
    What Security Researchers Need to Know About the Law

    Written by

    Sean Michael Kerner
    Published August 6, 2013

      Security researchers often walk a very thin line between what is legal and what is illegal, and knowing the difference is not all that easy, especially given the current state of the law.

      So what do security researchers need to know about the law? Attorney Marcia Hoffman addressed that question during a pair of speaking sessions at the Black Hat and DEF CON security conferences last week. While there are risks associated with computer security research and hacking, Hoffman, who works with the Electronic Frontier Foundation (EFF) and currently runs her own legal practice, said that the goal of her talk was not to scare people. Rather, her purpose was to increase awareness about some of the sticky situations the law can create.

      The primary law that security researchers need to be concerned about is the Computer Fraud and Abuse Act (CFAA). Originally passed in 1984, the CFAA was a response to the movie War Games, according to Hoffman. Members of Congress apparently saw the movie and got worried, she said.

      The CFAA includes some provisions that criminalize unauthorized access to certain computers, with one provision stating, “It is illegal to intentionally access a computer without authorization or in excess of authorization and thereby obtaining information from any protecting computer,” said Hoffman.

      The limiting legal principle in that provision is the “without authorization or excess of authorization” piece.

      “The main problem is that we don’t know what makes access unauthorized,” Hoffman said. “Is it just breaching a technological barrier meant to restrict access, or is it a restriction on how you access data, or does it mean you can’t access the data for a purpose the data’s owner doesn’t like?”

      In Hoffman’s view, the vague language present in the CFAA lends itself to selective enforcement, and it’s unclear what’s actually illegal.

      Terms of Use

      One gray area in enforcing the law on potential unauthorized access revolves around Terms of Use violations.

      In the International Airport Centers, L.L.C. v. Citrin case, cited by Hoffman, a former employee was found in violation of the CFAA for deleting data from a notebook computer. Jacob Citrin deleted the data after he stopped working for International Airport Centers, and the court therefore ruled that he no longer had authorized access to the data.

      In the U.S. vs. Drew case, Lori Drew created a fake MySpace account and then used that account to harass a friend of her daughter’s. Tragically, the harassed girl ended up committing suicide as a result of the harassment. The prosecutor in that case decided to use the CFAA to go after Drew on the basis that Drew had violated the Terms of Service for MySpace by using a fake account.

      Violating Terms of Service, however, can be a slippery slope, according to Hoffman. In many cases, users unknowingly agree to Terms of Service for a given site as soon as they visit the site. For security researchers, Hoffman suggests that they carefully read Terms of Service as well as End User License Agreements (EULAs).

      “If you can avoid violating it, then don’t violate,” Hoffman said.

      Going a step further, Hoffman explained that accessing publicly available data has been deemed to be “unauthorized access” under certain circumstances. In the U.S. vs. Auernheimer case, Andrew “weev” Auernheimer discovered an AT&T flaw that enabled the email addresses of approximately 140,000 Apple iOS users to be obtained. Hoffman, who is on the defense team for Auernheimer, said there were no Terms of Use and the researchers just stumbled across the flaw that exposed the email addresses.

      “Just because there is no Terms of Use agreement or technological barrier to access doesn’t mean it’s open season,” Hoffman said. “You need to think about what you’re doing and how you do it.”

      Best Practices

      Hoffman has a number of best practice recommendations for security researchers to help them stay on the right side of the law.

      She recommends that researchers be very careful about violating agreements or policies, especially confidentiality agreements. Additionally, she said that researchers should be cautious about creating or distributing tools that circumvent barriers.

      She added that public disclosure about an issue, without reporting to the vendor first, can make the situation more tense.

      “Your risk increases if you go public without talking to the vendor first,” Hoffman said.

      Finally, if in doubt, Hoffman suggests that researchers contact a lawyer for a professional opinion.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.
