LAS VEGAS — In his keynote address at Black Hat on Wednesday, Dan Geer, the CISO of In-Q-Tel and a respected security luminary, noted that the industry has never been closer to the forefront of corporate and government policy decision making. Despite this, security research remains a dangerous business for those who seek out bugs in software systems and face prosecutions and lawsuits as a result.
In a panel discussion beginning with the warning that “this is not legal advice,” Trey Ford of Rapid7, technology law expert Marcia Hofmann and fellow lawyer Kevin Bankston of the New America Foundation discussed how the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and the Electronic Communications Privacy Act (ECPA) hinder and endanger security research while significantly increasing the punishments for those found to have violated the laws, regardless of their intentions.
Under certain conditions, punishments increase dramatically when prosecutors daisy-chain violations of multiple laws together in one trial for one sentence. Furthermore, rulings in civil cases under these laws often become precedent for future criminal cases.
Briefly, the CFAA prohibits “intentionally accessing a computer without authorization or exceeding authorized access and thereby obtain[ing]… information from a protected computer,” but what is a protected computer, and what constitutes authorization or exceeding it, the panel wondered aloud. A CFAA violation is at first a misdemeanor, but it can become a felony on a second offense, if there is a profit motive, or if the total damage exceeds $5,000. In some cases companies have met the $5,000 mark through the costs incurred fixing a bug reported to them, and even through the legal fees paid to determine whether or not they were allowed to file suit against the person conducting the research.
The DMCA is problematic too, they explained. It states that “No person shall circumvent a technological measure that controls access to [a work protected by copyright.]” A user can violate this law simply by circumventing a technological measure, without doing any damage or infringing upon any copyright. Again they wondered: “What is a technological measure?” Civil injunctions and actual or statutory damages may be tripled for repeat offenses, and penalty payments can be compounded by the judge per sub-violation.
Bankston joked that Bruce Wayne would have had to pay hundreds of billions if not trillions of dollars when Batman hacked into and turned on the microphone on every cellular device in Gotham City in The Dark Knight, because the penalties could have been compounded per person affected.
Finally they addressed the ECPA, which includes the pen register statute, the Wiretap Act and the Stored Communications Act. Hofmann and Bankston briefly praised the law, saying that they had used it to file suits against the government and the NSA in the past, before noting that it suffers from many of the same pitfalls present in the two preceding laws.
Altogether, the vague wording of these laws, Hofmann argued, allows the government to prosecute selectively and to enforce the law to incredibly strict degrees when and if it wants to. Popular examples cited by the panel include the saga of Aaron Swartz, who faced felony charges, serious fines and a long prison sentence for allegedly breaking into a utility closet at MIT and downloading academic articles, and that of Andrew Auernheimer, who faces similar consequences after discovering a bug in AT&T’s website.
In what may have been the most illustrative part of the briefing, the crowd joined the panel in a game where an activity, an action, a target, a motive and a wild card were chosen at random from five respective lists. For example: a corporate security professional performed network sniffing on a system used online out of idle curiosity, but dropped a zero-day in the process. While this particular scenario was not discussed, several others were. In every case, Bankston and Hofmann found an angle through which the perpetrator could be prosecuted.
In one hypothetical scenario that was discussed, an academic researcher tracked the location of her colleagues at her institution for the purpose of corporate espionage, but there were no monetary damages. This was deemed illegal regardless of intent, most likely as a violation of the Wiretap Act.
“Just because you have a good faith reason for doing what you’re doing isn’t going to get you off,” Bankston said. “There is no researcher exception for the Wiretap Act.”
Another scenario – also deemed prosecutable, because the CFAA apparently applies to machines located outside the U.S. in nearly every imaginable circumstance – involved someone hacking Chinese networks. A member of the crowd asked whether it made a difference if the attack was retaliatory.
“There is currently no hack-back exception,” Bankston reasoned.
Hofmann explained that even if the user were accessing systems protected only by a well-known default password, this would still constitute a violation of one or more of these laws, purely because the user guessed a password, which in itself is illegal.
One caveat to many of these laws is consent.
“Consent fixes pretty much anything,” Hofmann said, to which Bankston added the clarification that consent does not matter when it comes to the pen register statute.