Black Hat: Digital rights lawyer advises researchers on navigating legal landscape

Marcia Hofmann presents at Black Hat 2013 in Las Vegas.

Violating the Computer Fraud and Abuse Act (CFAA) can lead to harsh consequences, but one legal expert shared tips on what security researchers can do to protect themselves. 

Speaking at this year's Black Hat 2013 in Las Vegas, Marcia Hofmann, an Electronic Frontier Foundation fellow, said researchers should seek legal advice before diving into work that could come close to violating the federal anti-hacking law.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognize them early and talk to a lawyer to help you navigate them," Hofmann said.

In addition to consulting a lawyer and asking how one can conduct research in the safest possible way, Hofmann said it is essential to be acquainted with the policies and confidentiality agreements of one's own organization and of any companies involved in one's research.

Many in the security industry believe that the 30-year-old CFAA is broadly worded, leading to what Hofmann believes are "very unfortunate" situations. One she pointed out was the case with Andrew Auernheimer, aka “Weev,” the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on the website of AT&T. She is part of the legal team that has filed an appeal in this case.

In Auernheimer's case, he presented the data and information regarding his hack to the news and gossip blog Gawker. While Hofmann doesn't think that talking about one's research or findings is a bad idea, she said public disclosure without reporting it first to the vendor could make the situation sticky.

“If you're in a tense situation and you're talking about it publicly, that ups the ante,” she said.

While a first-time CFAA offense is considered a misdemeanor, the statute carries broad felony liability in certain cases, such as when an allegedly malicious act is committed with intent to profit, or when the information obtained is worth more than $5,000.

"The way it's written at this point, is even if it's a first time offense, things can go badly," Hofmann said. "Vague language lends itself to selective enforcement."

One thing that she said benefits security researchers who may be faced with a possible CFAA violation is their credentials.

"The fact that the people at this conference work in security and do it professionally are atmospherics that do help," she said.
