Black Hat: Digital rights lawyer advises researchers on navigating legal landscape

Marcia Hofmann presents at Black Hat 2013 in Las Vegas.

Violating the Computer Fraud and Abuse Act (CFAA) can lead to harsh consequences, but one legal expert shared tips on what security researchers can do to protect themselves. 

Speaking at this year's Black Hat 2013 in Las Vegas, Marcia Hofmann, an Electronic Frontier Foundation fellow, said researchers should seek legal advice before diving into work that could come close to violating the federal anti-hacking law.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognize them early and talk to a lawyer to help you navigate them," Hofmann said.

In addition to seeking a lawyer and asking them how one can do their research in the safest possible way, Hofmann said that being acquainted with policies and confidentiality agreements at one's organization or with companies involved in one's research is essential.

Many in the security industry believe that the 30-year-old CFAA is broadly worded, leading to what Hofmann believes are "very unfortunate" situations. One she pointed out was the case with Andrew Auernheimer, aka “Weev,” the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on the website of AT&T. She is part of the legal team that has filed an appeal in this case.

In Auernheimer's case, he presented the data and information regarding his hack to the news and gossip blog Gawker. While Hofmann doesn't think that talking about one's research or findings is a bad idea, she said public disclosure without reporting it first to the vendor could make the situation sticky.

“If you're in a tense situation and you're talking about it publicly, that ups the ante,” she said.

While a first-time CFAA offense is considered a misdemeanor, the statute imposes broad felony liability in certain cases, such as when an allegedly malicious act is committed with intent to profit, or when the information obtained is worth more than $5,000.

"The way it's written at this point, is even if it's a first time offense, things can go badly," Hofmann said. "Vague language lends itself to selective enforcement."

One thing Hofmann said benefits security researchers who may face a possible CFAA violation is their credentials.

"The fact that the people at this conference work in security and do it professionally are atmospherics that do help," she said.
