US DOJ Will No Longer Prosecute “Good Faith” Hackers

Many companies hire ethical hackers (known as white-hat hackers) to penetration-test their systems. This helps them identify any potential vulnerabilities that they need to patch before cybercriminals (black-hat hackers) discover them. Plenty of white-hat hackers also operate independently and try to find flaws in systems in their free time.

Until now, the US Department of Justice has prosecuted hackers who infiltrate security systems solely in order to identify flaws. The Computer Fraud and Abuse Act (CFAA) made no allowances for non-malicious hackers. The DOJ recently changed the legislation to state that “good-faith security researchers” should not be prosecuted.

From now on, hackers who find security flaws in order to secure vulnerable systems are unlikely to be charged with a federal offense in the US.

Good-Faith Hackers Are Free to Legally Carry on Their Work

Previously, the CFAA determined that any unauthorized access was a criminal offense, regardless of the intent or outcome. In 2021, the Supreme Court scrutinized the CFAA law and agreed that its definition was too limited in scope. The court ruled that the law was outdated and needed to be amended to include scenarios that we regularly come across today.

This was the first time courts had reviewed the CFAA since it was first introduced in 1986 – before the internet really took off. It’s been a long and arduous journey for white-hat hackers who’ve had to work with the threat of arrest haunting their every keystroke.

The last few years have seen multiple cases where authorities accused ethical hackers of illegal activities. Many have stories similar to British security researcher Marcus Hutchins, who played a key role in shutting down the devastating WannaCry attack. The FBI arrested him in 2017.

The DOJ defines good-faith security research as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.”

The DOJ has now amended the CFAA to include less ambiguous wording and make allowance for good-faith security research. Unfortunately, that still doesn’t mean white-hat hackers like Hutchins will be free to work without fear.

Legal Doesn’t Mean Safe or Free From Prosecution

Security researchers have long lived in fear that authorities or prosecutors will misinterpret their work. That hasn’t changed. The amendments to the CFAA don’t prevent authorities from arresting or prosecuting white-hat hackers, although they will need more justification before making an arrest.

It’s still entirely possible authorities will fail to recognize the complexity or minutiae of a case, as has happened in the past.

For now, we’re left to see whether the amendments will lead to real change. The DOJ claims it doesn’t want to waste resources chasing innocent hackers when cybercrime continues to be a massive problem.


Yet security researchers who act in the service of good will need to continue documenting their every move lest they become a target. If arrested, it would be up to them to prove that they were acting in good faith. Even then, prosecutors might disagree. While researchers don’t create code for malicious purposes, cybercriminals often use their code in malware and attacks.

It’s also unclear how this will affect gray areas like hacktivism (hacker activism). Hacktivists claim to work for the greater good, but their targets are often large companies that would ardently disagree. That leaves the CFAA open to interpretation. Based on historical actions, authorities would likely favor the victim’s narrative over that of the hacker.
