LAS VEGAS--Security researchers and black-hat hackers could face
legal troubles if they publish detailed information about
vulnerabilities and exploits, according to a presentation at a

Jennifer Granick, director of Stanford University's Center for Internet and Society, warned the audience at the Black Hat
security conference late Thursday that they could run afoul of recent
laws like the Digital Millennium Copyright Act, as well as
centuries-old common law restrictions.

One possible way for researchers to escape liability is
to be careful not just of what they say, but how they say it. "How you
market what you publish could be just as important as what you're
publishing," said Granick, a criminal defense lawyer. "The law may
treat that circumstance differently if you're sending this information
out to help people."

The U.S. Constitution's First Amendment generally makes it legal to
publish truthful information, but over time, courts and legislators
have created many exceptions to that general rule. If the publication
includes working computer code--such as an exploit that takes advantage
of security vulnerabilities--the legal status is even less clear.

That's because courts have had a difficult time coming up
with analogies for computer code, which contains both functional and
informational aspects, to more traditional forms of publication,
Granick said. "It communicates to computer scientists, but it also does
something. It is a tool. The communicative aspect is protected by the

Granick said Stanford Law School is planning a conference
in October to explore some of the ways vulnerability disclosures could
trigger legal prohibitions, which include the DMCA, the common law tort
of negligence, state laws, criminal laws against conspiracies, wire
fraud statutes and the Council of Europe's convention on cybercrime.

Last year, Hewlett-Packard invoked the DMCA and computer crime laws when threatening to sue
a team of researchers who publicized a vulnerability--including actual
exploit code--in HP's Tru64 Unix operating system. The company backed
down after public outcry.

The Justice Department invoked the DMCA to prosecute
Dmitry Sklyarov, a Russian programmer who allegedly violated the
controversial federal law by writing an e-book unscrambler. Charges
against Sklyarov were eventually dropped in exchange for his testimony
at his company's trial, which ended in an acquittal.

Princeton University professor Ed Felten was threatened with a DMCA
lawsuit for exposing weaknesses in a music watermarking scheme, and the
hacker publication 2600 was successfully sued under the DMCA by eight
movie studios for distributing a DVD-decrypting utility. The DMCA
includes limited exceptions for security testing, encryption research
and reverse engineering.