New research from the US Center for Democracy and Technology aims to help security researchers decide what level of risk is acceptable for them and their work.
A general view of atmosphere at the DEFCON - Dark Tangent talk during the 2015 Tribeca Film Festival. Photo: Ben Gabbe (Getty Images for the 2015 Tribeca Film Festival)
"The intent is to provide some guidance as to activities that are lower-risk or that may need more careful design to mitigate risk," the CDT explains. "Although we mention other risks, such as reputational harm, we are primarily concerned with risk of liability under United States law."
This so-called "risk basis" gives researchers a guide to understanding which techniques might put them more at risk. Using found login credentials to access an account, for example, is considered highly risky, while engaging in automated network scanning that collects minimal data and allows network administrators to opt out is considered low risk.
These guidelines are important for security researchers because the laws covering their work are broad and often unclear. Security researchers have faced prosecution in the US under the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA), both of which leave key phrases open to interpretation.
"Much of the uncertainty associated with the CFAA stems from the phrase 'exceeds authorised access,'" the CDT explains in its research. "This uncertainty has at least two elements: The limits of authorised access and the means by which those limits are set. What this means for researchers is that, when they wish to interface with another machine or system, it is not always clear what they can do."
Nearly half of the researchers surveyed by CDT said that the DMCA posed significant legal risk to their work. However, researchers were uncertain about how exactly the law could apply to them.
"Most researchers mentioning the DMCA as a risk factor expressed certainty about their ability to identify when their work might implicate the DMCA," the CDT wrote. "However, few were confident in their ability to determine what was permissible when the DMCA was clearly implicated or to assess the potential legal consequences of different projects. At least one commented specifically on the uncertainty of the DMCA, noting the chilling effects this uncertainty had on their consideration of DMCA-related work."
Without clear legislation, researchers are forced to make decisions about what kinds of research are legally acceptable based on instinct and hope. For instance, some researchers avoid working on products that require a user to agree to a terms of service or licence agreement, because the researchers believe violating these agreements could put them at risk of being prosecuted under CFAA. However, other researchers believed terms of service agreements were not enforceable and continued to conduct work on platforms that require them, the CDT found in its study.
Researchers also struggle during the disclosure phase of their work, the CDT said. Many researchers will set up a public disclosure of their findings in order to warn consumers of vulnerabilities in the products they use, or to advertise the fact that a bug has been discovered and patched.
However, many companies react poorly to disclosure, and legal threats can often occur during this process. "In fact, disclosure is a common thread uniting nearly every documented example of security researchers experiencing unfavorable treatments as a result of their work," the CDT wrote.
CDT conducted its research by engaging in qualitative interviews with more than 20 security researchers. Given the sensitivity of their work, the researchers are not identified by name or gender.
Dozens of security researchers signed an expert statement that accompanies the CDT study. "Security researchers who search for vulnerabilities often find themselves in areas where laws or regulations forbid or hinder tinkering with devices and software. They are at particular risk where copyright is involved or where they publicly report their discoveries," the statement says. "We urge support for security researchers and reporters in their work, and decry those who oppose research and discussion of privacy and security risks. Harming these efforts harms us all."