Black Hat: Digital rights lawyer advises researchers on navigating legal landscape

Violating the Computer Fraud and Abuse Act (CFAA) can lead to harsh consequences, but one legal expert shared tips on what security researchers can do to protect themselves. 

Speaking at this year's Black Hat 2013 in Las Vegas, Marcia Hofmann, an Electronic Frontier Foundation fellow, said researchers should seek legal advice before diving into work that could cross the line into violating the federal anti-hacking law.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognize them early and talk to a lawyer to help you navigate them," Hofmann said.

In addition to consulting a lawyer and asking how to conduct one's research in the safest possible way, Hofmann said that being acquainted with the policies and confidentiality agreements of one's own organization, and of the companies involved in one's research, is essential.

Many in the security industry believe that the 30-year-old CFAA is broadly worded, leading to what Hofmann believes are "very unfortunate" situations. One she pointed out was the case of Andrew Auernheimer, aka "Weev," the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on the website of AT&T. She is part of the legal team that has filed an appeal in this case.

In Auernheimer's case, he presented the data and information about his hack to the news and gossip blog Gawker. While Hofmann doesn't think that talking about one's research or findings is a bad idea, she said public disclosure without first reporting it to the vendor could make the situation sticky.

"If you're in a tense situation and you're talking about it publicly, that ups the ante," she said.

While a first-time offense under the CFAA is considered a misdemeanor, the statute carries broad felony liability in certain cases, such as when an allegedly malicious act is committed with intent to profit, or when the information obtained is worth more than $5,000.

"The way it's written at this point, even if it's a first-time offense, things can go badly," Hofmann said. "Vague language lends itself to selective enforcement."

One thing she said benefits security researchers who may be faced with a possible CFAA violation is their credentials.

"The fact that the people at this conference work in security and do it professionally are atmospherics that do help," she said.
