DOJ says it will no longer prosecute good-faith hackers under CFAA

The U.S. Justice Department announced Thursday it will not bring charges under federal hacking laws against security researchers and hackers who act in good faith.

The policy for the first time “directs that good-faith security research should not be charged” under the Computer Fraud and Abuse Act (CFAA), a seismic shift away from its previous policy that allowed prosecutors to bring federal charges against hackers who find security flaws for the purpose of helping to secure exposed or vulnerable systems.

The Justice Department said that good-faith researchers are those who carry out their activity “in a manner designed to avoid any harm to individuals or the public,” and where the information is “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The Computer Fraud and Abuse Act, or CFAA, was enacted into law in 1986 and predates the modern internet. The federal law dictates what constitutes computer hacking — specifically “unauthorized” access to a computer system — at the federal level. But the CFAA has long been criticized for its outdated and vague language, which does little to differentiate between good-faith researchers and hackers on the one hand and malicious actors who set out to extort companies or individuals or otherwise cause harm on the other.

Last year the Supreme Court took its first look at the CFAA since the law came into force, and for the first time determined precisely what the CFAA’s reading of “unauthorized” access means under the law and subsequently limited its scope, effectively eliminating an entire class of hypothetical scenarios — like violating a web service’s privacy policy, checking sports results from a work computer and more recently scraping public web pages — under which federal prosecutors could have brought charges.

Now the Justice Department is ruling out, albeit a year on from the court’s ruling, bringing federal charges over these kinds of scenarios and instead focusing on cases where malicious actors deliberately break into a computer system.

The policy shift is not a legislative fix and could change again in the future, just as the Justice Department changed it today. It also does not protect good-faith hackers — or anyone else accused of hacking — from state computer hacking laws.

In a statement, U.S. deputy attorney general Lisa O. Monaco said:

The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.

Some critics may not accept that claim so willingly following the death of Aaron Swartz, who died by suicide in 2013 after he was charged under the CFAA for downloading 4.8 million articles and documents from academic subscription service JSTOR. Although JSTOR declined to pursue the case, federal prosecutors still brought charges accusing him of theft.

Since Swartz’s death, campaigners and lawmakers alike have pushed “Aaron’s Law” to reform and codify changes to the CFAA in law to better protect good-faith hackers.