US Justice Department won’t prosecute white-hat hackers under the CFAA

Good-faith security researchers no longer have to worry about being prosecuted under the Computer Fraud and Abuse Act (CFAA), the US Justice Department said on Thursday. The federal agency released a new memo, which for the first time clarifies that the 1986 law shouldn’t be used to target white-hat hackers. 

“The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa O. Monaco said in a statement, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The CFAA prohibits accessing a computer without authorization or in excess of authorization. Its interpretation has been a point of contention for years, particularly because it’s not uncommon for good-faith security researchers to fall into legal trouble. 

Last year, Republican Missouri Governor Mike Parson called for criminal charges against a journalist who found a website that had revealed teachers’ social security numbers. In 2020, security experts from the firm Coalfire shared how they were arrested at an Iowa courthouse while conducting tests on behalf of the state.

The DOJ’s new memo clarifies what it means when it refers to “good faith security research” that won’t be prosecuted: 

“‘Good faith security research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The memo also states that any “research” conducted for the intent of extortion doesn’t count as good faith. 

The Supreme Court last year limited the scope of the CFAA, when it ruled that a police officer didn’t violate the law when he searched a license plate database for an acquaintance in exchange for cash. The court case put to rest some concerns that a broad interpretation of the CFAA could criminalize a large swath of computer activity, including violating a website’s terms of service — like sharing a Netflix password. 

The new DOJ policy similarly states that the agency won’t pursue CFAA cases that simply deal with terms-of-service violations. It gives examples like “embellishing an online dating profile contrary to the terms of service of the dating website” or “creating fictional accounts on hiring, housing, or rental websites.”