In a win for cybersecurity research, the Justice Department says it’s going to steer clear of prosecuting those who conduct “good-faith” security research that technically violates the US Computer Fraud and Abuse Act (CFAA).
The change involves revising policy guidelines on how federal prosecutors should tackle cyber crimes under the CFAA, which originally became law in 1986. “The policy for the first time directs that good-faith security research should not be charged,” the Justice Department says.
The revision tries to address ambiguities in the CFAA, which could theoretically be used to prosecute a security researcher for uncovering a vulnerability in a computer system. That’s because deliberately accessing a computer without authorization, or exceeding authorized access, can technically be charged as a crime under the law.
The policy revision from the Justice Department now states an attorney for the federal government “should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.”
It also explicitly says the good-faith research covers the testing and investigation of computer systems for vulnerabilities with the goal of patching them. Meanwhile, not-so-good-faith research that involves uncovering a vulnerability only to extort a company remains a prosecutable offense.
“The department has never been interested in prosecuting good-faith computer security research as a crime,” says US Deputy Attorney General Lisa Monaco, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common
Read more on pcmag.com