Hackers get lesson in the law
By Declan McCullagh
CNET News.com
August 1, 2003, 11:28 AM PT

LAS VEGAS--Security researchers and black-hat hackers could face legal troubles if they publish detailed information about vulnerabilities and exploits, according to a presentation at a conference here.

Jennifer Granick, director of Stanford University's Center for Internet and Society, warned the audience at the Black Hat security conference late Thursday that they could run afoul of recent laws like the Digital Millennium Copyright Act, as well as centuries-old common law restrictions.

One possible way for researchers to escape liability is to be careful not just of what they say, but how they say it. "How you market what you publish could be just as important as what you're publishing," said Granick, a criminal defense lawyer. "The law may treat that circumstance differently if you're sending this information out to help people."

The U.S. Constitution's First Amendment generally makes it legal to publish truthful information, but over time, courts and legislators have created many exceptions to that general rule. If the publication includes working computer code--such as an exploit that takes advantage of security vulnerabilities--the legal status is even less clear.

That's because courts have had a difficult time coming up with analogies for computer code, which contains both functional and informational aspects, to more traditional forms of publication, Granick said. "It communicates to computer scientists, but it also does something. It is a tool. The communicative aspect is protected by the First Amendment."

Granick said Stanford Law School is planning a conference in October to explore some of the ways vulnerability disclosures could trigger legal prohibitions, which include the DMCA, the common law tort of negligence, state laws, criminal laws against conspiracies, wire fraud statutes and the Council of Europe's convention on cybercrime.

Last year, Hewlett-Packard invoked the DMCA and computer crime laws when threatening to sue a team of researchers who publicized a vulnerability--including actual exploit code--in HP's Tru64 Unix operating system. The company backed down after public outcry.

The Justice Department invoked the DMCA to prosecute Dmitry Sklyarov, a Russian programmer who allegedly violated the controversial federal law by writing an e-book unscrambler. Charges against Sklyarov were eventually dropped in exchange for his testimony at his company's trial, which ended in an acquittal.

Princeton University professor Ed Felten was threatened with a DMCA lawsuit for exposing weaknesses in a music watermarking scheme, and the hacker publication 2600 was successfully sued under the DMCA by eight movie studios for distributing a DVD-decrypting utility. The DMCA includes limited exceptions for security testing, encryption research and reverse engineering.
