A significant reversal by the U.S. Department of Justice on how it views good-faith security research is expected to be warmly welcomed by the cybersecurity community. Quoting The Record.
According to a news release, the DOJ announced a new policy that “for the first time directs that good-faith security research should not be charged” under the Computer Fraud and Abuse Act.
The act has long been controversial among cybersecurity professionals, particularly following the death of Reddit co-founder Aaron Swartz, who died by suicide in 2013 after facing severe legal issues for downloading documents from a server at MIT.
The DOJ said the new policy aims to ensure that the agency focuses only on specific Computer Fraud and Abuse Act cases. “The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” the DOJ said in the release.
The news release says the agency will focus on cases where “a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”
“However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith,” the DOJ said in the release.
Additionally, the DOJ will create a new cyber operations international liaison position to work with U.S. prosecutors and European law enforcement officials to “up the tempo of global operations against top tier cyber actors, including arrests, extraditions, asset seizures and working together to dismantle infrastructure,
Why do we care?
This is a pretty big deal for researchers. While not codified by law – and Congress should clear that up – this policy sends an unambiguous signal to researchers. You can do your work. The government doesn’t view it as breaking the law.