The Department of Justice has announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).
The policy for the first time directs that good-faith security research should not be charged. Good-faith security research means accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public. The definition also requires that the information derived from the activity be used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or of those who use such devices, machines, or online services.
Cybersecurity expert Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, commented on the announcement: “This is a historical moment for many security researchers whose voices were silenced by vendors and organisations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data.
“On the other side, the DoJ may unwittingly open a Pandora’s box: the definition of ‘good faith’ could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cybercriminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement.”