VANCOUVER–The shift to mobile computing platforms in recent years has made life much easier for many users, but it’s also made life a lot more difficult for security researchers. Working on any software or hardware product carries with it a number of potential legal challenges, but mobile and embedded devices have their own special set of pitfalls that are beginning to present problems for researchers.
One of the main issues is that research on mobile devices such as smartphones doesn’t just concern one vendor. An Android device might have been manufactured by one company, run software from another and then have service provided by a third entity. That presents some rather unique problems for researchers.
“There are a lot of players involved in mobile,” Marcia Hofmann, a senior staff attorney at the EFF, said in a talk on mobile security research legal challenges at CanSecWest here Thursday. “Anytime you’re doing research that potentially invades someone’s privacy, that can be a problem. It makes it more likely you could get into legal trouble. You need to think hard about how to design your research so as not to create those legal problems.”
Many researchers who have worked on mobile or embedded devices have run into legal challenges over various aspects of their work. Those problems often arise from copyright issues or potential violations of the DMCA (Digital Millennium Copyright Act), and
Hofmann said that those can be some of the more difficult areas of the law to navigate.
“Copyright is one of the most important things to pay attention to,” she said. “And the DMCA has some pretty harsh statutory penalties. The reverse engineering exception is a lot narrower than most people think. It’s not a broad exception. It has to be for interoperability purposes between programs and it can’t be for purposes that are infringing.”
The exception to the DMCA that allows users to jailbreak their phones has been widely cited and celebrated in the mobile community, but Hofmann warned researchers not to get too excited. The exception only applies to phones, not other mobile devices, she said. The EFF is asking Congress for a broader exception that would cover tablets and other devices.
“The exception doesn’t extend to the distribution of jailbreaking tools, either,” Hofmann said.
There are some things that researchers can do to help protect themselves against potential legal problems. Hofmann said that researchers who are professionals in the field tend to have an advantage in legal disputes.
“When people get in trouble, there’s this perception that it’s some punk kid who meant to make trouble for someone and didn’t have altruistic goals,” she said. “The more you can show you have that altruism, the better.”
She also recommends that researchers assume that the EULAs attached to software are binding, until proven otherwise. The courts have tended to support EULAs in the past, and Hofmann said it’s prudent to assume that will continue.
“I personally have been really disappointed with where the courts have gone on these decisions. But you have to assume as a researcher that the agreement is binding,” she said. “You can’t operate on the assumption that it’s not a real contract.”