A revision to the U.S. Department of Justice’s guidelines on prosecuting violations of the Computer Fraud and Abuse Act (CFAA) emphasizes that those conducting security research in good faith will not be prosecuted, even where their activities amount to accessing computers “without authorization” under the CFAA. Yet the policy clarifies that claiming to be engaged in security research is not a free pass for those acting in bad faith. Security researchers can benefit from the policy only where their research is carried out in a manner designed to avoid any harm to individuals or the public, and where the information they obtain from their research activity is used primarily to promote the security or safety of devices, machines, and online services.
The policy also provides several examples of hypothetical fact patterns that have concerned courts before but will not be prosecuted. These include creating online dating profiles that violate the dating website’s terms of service; using a pseudonym on a social network; and checking sports scores or paying bills at work where these activities are prohibited by the employer’s Internet use policy.