Black Hat: Digital rights lawyer advises researchers on navigating legal landscape

Marcia Hofmann presents at Black Hat 2013 in Las Vegas.

Violating the Computer Fraud and Abuse Act (CFAA) can lead to harsh consequences, but one legal expert shared tips on what security researchers can do to protect themselves. 

Speaking at this year's Black Hat 2013 in Las Vegas, Marcia Hofmann, an Electronic Frontier Foundation fellow, said researchers should seek legal advice before diving into work that could come close to breaking the federal anti-hacking law.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognize them early and talk to a lawyer to help you navigate them," Hofmann said.

In addition to consulting a lawyer about how to carry out research in the safest possible way, Hofmann said it is essential to be acquainted with the policies and confidentiality agreements of one's own organization and of any companies involved in the research.

Many in the security industry believe that the 30-year-old CFAA is broadly worded, leading to what Hofmann called "very unfortunate" situations. One she pointed out was the case of Andrew Auernheimer, aka "Weev," the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on the website of AT&T. She is part of the legal team that has filed an appeal in the case.

In Auernheimer's case, he took the data and information about his hack to the news and gossip blog Gawker. While Hofmann doesn't think that talking about one's research or findings is a bad idea, she said public disclosure without first reporting the issue to the vendor could make the situation sticky.

“If you're in a tense situation and you're talking about it publicly, that ups the ante,” she said.

While a first-time offense under the CFAA is considered a misdemeanor, the statute carries broad felony liability in certain cases, such as when an allegedly malicious act is committed with intent to profit, or when the information obtained is worth more than $5,000.

"The way it's written at this point is, even if it's a first-time offense, things can go badly," Hofmann said. "Vague language lends itself to selective enforcement."

One thing she said benefits security researchers who may be faced with a possible CFAA violation is their credentials.

"The fact that the people at this conference work in security and do it professionally are atmospherics that do help," she said.
