“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Deputy Attorney General Lisa Monaco said in a statement.
The revised policy directs federal prosecutors to avoid bringing cases if individuals accessed computers to test, investigate or correct vulnerabilities “in a manner designed to avoid any harm to individuals or the public.”
The computer-fraud law, which was enacted in 1986, prohibits accessing a computer “without authorization” or in a manner that “exceeds authorized access.” People who violate the law can be sentenced to as many as 10 years in prison.
Critics in the cybersecurity industry say the language is ambiguous and could be used to prosecute routine activity by people including white-hat hackers, tech researchers or users who inadvertently violate online platforms’ terms of service. Some warn that the legal threat could also have a chilling effect on researchers who find and report software flaws to developers.
In recent years, federal officials have sought to beef up their cyber capabilities amid a sharp rise in public- and private-sector cyber threats such as ransomware. The Justice Department said Thursday that the policy change would bolster those efforts by providing security researchers legal clarity.
“However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith,” the Justice Department said.
The agency’s change doesn’t preclude companies from bringing civil cases against researchers, or prevent individuals from facing prosecution under state law. While Congress hasn’t addressed such aspects of the law, federal courts have begun to re-examine its application.
The Supreme Court last year narrowed the law’s scope, ruling that it didn’t cover instances in which people use their authorized computer access for improper purposes. The 6-3 decision held that a Georgia police officer violated his department’s policy—but didn’t break the anti-hacking law—by running a license-plate check with a law-enforcement database in return for cash.
Writing in the majority opinion in that case, Justice Amy Coney Barrett said that reading the statute broadly “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”
Write to David Uberti at david.uberti@wsj.com