US Justice Department says it won't prosecute white-hat hackers under the CFAA

Good-faith security researchers no longer have to worry about being prosecuted under the Computer Fraud and Abuse Act, the US Justice Department said on Thursday. The federal agency released a new memo, which for the first time clarifies that the 1986 law shouldn’t be used to target white-hat hackers. 

“The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa O. Monaco said in a statement, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The CFAA prohibits accessing a computer without authorization, or in excess of authorization. Its interpretation has been a point of contention for years, particularly because it’s not uncommon for good-faith security researchers to fall into legal trouble. Last year, for instance, Republican Missouri Governor Mike Parson called for criminal charges against a journalist who found a website that had revealed teachers’ social-security numbers. In 2020, security experts from the firm Coalfire Systems shared how they were arrested at an Iowa courthouse while conducting tests on behalf of the state.

The DOJ’s new memo clarifies what it means when it refers
