What Security Researchers Need to Know About the Law - Page 2

Going a step further, Hoffman explained that accessing publicly available data has been deemed to be "unauthorized access" under certain circumstances. In the U.S. vs. Auernheimer case, Andrew "weev" Auernheimer discovered an AT&T flaw that enabled the email addresses of approximately 140,000 Apple iOS users to be obtained. Hoffman, who is on the defense team for Auernheimer, said there were no Terms of Use and the researchers just stumbled across the flaw that exposed the email addresses.

"Just because there is no Terms of Use agreement or technological barrier to access doesn't mean it's open season," Hoffman said. "You need to think about what you're doing and how you do it."

Best Practices

Hoffman has a number of best practice recommendations for security researchers to help them stay on the right side of the law.

She recommends that researchers be very careful about violating agreements or policies, especially confidentiality agreements. Additionally, she said that researchers should be cautious about creating or distributing tools that circumvent barriers.

She added that public disclosure about an issue, without reporting to the vendor first, can make the situation more tense.

"Your risk increases if you go public without talking to the vendor first," Hoffman said.

Finally, if in doubt, Hoffman suggests that researchers contact a lawyer for a professional opinion.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.