Want CNET to notify you of price drops and the latest stories?

DOJ Says It Won't Go After 'Good Faith' Hackers

The new directive comes less than a year after the Supreme Court narrowed the Computer Fraud and Abuse Act.

Marcos Cabello
Marcos Cabello
Marcos Cabello
Based in Boston, Marcos Cabello has been a personal finance reporter for NextAdvisor and CNET. Marcos has covered cryptocurrency, investing, banking, and the US economy, among other personal finance subjects. If you don't find Marcos behind his computer screen, you'll probably find him behind another screen, playing the newest Nintendo Switch title, streaming the latest TV show or reading a book on his Kindle.
Marcos Cabello
Merrick Garland stands in front of Department of Justice emblem.

US Attorney General Merrick Garland.

Olivier Douliery/Getty Images

The Department of Justice on Thursday revised its policy concerning the nation's premier anti-hacking law, the Computer Fraud and Abuse Act. The department is instructing prosecutors not to use the CFAA to prosecute cybersecurity researchers, sometimes dubbed "white hat hackers," who have good faith intentions to improve technology.

The CFAA is a federal statute, enacted in 1986, that prohibits accessing a computer without authorization or in excess of authorization given. The law has long been criticized for overly broad and ambiguous language as to what constitutes authorized access to a protected computer, or what it means to exceed that authorization.

Up until a Supreme Court case that narrowed the scope of the law last year, concerns were raised that the act could allow prosecution for seemingly innocuous activity, such as sharing a Netflix password or using a work Zoom account to make a personal call.

With the DOJ's revised policy, things are getting even more refined, taking pressure off of cybersecurity researchers who are trying to better technology.

"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa Monaco in a press release. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."