DOJ reverses controversial policy on cybersecurity prosecutions

The Department of Justice (DOJ) on Thursday announced that it would reverse its policy on issuing charges for violations of a federal computer fraud law, saying that it will not prosecute “good-faith security research” efforts.

The department announced the change in enforcement of the Computer Fraud and Abuse Act, defining good-faith research as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability” without any intention of harming the public. 

The new policy replaces the earlier one that was issued in 2014.  

“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa Monaco said in the DOJ’s release. 

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” Monaco added.

The DOJ specified that “claiming to be conducting security research is not a free pass for those acting in bad faith” and advised that prosecutors consult the Criminal Division’s Computer Crime and Intellectual Property Section should issues arise. 

Last year, Georgia police sergeant Nathan Van Buren successfully appealed his conviction under the Computer Fraud and Abuse Act to the Supreme Court.

While the Justice Department had argued that Van Buren should not have taken a bribe to access a woman’s license plate information in a 2015 FBI sting operation, the sergeant claimed that he had legitimate access to the database, even if he misused it.

Van Buren’s legal team argued that if a simple violation of the terms of a system is illegal under the Computer Fraud and Abuse Act, basic infractions like using work computers for personal use could be prosecuted.

Thursday’s updated policy specifically cited instances like “checking sports scores at work” or “paying bills at work,” saying that those issues “are not themselves sufficient to warrant federal criminal charges.”

Tags cybersecurity Department of Justice Department of Justice DOJ DOJ Lisa Monaco

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts

More Technology News

See All
See all Hill.TV See all Video

main area bottom custom html

MAIN Area bottom

Main area bottom

Top Stories

See All

Most Popular

Load more