What Security Researchers Need to Know About the Law
An Electronic Frontier Foundation lawyer explains the legal implications of hacking and how the Computer Fraud and Abuse Act (CFAA) fits in.

Security researchers often walk a very thin line between what is legal and what is illegal, and knowing the difference is not all that easy, especially given the current state of the law. So what do security researchers need to know about the law? Attorney Marcia Hoffman addressed that question during a pair of speaking sessions at the Black Hat and DEF CON security conferences last week.

While there are risks associated with computer security research and hacking, Hoffman, who works with the Electronic Frontier Foundation (EFF) and currently runs her own legal practice, said that the goal of her talk was not to scare people. Rather, her purpose is to increase awareness about some of the sticky situations the law can create.

The primary law that security researchers need to be concerned about is the Computer Fraud and Abuse Act (CFAA). Originally passed in 1984, the CFAA was a response to the movie War Games, according to Hoffman. Members of Congress apparently saw the movie and got worried, she said. The CFAA includes some provisions that criminalize unauthorized access to certain computers, with one provision stating, "It is illegal to intentionally access a computer without authorization or in excess of authorization and thereby obtaining information from any protecting computer," said Hoffman.
The limiting legal principle in that provision is the "without authorization or excess of authorization" piece.