A major reversal by the U.S. Department of Justice on how it views good-faith security research is expected to be warmly welcomed by the cybersecurity community.
On Thursday, the DOJ announced a new policy that "for the first time directs that good-faith security research should not be charged" under the Computer Fraud and Abuse Act, according to a news release.
The act has long been controversial among cybersecurity professionals, particularly following the death of Reddit co-founder Aaron Swartz, who died by suicide in 2013 after facing severe legal issues for downloading documents from a server at MIT.
The DOJ said the new policy aims to ensure that the agency focuses only on specific kinds of Computer Fraud and Abuse Act cases. "The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged," the DOJ said in the release.
The news release says the agency will focus on cases where "a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails."
"However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith," the DOJ said in the release.