Security researchers often walk a very thin line between what is legal and what is illegal, and knowing the difference is not all that easy, especially given the current state of the law.
So what do security researchers need to know about the law? Attorney Marcia Hoffman addressed that question during a pair of speaking sessions at the Black Hat and DEF CON security conferences last week. While there are risks associated with computer security research and hacking, Hoffman, who works with the Electronic Frontier Foundation (EFF) and currently runs her own legal practice, said that the goal of her talk was not to scare people. Rather her purpose is to increase awareness about some of the sticky situations the law can create.
The primary law that security researchers need to be concerned about is the Computer Fraud and Abuse Act (CFAA). Originally passed in 1984, the CFAA was a response to the movie War Games, according to Hoffman. Members of Congress apparently saw the movie and got worried, she said.
The CFAA includes some provisions that criminalize unauthorized access to certain computers, with one provision stating, “It is illegal to intentionally access a computer without authorization or in excess of authorization and thereby obtaining information from any protecting computer,” said Hoffman.
The limiting legal principle in that provision is the “without authorization or excess of authorization” piece.
“The main problem is that we don’t know what makes access unauthorized,” Hoffman said. “Is it just breaching a technological barrier meant to restrict access, or is it a restriction on how you access data, or does it mean you can’t access the data for a purpose the data’s owner doesn’t like?”
In Hoffman’s view, the vague language present in the CFAA lends itself to selective enforcement, and it’s unclear what’s actually illegal.
Terms of Use
One gray area for law enforcement of potential unauthorized access revolves around Terms of Use violations.
In the International Airport Centers, L.L.C. v. Citron case, cited by Hoffman, a former employee was found in violation of the CFAA for deleting data from a notebook computer. Jacob Citrin deleted the data after he left working for International Airport Centers and therefore the court ruled that he no longer had authorized access to the data.
In the U.S. vs Drew case, Lori Drew created a fake MySpace account and then used that account to harass a friend of her daughter’s. Tragically, the harassed girl ended up committing suicide as a result of the harassment. The prosecutor in that case decided to use the CFAA to go after Drew on the basis that Drew had violated the Terms of Service for MySpace by using a fake account.
Violating Terms of Service, however, can be a slippery slope, according to Hoffman. In many cases, users unknowingly agree to Terms of Service for a given site as soon as they visit the site. For security researchers, Hoffman suggests that they carefully read Terms of Service as well as End User License Agreements (EULAs).
“If you can avoid violating it, then don’t violate,” Hoffman said.
What Security Researchers Need to Know About the Law
Going a step further, Hoffman explained that accessing publicly available data has been deemed to be “unauthorized access” under certain circumstances. In the U.S. vs. Auernheimer case, Andrew “weev” Auernheimer discovered an AT&T flaw that enabled the email addresses of approximately 140,000 Apple iOS users to be obtained. Hoffman, who is on the defense team for Auernheimer, said there were no Terms of Use and the researchers just stumbled across the flaw that exposed the email addresses.
“Just because there is no Terms of Use agreement or technological barrier to access doesn’t mean it’s open season,” Hoffman said. “You need to think about what you’re doing and how you do it.”
Best Practices
Hoffman has a number of best practice recommendations for security researchers to help them stay on the right side of the law.
She recommends that researchers be very careful about violating agreements or policies, especially confidentially agreements. Additionally, she said that researchers should be cautious about creating or distributing tools that circumvent barriers.
She added that public disclosure about an issue, without reporting to the vendor first, can make the situation more tense.
“Your risk increases if you go public without talking to the vendor first,” Hoffman said.
Finally, if in doubt, Hoffman suggests that researchers contact a lawyer for a professional opinion.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.