
posted by janrinok on Monday May 23 2022, @09:28AM
from the threw-on-my-white-hat dept.

DOJ Announces It Won't Prosecute White Hat Security Researchers:

On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law the Computer Fraud and Abuse Act (CFAA).

The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

[...] For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that "Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work."

Andrew Crocker, a senior staff attorney on the EFF's civil liberties team told Motherboard in a statement "We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on 'unauthorized access'—deters researchers from discovering and disclosing vulnerabilities in these systems."

He said that the new policy does not go far enough. "By exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform."

The announcement provided an example of the sort of 'research' that would be considered bad faith and could still face charges. "Discovering vulnerabilities in devices in order to extort their owners, even if claimed as 'research,' is not in good faith," it reads.


Related Stories

Op-Ed: Charges Against Journalist Tim Burke Are a Hack Job 35 comments

https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/

Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?

If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

  • (Score: 4, Funny) by inertnet on Monday May 23 2022, @09:50AM (2 children)

    by inertnet (4071) on Monday May 23 2022, @09:50AM (#1247176) Journal

    Ordering a white hat right now.

  • (Score: -1, Redundant) by Anonymous Coward on Monday May 23 2022, @12:07PM

    by Anonymous Coward on Monday May 23 2022, @12:07PM (#1247188)

    If the law is written in such ambiguous terms that it is not clear if you violated it,
    perhaps the benefit of the doubt should be to the supposed violator.

    Is this a case of DOJ choosing not to go after folks who clearly broke the law with good intentions (and often good results),
    or of not going after folks who did something for which the law is unclear?

  • (Score: -1, Troll) by Anonymous Coward on Monday May 23 2022, @12:34PM (1 child)

    by Anonymous Coward on Monday May 23 2022, @12:34PM (#1247195)

    Russian spy: "Is OK, I am white hat researcher".
    Sleepy Joe: "That's nice, keep up your good faith penetration testing of the US government's networks".

    • (Score: 0) by Anonymous Coward on Monday May 23 2022, @05:39PM

      by Anonymous Coward on Monday May 23 2022, @05:39PM (#1247267)

      Runaway1956: hurrr durrr night felicia

  • (Score: 5, Insightful) by JoeMerchant on Monday May 23 2022, @03:29PM (6 children)

    by JoeMerchant (3937) on Monday May 23 2022, @03:29PM (#1247236)

    So, people can still file complaints, you can still be arrested, what you are doing is still considered illegal, but we say - for now - that we won't prosecute.

    It's better than nothing, but hardly the kind of assurance that big businesses are built on.

    --
    🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Monday May 23 2022, @05:55PM (1 child)

      by Anonymous Coward on Monday May 23 2022, @05:55PM (#1247269)

      How do you get around it? Can you be certain someone is doing innocent penetration testing and not nabbing some sensitive files at the same time? How would you prove a good hacker stole anything if they hide their tracks perfectly and claim being a white hat running checks? I simply see no easy way around the issue, and any white hats should have something in writing from their clients before doing any testing. Or the government can create a site where you can register your intent to test security measures. No perfect answer that I can imagine.

      • (Score: 2) by JoeMerchant on Monday May 23 2022, @07:23PM

        by JoeMerchant (3937) on Monday May 23 2022, @07:23PM (#1247294)

        any white hats should have something in writing from their clients before doing any testing.

        I think that really covers it. If you have written permission/authority from the target of the hacking, nothing you do should be prosecutable - ever. The problem comes in when attack vectors might involve compromise of systems which are partly or completely owned by others who it is not practical to get permission from - even though they're not the end-goal of the hacking they need to be hacked along the way to effect access to the target. Control of a DDOS bot-net comes to mind as one type of attack that's hard to accurately simulate with permission, there are millions more scenarios that might apply - that's the whole point of security, you don't just have to make one thing work, you have to protect against ALL the bad things.

        --
        🌻🌻 [google.com]
    • (Score: 2) by DannyB on Monday May 23 2022, @06:48PM (1 child)

      by DannyB (5839) Subscriber Badge on Monday May 23 2022, @06:48PM (#1247284) Journal

      Agree.

      I was going to point out that this announcement, however good sounding, does not change the law. It did not suddenly make this legal (even if it is morally okay to do security research).

      It just highlights the ineptitude of legislators trying to pass laws governing things they know nothing about.

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 2) by JoeMerchant on Monday May 23 2022, @07:18PM

        by JoeMerchant (3937) on Monday May 23 2022, @07:18PM (#1247292)

        The problem is, this isn't something innocuous like topless sunbathing on South Beach in Miami. Hacking (regardless of hat color) can carry scary-big penalties, and there are extremely important tangible benefits to supporting White Hat security research as a commercial endeavor. Keeping the laws on the books that can do all those scary things to security researchers and their employers puts a serious chill on development of the industry.

        --
        🌻🌻 [google.com]
    • (Score: 2) by sjames on Monday May 23 2022, @07:47PM (1 child)

      by sjames (2882) on Monday May 23 2022, @07:47PM (#1247300) Journal

      It's worse. Read that as won't prosecute... unless they do. I don't think an announced policy to not prosecute is all that binding, especially when they can point out any vanishingly subtle nuance as an excuse.

      It provides all the comfort and assurance as if a 16 year old in the neighborhood anxiously offers to watch the keys to your brand new sports car while you go on vacation.

      • (Score: 2) by JoeMerchant on Monday May 23 2022, @08:57PM

        by JoeMerchant (3937) on Monday May 23 2022, @08:57PM (#1247319)

        I'm guessing it's a form of political appeasement... somebody is getting a bigger campaign contribution because this announcement made the donor feel better.

        --
        🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Monday May 23 2022, @09:23PM

    by Anonymous Coward on Monday May 23 2022, @09:23PM (#1247327)

    So, when is congress going to fix the law so the DOJ can't prosecute security researchers? Let's fire congress if they're not going to do their job!

  • (Score: 0) by Anonymous Coward on Monday May 23 2022, @10:24PM

    by Anonymous Coward on Monday May 23 2022, @10:24PM (#1247337)

    What exactly is an exception for white hats supposed to look like, legally speaking?
    Can I go to the government and get a white hat license, and then I am allowed to access any computer I want without the owner's permission?
    Or does the government need to prove malice for each charge against me?
    Or do I need to prove that I was wearing my white hat for each charge against me?
    I don't have a good answer to these questions. And without a good answer, "the prosecutor will use their own discretion" seems as good to me as any of the other available answers.
