Security Research and the Law: What You Need to Know
Security researchers must navigate a minefield of U.S. laws and statutes, such as the Computer Fraud and Abuse Act.
Security researchers often examine services and sites they do not own or operate themselves, which can expose them to legal risk. In a session at the Black Hat USA conference last week, lawyers Kevin Bankston and Marcia Hofmann detailed the myriad laws that security professionals need to be aware of when conducting research.
When analyzing networks and sites, researchers should exercise care, because various laws apply that could make certain actions illegal, Bankston and Hofmann said.
Computer Fraud and Abuse Act
According to Hofmann, one potential legal landmine is the Computer Fraud and Abuse Act (CFAA). One of its key provisions states that "it is illegal to intentionally access a computer without authorization or in excess of authorization and thereby obtain information from any protected computer."
The debatable point in the CFAA, Hofmann noted, is the question of what constitutes unauthorized access.
Digital Millennium Copyright Act
The Digital Millennium Copyright Act (DMCA) is intended to protect copyright holders, but it also has an impact for security researchers.
"No person shall circumvent a technological measure that effectively controls access to [a work protected by copyright law]," the DMCA states.
Encryption and authentication mechanisms could potentially be considered technological measures. The DMCA does contain exceptions for certain kinds of reverse engineering when a developer is trying to make software interoperable. Security testing is also potentially allowed, but only with the permission of the owner or operator of the system or network being tested.
"It's not always clear which actions are illegal," Hofmann said. "Vagueness leads to selective enforcement."
The Electronic Communications Privacy Act of 1986 (ECPA)
The Electronic Communications Privacy Act of 1986 (ECPA) actually involves three legal landmines, according to Bankston. The first is the Wiretap Act, which regulates the interception of the content of communications using a device.
Simply running the open-source Wireshark packet sniffer on a network without authorization or consent could be a felony under the Wiretap Act, Bankston said.
There is also the Pen Register Statute (PRS), which Bankston explained regulates the acquisition of non-content dialing, routing, signaling or addressing information using a device.
Finally, the Stored Communications Act within the ECPA regulates providers' disclosure of stored content and subscriber information, and prohibits unauthorized access to stored content.
Both Bankston and Hofmann noted that the various laws need more precision in defining what is illegal. There is also currently a proposal before the U.S. Congress known as Aaron's Law, named after Aaron Swartz, who was prosecuted under the CFAA. The bill would amend the CFAA to be more precise about when an individual crosses a legal line.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.