There are more legal pitfalls awaiting security researchers than most attendees at the Black Hat conference in Las Vegas were aware of -- or at least that's how it looked at a Wednesday afternoon panel featuring Rapid 7 Global Security Strategist Trey Ford and attorneys Marcia Hofmann and Kevin Bankston.
When, at the conclusion of the discussion, Ford asked for a show of hands of those who'd learned something they weren't aware of, most audience members raised a hand.
Marcia Hoffmandigital rights attorney
Beginning with a quick overview of the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), Hofmann, who specializes in computer crime and security, electronic privacy and intellectual property, sounded a theme that continued throughout the session. "It's not always clear which actions are legal, and the vagueness of the pivotal language tends to lend itself to selective enforcement," Hofmann said. "Because of the harshness of these penalties, if you get the book thrown at you, you really get the book thrown at you."
The primary cybercrime laws, Hofmann said, are framed in such a way that most first-time offenses are theoretically viewed as misdemeanors. But, there are circumstances "when it can become a felony, and a felony is a much bigger deal," Hofmann said. "Even a first-time violation of the unauthorized access provision can be a felony when you do it with intent to profit, when the information you obtain is worth more than $5,000, or the act is in furtherance of another legal act, or it's a repeat offense. It's a fairly easy thing for the government to make an argument that even a first-time offense is one that deserves some very harsh penalties."
Breaking down cybercrime laws
Not only can the government throw the book at a researcher, but in some cases these cybercrime laws allow civil prosecution as well, making them not only potentially costly for those found guilty, but also setting case precedents that may affect a judge's ruling in future criminal cases.
"The CFAA is a law that was passed in the mid-80s, at a very different time, and it has a number of prohibitions, but the one that has become the biggest problem is one that is actually fairly simple," Hofmann noted. "It makes it illegal to 'intentionally access a computer without authorization or in excess of authorization, and thereby obtain any protected information from a protected computer.'"
The concept that's problematic, she said, "is this idea of 'without authorization or exceeding authorized access.' You would think on the face of it that it's pretty simple, but the problem is that the law doesn't actually define what authorization is or how one would indicate authorization."
Meanwhile, as cybercrime laws go, the DMCA takes a slightly different approach, stipulating that "no person shall circumvent a technological measure that effectively controls access to a work protected by copyright law." This includes software source code, she noted, which may be copyrighted. "Frankly, I think the DMCA is a little scarier than the [CFAA], because the penalties are even tougher," Hofmann added.
Kevin Bankston, Policy Director of the New America Foundation's Open Technology Institute, gave a similar overview of the Electronic Communications Privacy Act (ECPA). On the one hand, he pointed out that it's a law that's important for protecting privacy, and that advocacy groups use the ECPA when they're suing the NSA or arguing that the government is required to have a warrant for surveillance. "But, it's also broad and vague and poses a real challenge to researchers."
The wiretap act part of the law makes it a felony to wiretap someone. But according to Bankston, those who run afoul of it can also rack up awe-inspiring civil fines, because they may be sued for statutory damages, with fines that compound per day and per person wiretapped.
"So I say, holy statutory damages, Batman! And I say that for a specific reason: Have you seen [The] Dark Knight, where Batman opens the mics on every cell phone in Gotham City to try and catch the Joker? If you assume Gotham is about the size of New York and you assume that a vast number of those phones were in private spaces when that happened, we're looking at tens or hundreds of billions of dollars of statutory damages if Bruce Wayne got caught, a tab that maybe even he could not pay off," Bankston said.
In sum: "All you guys who were running Wireshark when you were thirteen? You probably committed a felony under this law," Bankston said.
Trey Ford then invited the audience to join in a game where several hypothetical scenarios were randomly chosen from a menu of possibilities and the legality of each plot was discussed. Could an academic surreptitiously track the location of colleagues in order to infer information about their research projects? Is there ever a circumstance when someone can tap a corporate rival's email? What if you were testing Gmail for a potential security flaw? If you're a computer science major can you expect leniency?
In all the cases, Hofmann and Bankston agreed, the answer was no.
Amazon cloud security weaknesses