Security Research and the Law: What You Need to Know

Security researchers often examine services and sites they don’t own or operate themselves, which can expose them to legal risk. In a session at the Black Hat USA conference last week, lawyers Kevin Bankston and Marcia Hofmann detailed the myriad laws that security professionals need to be aware of when conducting research.

When analyzing networks and sites, researchers should exercise care, because various laws apply that could make certain actions illegal, Bankston and Hofmann said.

Computer Fraud and Abuse Act

According to Hofmann, one potential legal landmine is the Computer Fraud and Abuse Act (CFAA). One of its key provisions states that “it is illegal to intentionally access a computer without authorization or in excess of authorization and thereby obtain information from any protected computer.”

The debatable point in the CFAA, Hofmann noted, is the question of what constitutes unauthorized access.

Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) is intended to protect copyright holders, but it also affects security researchers.

“No person shall circumvent a technological measure that effectively controls access to [a work protected by copyright law],” the DMCA states.

Encryption and authentication mechanisms could potentially be considered technological measures. There are exceptions within the DMCA for certain types of reverse engineering when a developer is trying to make software code interoperable. Security testing is potentially allowed — but only with the permission of the network owner.

“It’s not always clear which actions are illegal,” Hofmann said. “Vagueness leads to selective enforcement.”

The Electronic Communications Privacy Act of 1986 (ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA) actually involves three legal landmines, according to lawyer Kevin Bankston. The first one is the Wiretap Act, which regulates the interception of content using a device.

Simply running the open-source Wireshark packet sniffer on a network without authorization or consent could be a felony under the Wiretap Act, Bankston said.

There is also the Pen Register Statute (PRS), which Bankston explained regulates the acquisition of non-content dialing, routing, signaling or addressing information using a device.

Finally, the Stored Communications Act within the ECPA regulates providers’ disclosure of stored content and subscriber information and prohibits unauthorized access to stored content.

Google has long championed reform of the ECPA. As David Lieber, Google’s senior privacy policy counsel, wrote in a blog post: “While well-intentioned when enacted in 1986, ECPA no longer reflects users’ reasonable expectations of privacy.” Lieber noted in the post that a majority of members in the U.S. House of Representatives now support H.R. 185, bipartisan reform legislation that would create a warrant-for-content rule for electronic communications.

Both Bankston and Hofmann noted that the various laws need more precision in defining what is illegal. There is also currently a proposal before the U.S. Congress known as Aaron’s Law, named after Aaron Swartz, who was prosecuted under the CFAA. The law would amend the CFAA to be more precise about when an individual breaches certain legal barriers.

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.