Department of Justice won’t prosecute white hat hackers who do computer security research


The U.S. Department of Justice said it would not prosecute white hat hackers engaged in vulnerability and information security research on the Internet under statutes such as the Computer Fraud and Abuse Act (CFAA), which has been in force since 1986.

The Computer Fraud and Abuse Act was amended by the Comprehensive Crime Control Act, which came into effect in 1984. It expressly prohibits any unauthorized access to U.S. government, business, and personal computer equipment, and is one of many sources of law used to prosecute illegal hacking.

However, this law has also hindered many white hat hackers engaged in vulnerability and information security research. Although many information security companies protect their security researchers from liability by means of disclaimers and similar arrangements, many technicians who research security vulnerabilities independently are still taken to court by vendors. As a result, there are more and more calls to revise the outdated law so that white hat hackers are exempt from such lawsuits, thereby encouraging the improvement of information security technology.

In an earlier public statement, the U.S. Department of Justice announced that it would adjust its policy so that good-faith white hat hackers are no longer treated as criminals under the U.S. computer crime statute. “Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

However, the U.S. Department of Justice also emphasized that “the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith.” Researchers who exploit system vulnerabilities while making threats of any kind are not regarded as conducting legitimate security research.