DOJ: Good faith security research ‘shouldn’t be charged for’

Earlier this month, the US Department of Justice (DOJ) announced a revised policy on charging violations of the Computer Fraud and Abuse Act, which essentially “urge[s] prosecutors to restrict their enforcement of the nation’s top anti-piracy law in an effort to protect legitimate researchers investigating the technology for security flaws,” reports WSJ.

“Computer security research is a key driver for improving cybersecurity,” Assistant Attorney General Lisa O. Monaco said in a statement.

“The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity to bona fide security researchers who eliminate vulnerabilities for the common good.”

Read the review here.

What is “good faith security research”?

Good Faith Security Research, as reported in October 2021, is defined as follows:

  • Access a computer solely for the purpose of testing, investigation and/or good faith correction of a security breach or vulnerability, when this activity is carried out in a manner designed to prevent harm to persons or the public, and where information derived from the activity is used primarily to promote the safety or security of the class of devices, machines or online services to which the consulted computer belongs, or those who use these devices, machines or online services.

“Not a free pass”

The May 2022 DOJ statement continues:

“However, the new policy recognizes that pretending to conduct security research is not a pass for those who act in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if doing so is claimed to be ‘research’, is not bona fide. The policy advises prosecutors to consult with the Computer Crimes and Intellectual Property Section (CCIPS) of the Criminal Division on specific applications of this factor.”

Get Flashpoint on your side

It is essential to work with an organization that understands these challenges, both legal and logistical, and navigates them with precision to ensure that all activities are on top of everything, while mitigating risks for the private and public sectors. Request your free trial of Flashpoint today.

More resources

Recommended reading: US Department of Justice shares best practices for collecting threat intelligence

Related Reading: Hot spot assistance in numerous law enforcement investigations

Related Reading: Hacker Lexicon: What is the Computer Fraud and Abuse Act? (CABLE)

Related Reading: Original Text: Computer Fraud and Abuse Act of 1986 (Congress)
