On May 19, 2022, the U.S. Department of Justice (DOJ) amended the Computer Fraud and Abuse Act (CFAA) to no longer charge security personnel for conduct in good faith under the CFAA.
The new policy states that “the government should refuse to prosecute if the available evidence indicates that the defendant’s conduct was conduct in good faith security research.” Access a computer for the purpose” and such activities are primarily used to promote computer equipment security.
The new policy also claims that conducting security research is not a free pass for malicious actors. For example, finding a vulnerability in a device to blackmail its owner, even if it claims to be “research,” is not done in good faith.
This is undoubtedly a major policy benefit for white hat hackers, who no longer have to worry about going to jail for finding vulnerabilities, reducing the pressure on cybersecurity researchers trying to improve their technology. “This CFAA guidance promises to improve the lives of those who fear retribution (like me) for doing the right thing,” tweeted Chris Vickery, a cybersecurity officer. Until then, the CFAA’s blurry lines gave companies room to “cover up scandals by prosecuting white hat hackers.”
U.S. Deputy Attorney General Lisa Monaca said that computer security research is an important key driver in rooting out vulnerabilities and improving network security. She added that the U.S. Justice Department has never been interested in prosecuting “bona fide computer security research” as a crime, and the revisions to the CFAA would support well-intentioned security researchers who “eliminate loopholes for the common good.”
The CFAA was enacted in 1986 and has been revised several times, most recently in 2008. It is an important anti-hacking law in the United States that prohibits hackers from maliciously breaking into unauthorized computer systems. While the CFAA does not address data protection issues such as data collection and use, it provides legal liability for unauthorized access to computers and access to information about others. This means that without authorization, white hat hackers will not be able to scan websites for vulnerabilities without authorization, nor will they be able to obtain any non-public data, otherwise they risk violating the CFAA. White hat hackers are an important force in the network security industry. The improvement of this law will undoubtedly promote the healthy development of the network security industry.
Reference link:
https://slate.com/technology/2022/05/cfaa-justice-department-policy-update.html
The text and pictures in this article are from InfoQ
This article is reprinted from https://www.techug.com/post/the-us-department-of-justice-amended-the-law-to-no-longer-prosecute-white-hat-hackers-for-acts-of- goodwill/
This site is for inclusion only, and the copyright belongs to the original author.