The Department of Justice Revised the Computer Fraud and Abuse Act to Permit Good-Faith Computer Security Research

cageymaru

The Department of Justice has formally acknowledged the role that computer security researchers play in testing the safety of networks, devices, and online services. The DOJ has announced that the Computer Fraud and Abuse Act (CFAA) has been revised to recognize the importance of good-faith computer security research. Courts were confused as to the difference between malicious hacking and computer security research which seeks to discover vulnerabilities and report them for the purpose of better cyber-security. This change in the law does not give carte blanche authority to malicious hackers who would extort companies and then claim they were acting in good faith. I think this is a great change that clarifies what is acceptable for courts to pursue.

“Computer security research is a key driver of improved cybersecurity,” said Deputy Attorney General Lisa O. Monaco. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.
 
Doesn't affect state-level charges, but still good. Can't help but feel this was in response to that Missouri governor threatening to charge a reporter for exposing a basic website flaw — sorry, sir, but you can't level hacking charges against someone who was actually doing you a favor.
 
Doesn't affect state-level charges, but still good. Can't help but feel this was in response to that Missouri governor threatening to charge a reporter for exposing a basic website flaw — sorry, sir, but you can't level hacking charges against someone who was actually doing you a favor.
Well that, and if it’s the story I’m thinking of, looking at the code that’s from the site isn’t even hacking anyway. The schmuck didn’t even know about “view html”; available in literally all browsers.

Edit: this one: https://arstechnica.com/tech-policy...t-illegal-or-hacking-prof-tells-missouri-gov/
 
Precisely. "View Page Source" is not a hacking tool.
This is where it would be nice to see some representation in our republic that has at least a rudimentary understanding of the legislation they enact or the laws they are responsible to uphold - or people that are not so arrogant as to believe that they know all things without accepting input from those with more knowledge.
 
This is where it would be nice to see some representation in our republic that has at least a rudimentary understanding of the legislation they enact or the laws they are responsible to uphold - or people that are not so arrogant as to believe that they know all things without accepting input from those with more knowledge.
I feel like this is applicable to most situations these days unfortunately.
 
Well that, and if it’s the story I’m thinking of, looking at the code that’s from the site isn’t even hacking anyway. The schmuck didn’t even know about “view html”; available in literally all browsers.

Edit: this one: https://arstechnica.com/tech-policy...t-illegal-or-hacking-prof-tells-missouri-gov/

Apparently Governor Parson is still doubling down on his accusations despite his own departments whom he tasked to investigate finding no hacking occurred. His own advisors apparently told him they wanted to thank rather than investigate these people. The guy is on a power trip.
 
A regulatory agency cannot "revise" legislation. That requires new legislation. A court decision can invalidate or establish a precedent for the application of legislation.

A regulatory agency can only change their interpretation of legislation. The problem with that is that they can change it again or "selectively enforce" depending on who runs the agency.
 
This is where it would be nice to see some representation in our republic that has at least a rudimentary understanding of the legislation they enact or the laws they are responsible to uphold - or people that are not so arrogant as to believe that they know all things without accepting input from those with more knowledge.
We're in a "post-truth" nation where whatever you believe 'is the truth'. Or more to the point, whatever you can convince others is the truth is just as valid as the truth. Truth is about popularity not definitions or about what in fact happened.
tl;dr: he's just operating like every other politician, and politicians aren't particularly interested in anything that doesn't meet their agenda.

Apparently Governor Parson is still doubling down on his accusations despite his own departments whom he tasked to investigate finding no hacking occurred. His own advisors apparently told him they wanted to thank rather than investigate these people. The guy is on a power trip.
I hope he takes them to court so the judge can laugh in his face for the frivolous lawsuit.
 
We're in a "post-truth" nation where whatever you believe 'is the truth'. Or more to the point, whatever you can convince others is the truth is just as valid as the truth. Truth is about popularity not definitions or about what in fact happened.
tl;dr: he's just operating like every other politician, and politicians aren't particularly interested in anything that doesn't meet their agenda.


I hope he takes them to court so the judge can laugh in his face for the frivolous lawsuit.

I hope the researcher and journalist go through with a defamation lawsuit against him and win.
 
I hope the researcher and journalist go through with a defamation lawsuit against him and win.
Are they going against him personally? Or the position he holds? If it's the latter it's just a matter of funneling taxpayer money from regular citizens to him and his lawyer(s), if it's the former... well they'll probably also try to get the taxpayers to pay for it in some way.

Either way if politicians would just admit they were wrong every now and then we wouldn't be into issues like this.
 