The Department of Justice has formally acknowledged the role that computer security researchers play in testing the safety of networks, devices, and online services. The DOJ has announced that the Computer Fraud and Abuse Act (CFAA) has been revised to recognize the importance of good-faith computer security research. Courts were confused as to the difference between malicious hacking and computer security research, which seeks to discover vulnerabilities and report them for the purpose of better cyber-security. This change in the law does not give carte blanche to malicious hackers who would extort companies and then claim they were acting in good faith. I think this is a great change that clarifies what is acceptable for courts to pursue.
“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.
