DOJ won't prosecute white hat hackers

Good-faith security researchers who probe or hack systems to point out vulnerabilities and help organizations patch them will no longer face charges.

On Thursday, the Department of Justice (DOJ) announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The CFAA often threatened security researchers who penetrated systems to help companies and organizations improve their security.

"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa O. Monaco. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

The CFAA used to be a significant headache for white hat hackers in the US. It was adopted in 1986 and partly inspired by the movie WarGames (1983), starring Matthew Broderick. He plays a hacker who infiltrates government systems, gains control over the US nuclear arsenal, and nearly causes a large-scale nuclear war.

The problem is that this law did not differentiate between the many ways in which you might have a legitimate reason to access somebody else's computer. Ethical hacking means looking for the weak points in systems and informing the owners.

The intent is to disclose the findings so they can be fixed before a less ethical counterpart comes around. So-called white-hat hackers often act with permission and give detailed reports on the level of risk. They are a comprehensive tool for testing the defensive measures of your organization.

"However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as 'research,' is not in good faith," DOJ said.

The new policy replaces an earlier policy issued in 2014 and takes effect immediately.

The sentiment towards white hat hackers has been shifting for quite some time. It's common to hire companies for penetration testing, and independent bug bounty hunters have found their niche too. Many big companies, such as Apple and Google, have implemented bug bounty programs. The Pentagon's “Hack the Pentagon” bug bounty program was a turning point, and now more organizations are interested in working productively with hackers.

Loss of life

“Security research depends on accessing other peoples’ computers because you cannot tell if a system is secure unless you do that. I think it has problems with just how the internet works. When the consequences of that are severe criminal penalties, it becomes a huge problem,” said Cindy Cohn from the Electronic Frontier Foundation.

Severe criminal penalties were only one side of the coin. As a result of this “bad law,” we have also lost lives. According to the Washington Post, programmer and Reddit co-founder Aaron Swartz killed himself amid "a lengthy legal battle over charges related to his bulk-downloading of documents from an academic database while connected to MIT's network."

“Aaron committed suicide rather than face the very severe penalties of American anti-hacking laws. It is important that we recognize the stakes of having overbroad laws. It is not just people who go to jail who should not. We also have lost lives as a result of this bad law. That is enemy number one,” Cohn said.

After the tragic loss, Aaron's Law Act of 2013 was drafted to amend provisions of the Computer Fraud and Abuse Act. It defined “exceeding authorized access” much more clearly, but it was never passed by Congress.