Security researchers, ethical hackers, and bug hunters spend their days trying to make the world safer and more secure. And yet the US legal system makes it almost impossible for them to do their jobs, thanks to flimsy interpretations of long-outdated laws.
In the past year alone, there have been several lawsuits and legal actions against security researchers, who find and report software and hardware weaknesses in the hope that companies will fix them. That’s led to a “chilling effect,” whereby the good-guy hackers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal action.
That’s where a new study carried out by the Center for Democracy & Technology, a Washington DC-based non-profit, comes in. Its authors, Joseph Lorenzo Hall and Stan Adams, set out to establish, by consensus among practitioners, where the limits of what ethical hackers can do actually lie.
“The premise of the report is to get a sense of the forces that shape or chill the work of security researchers, hackers, and tinkerers, by asking them directly what kinds of considerations shape what they can and cannot do,” said Lorenzo Hall in an email.
The report admits that it’s impossible to create a unified code of conduct that could easily apply to all the various activities undertaken by hackers and security researchers. Instead, the report detailed a “risk basis” to help security researchers determine the level of risk they may face for the activities they conduct.
“Since security researchers tend to push into grey areas where the law is unclear, an understanding of the law’s ‘chilling effects’ on security research has been a major concern of those who work in and with information security,” said the report authors.
The report dives into the laws that govern the security space, including the notorious Computer Fraud and Abuse Act (CFAA), widely seen as the foundation of US hacking laws.
The problem is that these laws were written in the 1980s, at a time when even the smartest minds couldn’t have foreseen smartphones, cloud storage, and vast web-based services — like Facebook or Google.
The report found that half of those interviewed said the CFAA is a “primary source” of risk.
The reality is that there is no specific line in the sand of what is “legal” and “not legal” in security research. Hackers are often subject to a sort-of Russian roulette — nine out of 10 vulnerable companies could thank a researcher, but it only takes one disgruntled company to initiate frivolous and unnecessary criminal action.
Alongside the study, more than 50 security researchers and journalists (disclosure: including this reporter) have signed an open letter to support legal and legitimate security research. The letter lands in the wake of recently settled and ongoing legal action against researchers and reporters.
The letter said that lawsuits “not only endanger a free and open press,” but deter researchers from reporting vulnerabilities and weaknesses “for fear of facing legal retribution.”