Tag Archive for: bode

Recent legal developments bode well for security researchers, but challenges remain


Despite the hoodie-wearing bad guy image, most hackers are bona fide security researchers protecting users by probing and testing the security configurations of digital networks and assets. Yet the law has often failed to distinguish between malicious hackers and good-faith security researchers.

The law's treatment of the two hacker camps has, however, improved over the past two years, according to Harley Geiger, an attorney with Venable LLP, who serves as counsel in the Privacy and Data Security group. Speaking at ShmooCon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that minimize security researchers’ risks.

“Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research,” he said. Specifically, in the US, three things have evolved in favor of hackers: the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers; the Department of Justice’s (DOJ’s) charging policy under the CFAA; and the Digital Millennium Copyright Act. However, laws at the US state level affecting hackers and China’s recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.

Computer Fraud and Abuse Act changes

The CFAA was enacted in 1986 as an amendment to the Comprehensive Crime Control Act and was the first US federal law to address hacking. “The CFAA has been the boogeyman for the community for quite a long time,” Geiger said. “It’s maybe the most famous anti-hacking law. This is a criminal law and a civil law, and that’s important to remember. You can be prosecuted under the CFAA criminally, and you can also be threatened with private lawsuits.”

The CFAA prohibits several things, including accessing a computer without authorization and exceeding authorized access to a computer. “That phrase, exceeding authorized access to a computer, is really important,” Geiger said. “It used to mean that if you were authorized to use a computer for one thing, but then you used it for another purpose, something that you weren’t authorized to do on the computer that you were allowed to use, then that may…


Intel’s chip vulnerabilities don’t bode well for the spread of ransomware

  1. Intel’s chip vulnerabilities don’t bode well for the spread of ransomware (CSO Online)
  2. Congressman wants answers from Intel, AMD on far-reaching chip flaws (Silicon Valley Business Journal)
