Blog

DOJ: Good-Faith Security Research ‘Should Not Be Charged’

May 31, 2022
DOJ Good Faith Security

Earlier this month, the U.S. Department of Justice (DOJ) announced a revised policy regarding charging violations of the Computer Fraud and Abuse Act, which essentially “urge[s] prosecutors to narrow their enforcement of the nation’s main anti-hacking law in a bid to protect legitimate researchers who probe technology for security flaws,” reports WSJ

“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in a statement

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

It is critical to work with an organization that understands these challenges both legally and logistically, and navigates them with precision to ensure all activities are above board, while mitigating risk for private and public sectors.

Read the revision here.

What is ‘good-faith security research’?

Good-faith security research, as outlined in October 2021, is defined as:

  • Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services. 

‘Not a free pass’

The DOJ’s May 2022 statement continues:

“However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith. The policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) about specific applications of this factor.

Get Flashpoint on your side

It is critical to work with an organization that understands these challenges both legally and logistically, and navigates them with precision to ensure all activities are above board, while mitigating risk for private and public sectors. Request your free Flashpoint trial today

More resources

Recommended reading: U.S. Department of Justice Shares Best Practices for Gathering Threat Intelligence

Related reading: Flashpoint assistance in numerous law enforcement investigations

Related reading: Hacker Lexicon: What Is the Computer Fraud and Abuse Act? (WIRED)

Related reading: Original text: Computer Fraud and Abuse Act of 1986 (Congress)

Begin your free trial today.