Security research is a dangerous business.
The threat of lawsuits or even prosecution hangs heavy over the heads of white hat hackers as well as black hats. From Dmitry Skylarov being prosecuted for cracking ebook crypto back in 2001, to Weev being prosecuted today for exposing flaws in AT&T's website security, the legal landscape is littered with potential landmines for those trying to improve Internet and software security. When a major company like Google can be sued for billions over its interception of unencrypted WiFi signals, what's a wireless security researcher to do? When an Internet luminary like Aaron Swartz can be threatened with decades of jail time for his open data activism, what's your average pen tester supposed to think? How serious are these threats - and what can researchers do to avoid them, and maybe even fix the law?
Two veteran digital rights lawyers - one who counsels companies and defends hackers, and another who is an expert in the DC policy game - and the lead strategist of a major security firm will use a game show format to share examples of legally risky research and ask the question: "Computer Crime or Legitimate Research?" Using the answer to that question, we'll start gaming out how to craft legislation that would provide a sensible security research exception to laws like the Wiretap Act, the Digital Millennium Copyright Act, and the Computer Fraud and Abuse Act.
Trey Ford is the Global Security Strategist at Rapid7 where he serves as a customer resource, industry and community advocate. Over the last 15 years, Trey ran Black Hat events worldwide as General Manager, and served functions ranging from incident response, product management, PCI QSA and security engineer for a variety for industry leaders including Zynga, McAfee, FishNet Security and WhiteHat Security.
Marcia Hofmann is an attorney who litigates, counsels, writes, and speaks about a broad range of technology law and policy issues. In 2013 she launched a boutique law practice focusing on computer crime and security, electronic privacy, free expression, and intellectual property. Prior to that, she was a senior staff attorney at the Electronic Frontier Foundation, where she continues to serve as special counsel. She is also a non-residential fellow at Stanford's Center for Internet and Society and an adjunct professor at University of California Hastings College of the Law. Follow her on Twitter at @marciahofmann.
Kevin Bankston is the Policy Director of the New America Foundation's Open Technology Institute, where he works in the public interest to promote policy and regulatory reforms to strengthen communities by supporting open communications networks, platforms, and technologies, with a focus on issues of Internet surveillance and censorship. Prior to leading OTI's policy team, Kevin was a Senior Counsel and the Director of the Free Expression Project at the Center for Democracy & Technology, a Washington, DC-based non-profit organization dedicated to promoting democratic values and constitutional liberties in the digital age. From that position, he spent two years advocating on a wide range of Internet and technology policy issues both international and domestic, most recently organizing a broad coalition of companies and civil society organizations to demand greater transparency around the US government's surveillance practices. He also has served since 2005 on the board of the First Amendment Coalition, a non-profit public interest organization dedicated to advancing free speech and a more open and accountable government, and previously was a nonresidential fellow at the Stanford Law School's Center for Internet & Society. Prior to joining CDT, he worked for nearly a decade at the Electronic Frontier Foundation, specializing in free speech and privacy law with a focus on government surveillance, Internet privacy, and location privacy. As a Senior Staff Attorney at EFF, he regularly litigated issues surrounding free expression and electronic surveillance, and was a lead counsel in EFF's lawsuits against the National Security Agency and AT&T, challenging the legality of the NSA warrantless wiretapping program first revealed in 2005. He originally joined EFF as an Equal Justice Works/Bruce J. Ennis First Amendment Fellow, studying the impact of post-9/11 anti-terrorism surveillance initiatives on online privacy and free expression. Before joining EFF, he litigated Internet-related free speech cases at the national office of the American Civil Liberties Union in New York City as a Justice William Brennan First Amendment Fellow. He received his JD at the University of Southern California Law School after receiving his BA at the University of Texas at Austin.