How far can ‘good-faith’ hacking go? Experts question new DOJ guidance

The U.S. Justice Department last week softened its stance on prosecuting hackers under a decades-old law. Will the updates thaw DOJ’s relations with hacking communities famed for testing limits?

The Justice Department’s latest guidance for a foundational anti-hacking law has been lauded for distinguishing ethical security researchers from malicious hackers.

But the new policy for prosecuting cases under the 1986 Computer Fraud and Abuse Act (CFAA) is also raising questions about just how far well-meaning hackers can go in the name of securing a system without raising ire from law enforcement.

That’s because DOJ last week adopted a definition of “good-faith security research” that might cover everything from developing patches for vulnerable software to actively exploiting a vulnerability to secure a system. That definition has been the subject of years of debate, but it hasn’t been tested in court, which means the federal government’s line between good-faith security research and unauthorized hacking is still unclear.

“There is still a certain amount of legal risk of accessing computers without authorization” even for helpful ends, Harley Geiger, Rapid7's senior director of public policy, told README, “especially if you are testing the unclear limits of this policy change.”

Wrangling over a “correction”

“Rooting out vulnerabilities for the common good should be encouraged,” Deputy Attorney General Lisa Monaco said last Friday at an event hosted by the Institute for Security and Technology in Washington, D.C., “and our prosecutors and investigators stand ready to work with researchers when their insights lead to opportunities to fight back and ransomware and other cybercrime.”

The day before the event, DOJ formally updated its CFAA policy to adopt the same definition of “good-faith security research” used by the U.S. Copyright Office in a recent Section 1201 rulemaking on the Digital Millennium Copyright Act.

That definition states: “‘Good-faith security research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” It also features clauses about minimizing potential harm to the public and caveats on using any information gleaned from the activity.

But the exact nature of good-faith security research is still undefined, and what constitutes a “correction of a security flaw or vulnerability” is especially murky. Could someone write a worm that installs a patched version of vulnerable software on any of the systems it compromises, or take other proactive but intrusive steps to improve a third-party system’s security?

Exploiting a vulnerability to patch a vulnerability

Kevin Poulsen, an investigative journalist who authored “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground,” recounted how hacker Max Butler wrote a worm that exploited the BIND/named vulnerability to install a patched version of the software in 1998.

Poulsen said in 2001 that this could have been “an unsullied act of mass guerilla patching — a relatively harmless hack that would have left the Internet a little more secure, while dappling only a few spots of gray on Butler’s white hat,” if only the worm didn’t also give Butler a backdoor into the now-patched servers. It’s clear that he’d crossed the line of “good-faith security research” — but at what point in the process?

“The definition [of good-faith security research] under Section 1201 has not been litigated,” Geiger said. “The DOJ is borrowing this definition, and it has not gone through the crucible of litigation to figure out the limits of each of these words. I think it’s unclear whether or not this is authorizing something more active.”

Electronic Frontier Foundation senior staff attorney Andrew Crocker agreed that this definition is still ambiguous. “I don’t know if that language has ever been interpreted definitively,” Crocker told README, “but I take it to mean research in order to develop a patch.”

So what happens if a well-intentioned hacker decides to proactively defend a system they don’t own?

Geiger stressed that the DOJ policy change doesn’t prevent organizations from filing civil suits under the CFAA, and that even if this understanding of good-faith security research does cover proactive measures, researchers could still run afoul of state laws. In other words, attempting to address a vulnerability by exploiting that vulnerability is not advisable.

The DOJ didn’t respond to our requests for comment.

Other changes

The updated policy also requires prosecutors to consult with the Computer Crime and Intellectual Property Section (CCIPS) of DOJ’s Criminal Division in certain CFAA cases, encourages them to confer with the Computer Hacking and Intellectual Property Coordinator (CHIP) in their districts to assist with investigations, and prevents them from charging people with “exceeding authorized access” without approval from the Office of the Deputy Attorney General.

This seems to be a win for U.S. security researchers. The possibility of being charged under the CFAA has long deterred hackers from conducting — or at least publishing — security research on technologies from particularly litigious companies. Now there are more protections in place for researchers who can prove they didn’t poke around software products with malicious intent.

But though there may be more wiggle room under the new policy, cybersecurity researchers still have to worry about the CFAA.

The DOJ’s new policy “falls far short of protecting security researchers from overzealous threats, prosecutions, and the CFAA’s disproportionally harsh prison sentences,” Crocker said in a blog post. “We still need comprehensive legislative reform to address the harms of this dangerous law.”

Crocker wasn’t alone in that assessment.

“Our initial reaction to the news was that it’s very welcome and a pretty balanced change,” Geiger said. “It’s not a complete solution to different problems under the CFAA, but this is also the DOJ doing what it can do with the authorities that it has, absent Congress getting involved.”