White hat research hackers will no longer be charged for violating the Computer Fraud and Abuse Act, the Department of Justice said.
The DOJ defines good faith hacking as follows:
“Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.”
The activity must be intended to “root out vulnerabilities for the common good,” said Deputy Attorney General Lisa Monaco, adding that amending the policy “promotes cyber security by providing clarity for good faith security researchers.” Information gained from the hacking must be used mainly to promote the security or safety of devices, machines or online services.
The new policy replaces an earlier policy that was issued in 2014, and takes effect immediately.
The DOJ said it will attempt to prosecute those activities in which an "individual is either not authorized at all to access a computer or was authorized to access one part of a computer and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend." In addition, the DOJ specified that claiming to be conducting security research is not a “free pass for those acting in bad faith.” For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith, officials said.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
The new policy also states that these activities are no longer grounds for prosecution under the CFAA:
- Embellishing an online dating profile contrary to the terms of service of the dating website.
- Creating fictional accounts on hiring, housing, or rental websites.
- Using a pseudonym on a social networking site that prohibits them.
- Checking sports scores at work or paying bills at work.
- Violating an access restriction contained in a term of service.