The Department of Justice will no longer pursue hackers who breach networks or computers in “good faith”, it said late Thursday, adding: “Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such… online services.”
The announcement came amid a revision of DOJ policy on how it will charge apparent breaches of the Computer Fraud and Abuse Act (CFAA), the 1986 legislation that multiple courts of appeals have used to hold hackers civilly or criminally liable for accessing or probing a system for vulnerabilities without permission.
The announcement left many security researchers thrilled. For decades white-hat hackers have found themselves in the legal crosshairs even when they were simply trying to report a vulnerability to an organisation at risk. Too often the kneejerk response of an organisation to an unsolicited security vulnerability disclosure is the threat to sue. The Stack‘s team have listened to multiple call recordings over the years of security researchers trying to disclose severe vulnerabilities to organisations that were clearly befuddled by what was happening, treated the disclosure as a potential shakedown or threat, and were unable to make meaningful sense of it.
(The flipside of this is a proliferation of often young “security researchers” getting highly excited about some trivial issue and demanding cash or “swag” from bemused, overworked IT teams before they will explain the vulnerability. For enterprises not overly familiar with the space, and that have not traditionally paid much attention to cybersecurity, it can be challenging on such occasions to differentiate between the benevolent and the malevolent.)
The small print suggests it is too early for white hats to get excited about a newly liberal regime.
As Orin Kerr, Professor of Law at Berkeley and a cybersecurity specialist noted: “It’s just a policy, not a law, so it’s just something to guide prosecutorial discretion and doesn’t create any rights in court…”
The DOJ nevertheless appears minded to uphold the policy firmly, noting this week that “all federal prosecutors who wish to charge cases under the Computer Fraud and Abuse Act are required to follow the new policy, and to consult with CCIPS [the Criminal Division’s Computer Crime and Intellectual Property Section] before bringing any charges”, adding that “prosecutors must [also] inform the Deputy Attorney General (DAG), and in some cases receive approval from the DAG, before charging a CFAA case if CCIPS recommends against it.”
As Professor Kerr added, however: “The charging policy doesn’t address civil liability, of course. So if you hack into someone’s computer with a good-faith security goal, etc., they could still sue you. But if I’m reading this correctly, DOJ is saying they won’t charge you.
“One thing that makes this interesting is that, over the years, a fairly high % of people charged with hacking claim a good-faith security goal. (Even when it’s a preposterous claim, that’s the public claim.) This now becomes a claim defense counsel can make to DOJ if they find out DOJ is considering charging their clients; defense counsel can make the case to the AUSA that the client was acting in good faith…”
Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, added in an emailed comment: “This is a historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data.
“On the other side, the DoJ may unwittingly open a Pandora’s box: the definition of ‘good faith’ could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cybercriminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement… cybersecurity researchers shall also bear in mind that, apart from the CFAA, they may face civil lawsuits, namely for breach of contract or intellectual property infringement. Moreover, due to the international nature of many tech vendors, criminal charges may be brought in other jurisdictions. Therefore, security research remains a shark-infested area.”