The U.S. Department of Justice revises its policy regarding charging violations of the CFAA. Good faith security research will no longer be charged.

The U.S. Department of Justice (DOJ) has revised its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA), stating that good faith security research does not warrant federal criminal action. Effective immediately, all federal prosecutors who wish to charge cases under the CFAA are required to follow the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges, the DOJ said. However, the DOJ also acknowledged that claiming to be conducting security research is not a free pass for those acting in bad faith.

Good faith research key to cybersecurity advancement

In a press release on its website, Deputy Attorney General Lisa O. Monaco said that computer security research is a key driver of improved cybersecurity.
“The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good faith security researchers who root out vulnerabilities for the common good.”

The DOJ defined good faith security research as, “Accessing a computer solely for purposes of good faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The updated policy reflects the department’s goals to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.

New CFAA charge limitations come into play

Along with establishing that good faith security research will not be charged under the CFAA, the DOJ outlined several other scenarios that are not themselves sufficient to warrant federal criminal charges and should also not result in punishment.
These include:

Embellishing an online dating profile contrary to the terms of service of the dating website.
Creating fictional accounts on hiring, housing or rental websites.
Checking sports scores at work, paying bills at work, or violating an access restriction contained in a term of service.

“The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer – such as one email account – and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”

However, the DOJ acknowledged the potential for abuse surrounding the new policy, adding that it is not a “free pass” for those acting in bad faith. “For example, discovering vulnerabilities in devices to extort their owners, even if claimed as ‘research,’ is not in good faith,” it said.