19. May 2022
The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The Department of Justice (DOJ) today announced a new policy under which it will not bring CFAA prosecutions against those engaged “solely” in “good faith” security research.
It’s an important step forward that the DOJ recognizes the invaluable contribution security research makes to strengthening the security of messaging and social media applications, financial systems, and other digital systems used by hundreds of millions of people every day. But its new policy, which is only an agreement for the DOJ to exercise restraint, falls far short of protecting security researchers from overzealous threats, prosecutions, and the CFAA’s disproportionally harsh prison sentences. We still need comprehensive legislative reform to address the harms of this dangerous law.
In part, DOJ’s policy change is forced by the Supreme Court’s ruling last year in Van Buren v. U.S., which provided clarification of the meaning of “exceeding authorized access” under the CFAA. The law makes it a crime to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain . . . information from any protected computer,” but does not define what authorization means. Previously, the law had been interpreted to allow criminal charges against individuals for violating a website’s terms of service or violating an employer’s computer use policy, leading to