DoJ announces new policy for charging cases under the Computer Fraud and Abuse Act

By Alix Pressley for Intelligent CIO
Thursday, May 26, 2022

The policy directs, for the first time, that good-faith security research should not be charged. Good-faith security research means accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public. The term also covers activity where the information derived from it is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Cybersecurity expert, Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, commented on the announcement: “This is a historical moment for many security researchers whose voices were silenced by vendors and organisations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data.

“On the other side, the DoJ may unwittingly open a Pandora’s box: the definition of ‘good faith’ could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cybercriminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement.”

Previous Media Publications:

Security Boulevard: DoJ Decision Gives Good Faith Hackers Relief From CFAA

Infosecurity Magazine: DoJ: White Hat Hackers Will No Longer Face Prosecution
