Hackers get lesson in the law

The director of Stanford University's Center for Internet and Society warns attendees of the Black Hat security conference that publishing info on flaws could lead to legal woes.

Declan McCullagh Former Senior Writer
LAS VEGAS--Security researchers and black-hat hackers could face legal troubles if they publish detailed information about vulnerabilities and exploits, according to a presentation at a conference here.

Jennifer Granick, director of Stanford University's Center for Internet and Society, warned the audience at the Black Hat security conference late Thursday that they could run afoul of recent laws like the Digital Millennium Copyright Act, as well as centuries-old common law restrictions.

One possible way for researchers to escape liability is to be careful not just of what they say, but how they say it. "How you market what you publish could be just as important as what you're publishing," said Granick, a criminal defense lawyer. "The law may treat that circumstance differently if you're sending this information out to help people."

The U.S. Constitution's First Amendment generally makes it legal to publish truthful information, but over time, courts and legislators have created many exceptions to that general rule. If the publication includes working computer code--such as an exploit that takes advantage of security vulnerabilities--the legal status is even less clear.

That's because courts have had a difficult time coming up with analogies for computer code, which contains both functional and informational aspects, to more traditional forms of publication, Granick said. "It communicates to computer scientists, but it also does something. It is a tool. The communicative aspect is protected by the First Amendment."

Granick said Stanford Law School is planning a conference in October to explore some of the ways vulnerability disclosures could trigger legal prohibitions, which include the DMCA, the common law tort of negligence, state laws, criminal laws against conspiracies, wire fraud statutes and the Council of Europe's convention on cybercrime.

Last year, Hewlett-Packard invoked the DMCA and computer crime laws when threatening to sue a team of researchers who publicized a vulnerability--including actual exploit code--in HP's Tru64 Unix operating system. The company backed down after a public outcry.

The Justice Department invoked the DMCA to prosecute Dmitry Sklyarov, a Russian programmer who allegedly violated the controversial federal law by writing an e-book unscrambler. Charges against Sklyarov were eventually dropped in exchange for his testimony at his company's trial, which ended in an acquittal.

Princeton University professor Ed Felten was threatened with a DMCA lawsuit for exposing weaknesses in a music watermarking scheme, and the hacker publication 2600 was successfully sued under the DMCA by eight movie studios for distributing a DVD-decrypting utility. The DMCA includes limited exceptions for security testing, encryption research and reverse engineering.