In a policy shift, the US Department of Justice plans to stop prosecuting good-faith security research that would have violated the Computer Fraud and Abuse Act
to choose not to prosecute security research as a violation of the Computer Fraud and Abuse Act. “The policy for the first time directs that good-faith security research should not be charged.” https://www.justice.gov/... Marcus Hutchins / @malwaretechblog : “good-faith security research should not be charged”, “for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability” Last line seems kind of broad. Would that cover hacking systems to patch vulnerabilities? https://twitter.com/... Riana Pfefferkorn / @riana_crypto : Holy shit: new DOJ policy of not charging good-faith security research under the CFAA. https://www.justice.gov/... Mike Masnick / @mmasnick : In other news, this is a big deal, and long overdue. DOJ instructed not to charge good faith security research with CFAA violations! https://www.justice.gov/... https://twitter.com/... Kim Zetter / @kimzetter : Regarding announcement today from Justice Dept that it won't charge good-faith researchers with hacking under CFAA, here's story I wrote in 2016 about four academic researchers who specialize in uncovering algorithmic discrimination who sued DoJ over this https://www.wired.com/... Zack Whittaker / @zackwhittaker : The Supreme Court's ruling was the first time CFAA had been challenged since it was passed into law in 1986(!), and had the potential to make privacy policy violations illegal under CFAA. That didn't happen, but now the DOJ says it won't bring charges for hypothetical violations. https://twitter.com/... Zack Whittaker / @zackwhittaker : DOJ says the policy will apply to hackers and security researchers whose work is carried out in a way that is “designed to avoid any harm to individuals or the public.” The policy shift comes a year after the Supreme Court limited the scope of CFAA. https://techcrunch.com/... Zack Whittaker / @zackwhittaker : Wow. DOJ has announced a significant policy shift in how it will bring computer hacking charges under CFAA in the future. “The policy for the first time directs that good-faith security research should not be charged.” https://www.justice.gov/...
Big news on the CFAA front: DOJ has changed its charging policy to explicitly discourage charging good-faith security researchers. The security community has been pushing for this change for years. https://www.justice.gov/... https://www.justice.gov/... https://twitter.com/...
Exclusive: DOJ is instructing US prosecutors not to bring charges under an anti-hacking law for “good-faith” cybersecurity research. 👀👀 It's a big update for the controversial Computer Fraud and Abuse Act, which was used to prosecute Aaron Swartz. (Fully story coming soon.) https…
Thank you, DoJ. This CFAA guidance will hopefully improve the lives of people (like me) who fear retaliation for trying to do the right thing. “The policy for the first time directs that good-faith security research should not be charged.” https://www.justice.gov/...
DOJ has updated its charging policy for the Computer Fraud and Abuse Act (#CFAA), expressly to allay concerns from “good faith” security researchers. Full text link below. But just remember: there's still *state* criminal law, which may differ. https://www.justice.gov/...
I wrote Aaron's law nearly a decade ago to protect researchers from misguided, overzealous prosecutions. Glad to see DOJ is finally recognizing good-faith security research isn't a crime, it actually makes us all safer. https://twitter.com/...
US Justice Department won't prosecute white-hat hackers under the CFAA. Good-faith security researchers no longer have to worry about being prosecuted under the Computer Fraud and Abuse Act (CFAA), the US Justice Department said. UK to follow please. https://www.zdnet.com/...
This is pretty huge. The CFAA still needs a complete overhaul / rewrite / tear down but recognizing good faith as an exception for criminal charges in cyber is a big step. https://twitter.com/...
Department of Justice revises Computer Fraud and Abuse Act policy, directing that charges should not be brought for good-faith security research https://www.justice.gov/...
New: DOJ has announced it won't charge security research under the country's hacking law. Might end years of uncertainty about security research and the law https://www.vice.com/...
Importantly, the DOJ shift *does not* save researchers from prosecution under numerous state laws. CFAA also is a civil statute, meaning that corporations can still sue ethical researchers, as @HarleyGeiger, one of the authors of Aaron's Law, explained to me.
This comes after Swartz's death, and after SCOTUS ruled last year that DOJ's interpretation of CFAA was overly broad in the Van Buren case. This change would've ruled out prosecution of @niftyc, who sued DOJ in order to research social media biases. https://news.umich.edu/...
A major, important change over at the DOJ—to choose not to prosecute security research as a violation of the Computer Fraud and Abuse Act. “The policy for the first time directs that good-faith security research should not be charged.” https://www.justice.gov/...
“good-faith security research should not be charged”, “for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability” Last line seems kind of broad. Would that cover hacking systems to patch vulnerabilities? https://twitter.com/...
In other news, this is a big deal, and long overdue. DOJ instructed not to charge good faith security research with CFAA violations! https://www.justice.gov/... https://twitter.com/...
Regarding announcement today from Justice Dept that it won't charge good-faith researchers with hacking under CFAA, here's story I wrote in 2016 about four academic researchers who specialize in uncovering algorithmic discrimination who sued DoJ over this https://www.wired.com/..…
The Supreme Court's ruling was the first time CFAA had been challenged since it was passed into law in 1986(!), and had the potential to make privacy policy violations illegal under CFAA. That didn't happen, but now the DOJ says it won't bring charges for hypothetical violations.…
DOJ says the policy will apply to hackers and security researchers whose work is carried out in a way that is “designed to avoid any harm to individuals or the public.” The policy shift comes a year after the Supreme Court limited the scope of CFAA. https://techcrunch.com/...
Wow. DOJ has announced a significant policy shift in how it will bring computer hacking charges under CFAA in the future. “The policy for the first time directs that good-faith security research should not be charged.” https://www.justice.gov/...