Jennifer Granick, director of Stanford University's Center for Internet and Society, warned the audience at the Black Hat security conference late Thursday that they could run afoul of recent laws like the Digital Millennium Copyright Act, as well as centuries-old common law restrictions.
One possible way for researchers to escape liability is to be careful not just of what they say, but how they say it. "How you market what you publish could be just as important as what you're publishing," said Granick, a criminal defense lawyer. "The law may treat that circumstance differently if you're sending this information out to help people."
The U.S. Constitution's First Amendment generally makes it legal to publish truthful information, but over time, courts and legislators have created many exceptions to that general rule. If the publication includes working computer code--such as an exploit that takes advantage of security vulnerabilities--the legal status is even less clear.
That's because courts have had a difficult time coming up with analogies for computer code, which contains both functional and informational aspects, to more traditional forms of publication, Granick said. "It communicates to computer scientists, but it also does something. It is a tool. The communicative aspect is protected by the First Amendment."
Granick said Stanford Law School is planning a conference in October to explore some of the ways vulnerability disclosures could trigger legal prohibitions, which include the DMCA, the common law tort of negligence, state laws, criminal laws against conspiracies, wire fraud statutes and the Council of Europe's convention on cybercrime.
Last year, Hewlett-Packard invoked the DMCA and computer crime laws when a team of researchers publicized a vulnerability--including actual exploit code--in HP's Tru64 Unix operating system. The company backed down after public outcry.
The Justice Department invoked the DMCA to prosecute Dmitry Sklyarov, a Russian programmer who allegedly violated the controversial federal law by writing an e-book unscrambler. Charges against Sklyarov were eventually dropped in exchange for his testimony at his company's trial, which ended in an.
Princeton University professor Ed Felten was threatened with a DMCA lawsuit for exposing weaknesses in a music watermarking scheme, and the hacker publication 2600 was sued under the DMCA by eight movie studios for distributing a DVD-decrypting utility. The DMCA includes limited exceptions for security testing, encryption research and reverse engineering.