DoJ Decision Gives Good Faith Hackers Relief From CFAA
Wednesday, May 25, 2022
After years of being hamstrung by the threat of prosecution under the Computer Fraud and Abuse Act (CFAA), security researchers and hackers operating in good faith have gotten some relief after the U.S. Justice Department said it would not bring charges against them using the law.
Calling the DOJ decision an “historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation,” Ilia Kolochenko, founder of ImmuniWeb, said it “will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now handle critical data.” But the public policy shift does not let researchers completely off the hook—they could still face charges from other quarters.
“Cybersecurity researchers should also bear in mind that, apart from the CFAA, they may face civil lawsuits, namely for breach of contract or intellectual property infringement,” said Kolochenko. “Moreover, due to the international nature of many tech vendors, criminal charges may be brought in other jurisdictions. Therefore, security research remains shark-infested waters.”
“The DoJ may unwittingly open Pandora’s box: The definition of ‘good faith’ could vary broadly among security researchers,” added Kolochenko.
“Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad—albeit sincere—interpretation of ‘good faith,’ or let creative cybercriminals off the hook,” he said. “We should wait for a couple of years to monitor the evolution of the CFAA enforcement.”