Security experts will not be charged with hacking crimes, according to the Justice Department

The US Department of Justice has stated that it will not prosecute “good-faith security research” under anti-hacking legislation, addressing long-standing worries about the Computer Fraud and Abuse Act (CFAA). Prosecutors are also told not to charge someone merely for violating a website’s terms of service — including minor infractions such as exaggerating a dating profile — or for using a work computer for personal purposes.

Following a Supreme Court ruling in 2021 that supported reading the legislation more narrowly, the new DOJ guideline tries to ease concerns about the CFAA’s broad and ambiguous application. The court warned that the government’s former view risked criminalizing a “breathtaking quantity of routine computer activity,” outlining five hypothetical cases that the DOJ now says it will not prosecute. This change is accompanied by a safe harbor for researchers covering “good-faith testing, investigation, and/or rectification of a security defect or vulnerability.” The new standards go into effect right away, replacing prior ones from 2014.

According to a DOJ press release, “the policy underscores that potential CFAA violations that have troubled some courts and pundits will not be charged.” “Creating a fictional account on a hiring, housing, or rental website; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service is not sufficient to warrant federal criminal charges.”

The CFAA criminalized “exceeding allowed access” to a computer in 1986, and these rules reflect a newly constrained interpretation of the term. As writer and law professor Orin Kerr said in 2021, there has been a decades-long debate about whether someone can “exceed” their access by breaking any rule set by a network or computer owner — or only by accessing systems and information that are specifically off-limits. The former approach has resulted in cases such as US v. Drew, in which prosecutors accused a woman of creating a phony Myspace profile. The Supreme Court favored the latter interpretation, and the Department of Justice now does as well.

The policy does not address every complaint about the CFAA, such as the possibility of excessively long jail sentences. It has no effect on the underlying statute; it only changes how prosecutors apply it. The Department of Justice further emphasizes that the security research exception is not a “free pass” to probe networks. Someone who discovered a problem and used that information to extort the system’s owner, for example, could be found to have conducted research in bad faith and be prosecuted. Despite these restrictions, the policy is a commitment not to impose harsh anti-hacking penalties on someone simply for using a computer system in a way its owner does not approve of.