Black Hat: Digital rights lawyer advises researchers on navigating legal landscape

Marcia Hofmann presents at Black Hat 2013 in Las Vegas.

Violating the Computer Fraud and Abuse Act (CFAA) can carry harsh consequences, but one legal expert shared tips on what security researchers can do to protect themselves.

Speaking at this year's Black Hat 2013 in Las Vegas, Marcia Hofmann, an Electronic Frontier Foundation fellow, said researchers should seek legal advice before diving into work that could run afoul of the federal anti-hacking law.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognize them early and talk to a lawyer to help you navigate them," Hofmann said.

In addition to consulting a lawyer and asking how the research can be done in the safest possible way, Hofmann said it is essential to be acquainted with the policies and confidentiality agreements at one's own organization and at any companies involved in the research.

Many in the security industry believe that the nearly 30-year-old CFAA is broadly worded, leading to what Hofmann called "very unfortunate" situations. One she pointed out was the case of Andrew Auernheimer, aka "Weev," the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on an AT&T website. She is part of the legal team that has filed an appeal in that case.

In Auernheimer's case, he took the data and details of his hack to the news and gossip blog Gawker. While Hofmann does not think that talking about one's research or findings is a bad idea, she said public disclosure without first reporting to the vendor can make the situation sticky.

“If you're in a tense situation and you're talking about it publicly, that ups the ante,” she said.

While a first-time CFAA offense is generally a misdemeanor, the statute imposes broad felony liability in certain cases, such as when the allegedly malicious act is committed for financial gain, or when the information obtained is worth more than $5,000.

"The way it's written at this point is, even if it's a first-time offense, things can go badly," Hofmann said. "Vague language lends itself to selective enforcement."

One thing she said benefits security researchers who may face a possible CFAA accusation is their professional credentials.

"The fact that the people at this conference work in security and do it professionally are atmospherics that do help," she said.
