Skip to main content

Legally Blind and Deaf - How Computer Crime Laws Silence Helpful Hackers

  • May 20th , 2015

A world wide war is being waged in which the most able-bodied soldiers are being discouraged from enlisting. It is an information security war, and hackers are the troops and the weapon designers that have the skills to shape our collective future, for good or for ill.

How do we enlist the hackers of the world to join the army of defenders? One way is by revising the current laws that discourage security research, that blur the lines between "defense" and "crime."

Imagine a world in which those with the scarce and highly-prized knowledge and skills to help secure the Internet can work for the greater good, without fear of legal threats or prosecution. Would you trust your data to an Internet service provider who didn't want to hear about potential security problems? Or would you rather that every manufacturer be open to hearing about flaws in their code and trying to fix issues before criminals can use them in an attack?

Antiquated computer crime laws, inherently vague and overbroad and passed before the Internet took shape, have long had a chilling effect on security research.

Hack the Planet

This year, the iconic movie "Hackers" will celebrate its 20th anniversary, and we're still grappling with the ethics of trying to find holes and break computer systems in order to secure them. Real life hackers who want to help secure the Internet ecosystem perform security research to discover software and hardware flaws, and then report them to get them fixed. With the recent spotlight on hacking planes, it's more important than ever for lawmakers to clarify a safe way for friendly hackers to perform security research that could save lives. But not all companies are interested in hearing from friendly hackers, even when it means their users are at risk.

Laws like the Digital Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act (CFAA) in the U.S. and similar laws around the globe are receiving renewed interest from lawmakers and even President Obama himself. Unfortunately, the proposed revisions seek to expand punishments, not address the potential for injustice. Too often, these laws are used to threaten security researchers into silence, which ultimately does nothing to fix security holes. If a security researcher can find a hole, it stands to reason that bad guys can find it too, so keeping it quiet only helps attackers and hurts the rest of us.

Help Reform Computer Crime Laws

I was invited along with several experts, including lawyers, researchers, and government representatives, to a recent workshop on legal reform of computer crime laws. Our goal was to discuss ways to reform these laws to ensure that security research is a protected exemption. The current research exemption under the DMCA doesn't really protect security research because it stipulates that a hacker must seek out and receive "the authorization of the owner or operator of such computer, computer system, or computer network" before they do any research. Many vendors will never give this authorization, and the public will continue to be at risk. Basically, the idea is that these laws should only be used to target criminals, not helpful hackers.

In an attempt to reform the law, security experts are currently testifying to congressional committees, and a group of researchers, lawyers, and academics submitted an official comment to the US Copyright Office on May 1 urging approval of a research exemption to the anti-circumvention provisions of the Digital Millennium Copyright Act. This statement included in the comment remains open for signature until May 22, 2015. Security researchers and experts are welcome to sign the statement. (To ask that your name or organization be added to the list of supporters email Jim Dempsey, jdempsey [at] law.berkeley.edu, or Deirdre Mulligan, dmulligan [at] berkeley.edu)

Protecting Helpful Hackers Benefits Us All

It is high time for security research to be protected under the law. The hackers with the skills to break into software and networks, who choose to come forward with their knowledge and share their findings, should be legally exempt from criminal prosecution under laws designed to punish crime.

The war being fought for security and privacy on the Internet needs all hands on deck when it comes to defense. Hackers should find the path of least resistance to be the one that helps defenders; they should not run into trouble with the law when they are trying to help. I urge everyone to support a safe harbor for security research in existing and future computer crime laws. Support a more secure Internet for us all.

– Katie Moussouris, Chief Policy Officer

Recent articles

Bug Bounty Field Manual: The Definitive Guide for Planning, Launching, and Operating a Successful Bug Bounty Program

H1-415 Hackathon Delivers to Customers, Community, and Hackers

Just a few short weeks ago, an elite group of hackers huddled in conference rooms in a San Francisco high-rise…

Introducing CWE-based Weaknesses

HackerOne updated their vulnerability taxonomy to include a more complete weakness suite based on the industry-…