The guidelines define good faith as research aimed primarily at improving the security of sites, programs, or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure, or at exploitation of a security breach.
Companies can still prosecute those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state attorneys tend to follow federal guidelines when their laws are similar.
In the past, well-meaning hackers were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to quash public discussions of dangerous vulnerabilities or cast doubt on research results.
In 2019, a mobile voting company, Voatz, referred a Michigan student to the FBI for researching its app as part of a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed customers about it.
In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that reviewed the publicly available source code of a government website and then warned the state that it exposed the Social Security numbers of 100,000 educators.
The Justice Department did not respond to a question about what prompted the new policy.
But security work has become more obviously vital to corporate and even national security, and professionalization has spawned billion-dollar companies. Many companies now pay bug bounties to researchers who find flaws and report them directly or through programs run by outside companies like Bugcrowd and HackerOne, which have welcomed the new US policy.
“For more than a decade now, cybersecurity leaders have recognized the critical role of hackers as the immune system of the internet,” HackerOne founder Alex Rice said via email. “We enthusiastically applaud the Department of Justice for codifying what we have long known: bona fide security research is not a crime.”
Many hackers have turned to bounty platforms and other intermediaries for better protection against legal fallout. Other vulnerabilities were never disclosed or patched for fear of lawsuits, said Andrew Crocker, an attorney at the nonprofit Electronic Frontier Foundation who often advises hackers.
“The first conversation is that the CFAA has criminal and civil remedies, and if things go wrong, it’s entirely possible that the federal government will bring charges,” Crocker told The Washington Post. “Some of the factors are beyond their control, such as whether the company views them as good or bad, whether the company has a good relationship with the local U.S. Attorney’s office, and whether the company has influence in DC.”
Even among hackers who are inherently risk-takers, fear of criminal action often deters them from disclosing important findings that could help businesses, Crocker said.
The wording of the policy still leaves room for judgment calls in an area of high tension and overlapping motives, Crocker and others noted.
“And what if the goals include speaking at [a security conference] or collecting a bounty? Isn’t that pure research?”
Security experts have said they would prefer that Congress revise the 35-year-old law, since judges apply the existing law as they see fit and, more importantly, a future Justice Department could reverse the policy.
But they said they were happy with any step in that direction.
“This is a huge victory for our cause!” the hacker-rights nonprofit Hacking Is Not a Crime said in a tweet.