, such as bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

"The Department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The new policy clarifies CFAA language that prohibits accessing a computer "without authorization," a provision long criticized by security researchers and some lawmakers for not defining what the term means.

While security researchers agree the updated policy is a step in the right direction, most contacted by The Register say the changes don't go far enough to protect them while they simply do their jobs.

"There are risks in doing security research in that depending on the research target, the response to one's findings may not be taken as being well intended," he told The Register, noting Aaron Swartz and, more recently, the Missouri reporter who was threatened with prosecution after reporting social security numbers exposed on a state government website.

Because of this, the phrase "good-faith research" and other vaguely worded sections in the policy leave a good amount of prosecutorial wiggle room and "should give security researchers pause," Mellen told The Register.

News URL: https://go.theregister.com/feed/www.theregister.com/2022/05/20/cfaa_rule_change/