The United States government will no longer go after ethical hackers, reversing a policy in effect since 2014 that has had a chilling effect on security research.
All federal prosecutors who wish to pursue cases under the US Computer Fraud and Abuse Act (CFAA) must follow the new policy, which is effective immediately, the US Department of Justice decreed.
Prosecutors who wish to press CFAA charges must consult with the DoJ's computer crimes and intellectual property section in the department's criminal division.
Deputy attorney-general Lisa Monaco said the DoJ has never been interested in prosecuting good-faith computer security research as a crime.
The new policy clarifies which specific, hypothetical CFAA violations shouldn't be charged.
These include breaching sites' terms of service, such as embellishing online dating profiles, creating fictional accounts, using pseudonyms on social networks that prohibit such things, or violating access restrictions.
Such violations do not warrant federal charges, nor does checking sports scores or paying bills at work, the DoJ said.
The department warned that claiming to be conducting security research is not carte blanche for those acting in bad faith.
As an example, anyone who discovers vulnerabilities in devices in order to extort their owners would be deemed to act in bad faith, the new policy states.
The ambiguous CFAA has been used by powerful organisations and authorities to silence research and reporting on computer security.
In October last year, Missouri governor Mike Parson threatened to prosecute a journalist who had viewed the source code of the state's website and found it leaked social security numbers.
Enacted in 1986, the CFAA covers a range of computer crimes, with stiff penalties and prison sentences of up to 20 years for breaches.
Over the years, several people have been prosecuted under the CFAA, including Aaron Swartz, who was charged with 11 violations of the Act for downloading academic journal articles at MIT.
Swartz faced a cumulative penalty of a million dollars in fines and 35 years in prison, and committed suicide, after which the case against him was dismissed.