Blog

The United States Department of Justice Will no Longer Prosecute Ethical Hackers

Jun 01, 2022

Ethical Hacker The U.S. Department of Justice (DOJ) announced last week it will not bring charges under federal hacking laws against security researchers and ethical hackers who act in good faith. This decision stems from a landmark 2021 ruling where the Supreme Court ruled in favor of a police officer who was charged with accepting a kickback for accessing the database as a serving police officer, and another for violating the Computer Fraud and Abuse Act (CFAA).

The CFAA, became law in 1986 and is widely criticized as outdated. The federal law dictates what constitutes computer hacking, specifically “unauthorized” access to a computer system, at the federal level. The language within the law regarding good-faith researchers and ethical hackers is vague and leaves those actors vulnerable until now.

The policy now states that, “good-faith security research should not be charged” under the CFAA. A 180 degree turn from the previous language.

The DOJ will focus on cases centered on bad faith actors and intrusions and will not pursue those acting in what is determined to be good faith. Moving forward, the DOJ will not prosecute ethical hackers or security researchers who access a computer system solely for the purposes of good-faith testing, investigation, or correction of a security flaw.

They stated that those acting in good faith refers to those carrying out their activity “in a manner designed to avoid any harm to individuals or the public,” and where the information is “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The policy also imposes a specific burden of proof on prosecutors, requiring that they prove that “the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct.” The revised guidance reinforces the importance of establishing explicit permission policies and internal firewalls to protect sensitive information and put would-be intruders on notice to potential access violations that could trigger criminal penalties.

Said U.S. deputy attorney general Lisa O. Monaco in a statement, “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

It should be noted that although the DOJ has made this announcement, this is not an official change in policy. Those acting in good faith can still be pursued under applicable state laws. This announcement will likely spur legislation in a variety of states in the next session addressing good faith actors, clarifying malicious and good faith actors in existing legislation and bills related to protecting good faith actors.

Read the press release from the Department of Justice to learn more.