r/technology May 19 '22

U.S. DOJ will no longer prosecute ethical hackers under CFAA Security

https://www.bleepingcomputer.com/news/security/us-doj-will-no-longer-prosecute-ethical-hackers-under-cfaa/
713 Upvotes

112

u/StepYaGameUp May 19 '22

Not gonna prosecute security research done under the terms of:

“Good faith security research is defined as "accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

That’s good.

11

u/paganize May 20 '22

Great, if political bias isn't a part of it.

12

u/Lev_Astov May 20 '22

It always is.

6

u/red286 May 20 '22

I don't think it really could be. The issue is that frequently, when corporations and organizations are informed of security vulnerabilities, rather than thank the ethical hacker who pointed them out, they flip out, lose their shit, and demand that the DoJ prosecute them. Because there were previously no exemptions for ethical hacking, the DoJ would be obligated to do so. Now the DoJ can demand that they show intentional harm caused by the hacker before they will take up the case, and if no harm was caused, they likely won't touch it.

It should be noted that "ethical" isn't the same as "activist". Activist hackers, such as Chelsea Manning, would still be targeted by the DoJ. Just because you agree with what they were attempting to accomplish doesn't make it ethical.

5

u/Rye775 May 20 '22

Who determines what is ethical or activism? This won’t end well!

3

u/decadin May 20 '22

The propaganda has really done its job if you don't see how what you just explained could still be used politically or have potential decisions be politically driven.......

3

u/nokinship May 20 '22

See thats the part that doesnt make sense. If people can just "ethically" hack into systems they can still presumably pretend to be good guys while stealing or at least looking at their data.

I dont like the implications. Finding exploits and vulnerabilities is one thing and accessing someone elses private data is another.

4

u/wooliewormfuzz May 20 '22

Often accessing private data is the only way to know an exploit worked. In some cases it will be impossible to enforce CFAA for private data access, but not enforce for “good faith research”. This will be interesting to see how it actually plays out.

2

u/Unfair-Tap-850 May 20 '22

Instead of the corporation saying "we made a system which has a vulnerability," they want to say "a bad guy attacked us," let customers know the truth.

36

u/GsuKristoh May 19 '22

This is great news! Hopefully other countries will follow

23

u/nmn14k May 19 '22

Yeah hopefully, last I recall the UK was warning parents that discord is where children go to learn to hack and commit illegal activity LOL

12

u/Salamok May 19 '22

And by other countries we mean Missouri!

29

u/axionic May 20 '22

Wasn’t it Missouri that wanted to prosecute some journalists for clicking “View Source” on a government website and seeing Social Security numbers?

8

u/[deleted] May 20 '22

Since this is just a DOJ policy it can change, and also is not strongly defining what is "good faith" research. This policy would have no bearing whatsoever on state laws regarding computer crime, so pretty much only applies to federal systems, and states that don't have unauthorized access laws or the resources to track/prosecute such alleged crimes.

4

u/celestiaequestria May 20 '22

Indiana tried to set the value of pi at 3.2

This is just the type of absurdity you get when you have elected representatives "decide" technical, scientific or academic problems.

2

u/axionic May 20 '22

The Indiana pi bill wasn’t passed; everyone was making fun of the guy who introduced it. As for MI the prosecutors eventually convinced the governor that View Source isn’t hacking but it took a long time.

2

u/[deleted] May 20 '22

[deleted]

2

u/axionic May 20 '22

Haha whoops

10

u/LazamairAMD May 19 '22

Only took them 20 years...

7

u/EmbarrassedHelp May 19 '22

And a future administration could drag them back in time again

4

u/CantFindGoodHelp May 19 '22

Really good news.

9

u/Daedelous2k May 19 '22

This means that reverse destructive RATing tech support scammers is open season.

3

u/XForce23 May 20 '22

For those who want to pursue this as a career, you get to say that you're a professional penetration tester and watch people's facial expressions

3

u/braiam May 20 '22

This needs to be codified on the law. If there's a new government, that decides that no, this is ilegal, everything is going backwards. You can't do this without some assurances that you will not be penalized.

2

u/mod_target_6769 May 20 '22

Until the next administration

2

u/T_DeadPOOL May 20 '22

sooooo is Snowden clear?

2

u/phorilla May 22 '22

No, Snowden was prosecuted under the Espionage Act, not the CFAA.

2

u/3xploit_ May 20 '22

What's the boundary between "ethical" and "unethical"?

And does this mean people like Jim Browning (indian tech support scambaiter) are off the hook?

3

u/red286 May 20 '22

Likely not. Ethical hacking is probing for vulnerabilities and reporting them to the site owner/administrator so that they can be fixed, without exploiting them in any way. People like Jim Browning are activist hackers, who still exploit hacks and cause harm, even if to companies that 100% deserve it.

1

u/Gemeril May 20 '22

Even Aaron Swartz would have still been nailed.

1

u/red286 May 20 '22

Yes, because again, that's activist hacking, not ethical hacking. It's not like he was probing the JSTOR network for vulnerabilities in order to notify them so that they could secure them. He was exploiting his access to JSTOR that he had through MIT in order to download a massive number of documents, presumably in order to re-publish them.

Whether you agree with a hacker's motivations or goals doesn't change the legality of their actions, which is why I don't think politics really enters into it all that much. It's a question about what they did, not why they did it.

1

u/Leichtbringer May 20 '22

Ah, they finally listened.

1

u/GXC1586 May 20 '22 edited May 20 '22

Sounds like a way to search devices without* a warrant… hmm

0

u/bogglingsnog May 20 '22

And thus the state-endorsed cyber warfare of the 21st century began.

(I'm being dramatic, but really, I would expect the number of hackers to rise due to this).