
posted by janrinok on Monday May 23 2022, @09:28AM
from the threw-on-my-white-hat dept.

DOJ Announces It Won't Prosecute White Hat Security Researchers:

On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law, the Computer Fraud and Abuse Act (CFAA).

The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

[...] For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that "Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work."

Andrew Crocker, a senior staff attorney on the EFF's civil liberties team, told Motherboard in a statement: "We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on 'unauthorized access'—deters researchers from discovering and disclosing vulnerabilities in these systems."

He said that the new policy does not go far enough. "By exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform."

The announcement provided an example of the sort of 'research' that would be considered bad faith and could still face charges. "Discovering vulnerabilities in devices in order to extort their owners, even if claimed as 'research,' is not in good faith," it reads.


  • (Score: 4, Funny) by inertnet on Monday May 23 2022, @09:50AM (2 children)

    by inertnet (4071) Subscriber Badge on Monday May 23 2022, @09:50AM (#1247176) Journal

    Ordering a white hat right now.

  • (Score: -1, Redundant) by Anonymous Coward on Monday May 23 2022, @12:07PM

    by Anonymous Coward on Monday May 23 2022, @12:07PM (#1247188)

    If the law is written in such ambiguous terms that it is not clear if you violated it,
    perhaps the benefit of the doubt should be to the supposed violator.

    Is this a case of DOJ choosing not to go after folks who clearly broke the law with good intentions (and often good results),
    or of not going after folks who did something for which the law is unclear?

  • (Score: -1, Troll) by Anonymous Coward on Monday May 23 2022, @12:34PM (1 child)

    by Anonymous Coward on Monday May 23 2022, @12:34PM (#1247195)

    Russian spy: "Is OK, I am white hat researcher".
    Sleepy Joe: "That's nice, keep up your good faith penetration testing of the US government's networks".

    • (Score: 0) by Anonymous Coward on Monday May 23 2022, @05:39PM

      by Anonymous Coward on Monday May 23 2022, @05:39PM (#1247267)

      Runaway1956: hurrr durrr night felicia

  • (Score: 5, Insightful) by JoeMerchant on Monday May 23 2022, @03:29PM (6 children)

    by JoeMerchant (3937) on Monday May 23 2022, @03:29PM (#1247236)

    So, people can still file complaints, you can still be arrested, what you are doing is still considered illegal, but we say - for now - that we won't prosecute.

    It's better than nothing, but hardly the kind of assurance that big businesses are built on.

    --
    Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
    • (Score: 0) by Anonymous Coward on Monday May 23 2022, @05:55PM (1 child)

      by Anonymous Coward on Monday May 23 2022, @05:55PM (#1247269)

      How do you get around it? Can you be certain someone is doing innocent penetration testing and not nabbing some sensitive files at the same time? How would you prove a good hacker stole anything if they hide their tracks perfectly and claim being a white hat running checks? I simply see no easy way around the issue, and any white hats should have something in writing from their clients before doing any testing. Or the government can create a site where you can register your intent to test security measures. No perfect answer that I can imagine.

      • (Score: 2) by JoeMerchant on Monday May 23 2022, @07:23PM

        by JoeMerchant (3937) on Monday May 23 2022, @07:23PM (#1247294)

        any white hats should have something in writing from their clients before doing any testing.

        I think that really covers it. If you have written permission/authority from the target of the hacking, nothing you do should be prosecutable - ever. The problem comes in when attack vectors might involve compromise of systems which are partly or completely owned by others who it is not practical to get permission from - even though they're not the end-goal of the hacking they need to be hacked along the way to effect access to the target. Control of a DDOS bot-net comes to mind as one type of attack that's hard to accurately simulate with permission, there are millions more scenarios that might apply - that's the whole point of security, you don't just have to make one thing work, you have to protect against ALL the bad things.

        --
        Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
    • (Score: 2) by DannyB on Monday May 23 2022, @06:48PM (1 child)

      by DannyB (5839) Subscriber Badge on Monday May 23 2022, @06:48PM (#1247284) Journal

      Agree.

      I was going to point out that this announcement, however good sounding, does not change the law. It did not suddenly make this legal (even if it is morally okay to do security research).

      It just highlights the ineptitude of legislators trying to pass laws governing things they know nothing about.

      --
      How often should I have my memory checked? I used to know but...
      • (Score: 2) by JoeMerchant on Monday May 23 2022, @07:18PM

        by JoeMerchant (3937) on Monday May 23 2022, @07:18PM (#1247292)

        The problem is, this isn't something innocuous like topless sunbathing on South Beach in Miami. Hacking (regardless of hat color) can carry scary-big penalties, and there are extremely important tangible benefits to supporting White Hat security research as a commercial endeavor. Keeping the laws on the books that can do all those scary things to security researchers and their employers puts a serious chill on development of the industry.

        --
        Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
    • (Score: 2) by sjames on Monday May 23 2022, @07:47PM (1 child)

      by sjames (2882) on Monday May 23 2022, @07:47PM (#1247300) Journal

      It's worse. Read that as won't prosecute...unless they do. I don't think an announced policy to not prosecute is all that binding, especially when they can point out any vanishingly subtle nuance as an excuse.

      It provides all the comfort and assurance as if a 16-year-old in the neighborhood anxiously offers to watch the keys to your brand new sports car while you go on vacation.

      • (Score: 2) by JoeMerchant on Monday May 23 2022, @08:57PM

        by JoeMerchant (3937) on Monday May 23 2022, @08:57PM (#1247319)

        I'm guessing it's a form of political appeasement... somebody is getting a bigger campaign contribution because this announcement made the donor feel better.

        --
        Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
  • (Score: 0) by Anonymous Coward on Monday May 23 2022, @09:23PM

    by Anonymous Coward on Monday May 23 2022, @09:23PM (#1247327)

    So, when is Congress going to fix the law so the DOJ can't prosecute security researchers? Let's fire Congress if they're not going to do their job!

  • (Score: 0) by Anonymous Coward on Monday May 23 2022, @10:24PM

    by Anonymous Coward on Monday May 23 2022, @10:24PM (#1247337)

    What exactly is an exception for white hats supposed to look like, legally speaking?
    Can I go to the government and get a white hat license, and then I am allowed to access any computer I want without the owner's permission?
    Or does the government need to prove malice for each charge against me?
    Or do I need to prove that I was wearing my white hat for each charge against me?
    I don't have a good answer to these questions. And without a good answer, "the prosecutor will use their own discretion" seems as good to me as any of the other available answers.
