Influencers: Antihacking law obstructs security research
A strong 75 percent majority of Passcode’s Influencers said a US government law used to prosecute hackers overly restricts necessary security research.
Passcode’s group of digital security and privacy experts say the Computer Fraud and Abuse Act (CFAA) — meant to prevent illicit trespassing on computer systems — is written far too broadly and often results in punishments that are too harsh for the infractions. They complain the law’s vague language enables prosecutors to go after legitimate security researchers investigating potentially dangerous security vulnerabilities that could harm consumers — and even target users of video streaming services such as Netflix and HBO Go who share their passwords with friends and family.
“You could indict a ham sandwich with the CFAA,” says Jeff Moss, founder of the DEF CON and Black Hat hacker conferences, in response to Passcode’s Influencers Poll, a regular survey of more than 150 leading voices from the government, defense, private sector, and advocacy communities.
The law allows for “intimidation by companies of lone researchers,” Mr. Moss says, and needs to be updated to “reflect the current reality of what consent means in a hyperconnected and always-on world.”
While some tech companies have started so-called “bug bounty” programs to allow and even incentivize hackers to legally search for security flaws, others have opted to use the CFAA to prosecute researchers whose findings they feel overstepped terms of service or accessed their databases improperly. For instance, in May, the FBI arrested Texas-based security researcher Justin Shafer after he discovered a vulnerability in dental software that could allow anyone to view sensitive data for 22,000 patients on a publicly available server. The company that developed that software said Mr. Shafer’s decision to access that data violated the CFAA — even though it was meant to root out vulnerabilities that could endanger consumers.
The law specifically bans “unauthorized access” to computer systems, but Influencers say it doesn’t clearly define what that means. “The vagueness of ‘unauthorized access’ makes researchers gun-shy when their research requires interacting with systems and services exposed to the public internet,” says Chris Wysopal, chief technology officer at the cybersecurity firm Veracode.
And if researchers are unable to investigate technical flaws, everyone’s security is at stake, Mr. Wysopal adds. “This stifles our understanding of the risks present in the technology and the way we use the internet.”
Researchers’ roles are vital to consumers, adds Rodney Joffe, a senior vice president at the analytics firm Neustar, yet the law “has repeatedly stymied solutions that could have mitigated the damage caused by criminals and nation-state actors. And it has done nothing to reduce these malicious activities.”
The “overzealousness” of attorneys who prosecute CFAA cases is another thing that can deter security researchers, adds Cris Thomas, a strategist at Tenable Network Security who is also known by the hacker name Space Rogue. The case of famed programmer Aaron Swartz, who committed suicide in 2013 while facing 35 years in prison and a $1 million fine on federal data theft charges for leaking millions of documents from behind the paywall of an academic database to the public internet, drew public attention to the tough penalties.
Christopher Doggett, a senior vice president at the data backup company Carbonite, also cites reports that members of US law enforcement have threatened security researchers with indictment in response to their efforts to discover vulnerabilities. “When these considerations are combined with the fact that the statute can result in multiple redundant felony counts with high penalties, there can be almost no doubt that the ‘white hats’ and ‘grey hats’ in the security community have a very real reason to be concerned,” Mr. Doggett says. “And that in turn can mean only one thing: fewer vulnerabilities are discovered and disclosed by those who seek to make the online world a safer place.”
The broad legal boundaries of the CFAA have also allowed prosecutions of computer crimes to proceed if hackers are found to have violated a website’s terms-of-service agreement, some Influencers say. “That overreading should be soundly rejected,” says Jonathan Zittrain, a professor at Harvard Law School.
In fact, linking violations of terms of service to computer fraud and abuse might not be so easy if a recent court challenge is successful. Last month, the American Civil Liberties Union filed a lawsuit claiming the CFAA violates the constitutional right to free speech, on behalf of a group of academics and journalists from several universities and First Look Media, which publishes The Intercept. The researchers complained that overly restrictive terms of service on websites they needed to use for an investigation into racial discrimination in housing and employment prohibited them from scraping data that was otherwise publicly available.
Just this week, that case may have gotten a boost when the Ninth Circuit Court of Appeals ruled in a separate case that violating the terms of service for a website can’t be the sole basis for prosecuting cases under the CFAA.
The law was originally signed by President Reagan as part of a 1984 revision of the US criminal code, and there has already been motion in Congress to update it. For instance, Sen. Ron Wyden (D) of Oregon and Rep. Zoe Lofgren (D) of California unsuccessfully pushed for legislation last year that would clarify vague language in the law to help low-level hackers.
Some of Passcode’s Influencers are in a position to push for change on Capitol Hill. “The vital role security researchers play in protecting our systems today was certainly not anticipated by the drafters of the CFAA, and while the Justice Department has been making strides in communicating with researchers about their prosecutorial discretion, it is clear that the language of the statute is chilling research,” says Rep. Jim Langevin (D) of Rhode Island. “It is clear that the CFAA is in need of updating thanks to rapid advances in technology and cybersecurity practices.”
Still, Mr. Langevin stressed that “any reform of the CFAA must ensure that we possess the necessary tools — such as botnet provisions — to prosecute the many malicious actors who attack US networks each day.”
On the other side, a 25 percent minority of Influencers said that changes to the law are not necessary, since they see many violations as fairly clear-cut.
“Doing ‘research’ on a network without the network owner’s permission is a highly questionable practice,” said Stewart Baker, a former National Security Agency counsel who currently serves as a partner at the Washington-based law firm Steptoe & Johnson. “One person’s researcher is another person’s hacker,” added an Influencer who chose to remain anonymous. Influencers are given the choice of responding on record or anonymously to preserve the candor of their responses.
Others think that legitimate security researchers haven’t been seriously held back by the CFAA, while, at the same time, pushing changes through Congress could prove particularly difficult. “Sure, there are aspects of it that could be improved, but the security research community isn’t really one to be held back by laws,” said one Influencer. “I think it’s doing pretty well — and trying to make changes to it would take a lot of political capital out of a Congress that doesn’t seem able to do much of anything of value.”
Comments:
YES
“In its current form, the 1984 Computer Fraud and Abuse Act is too broad and needs clarification in scope on activities that can hamper legitimate security research. There is pending bipartisan legislation in Congress that would exclude terms of service violations from the Act. The Act is important in the rapidly changing digital economy, especially for combating cyber crime, and specifically identity theft. But like technology itself, it needs to be updated and adapted to the newest and most critical threats while achieving a balance of security, commerce and privacy.” — Charles (Chuck) Brooks, Sutherland Global Services
“The CFAA needs to be ‘modernized’ - blanket declaration of criminal activity when someone violates a website’s Terms of Service is just too broad.” — John Pescatore, SANS Institute
“But it is increasingly important to have a sense of how much it does so. Almost any conceivable regulation will restrict, intentionally or otherwise, some kinds of research (and this is true not just of IT). Not all those restrictions are bad; some are justified on the basis of a benefit-risk analysis. But how are we to know if any particular restriction is ‘worth it’? The ‘chilling effect’ arguments are often theoretical and unmeasured. Time to get more precise.” — Steve Weber, UC Berkeley
“Many researchers fear that the onerous terms of service of internet sites may trigger the Act through basic security research, or even by mistake. Now that the [Defense Department] has offered a bug bounty for testing the security of their sites and systems, the legal landscape becomes even more confusing.” — Günter Ollmann, Vectra Networks
“Obstruct may not be the right word, but there is definitely a chilling effect on security research because of poorly worded provisions in the CFAA. Fear of criminal prosecution has forced many researchers to reconsider their actions, leaving the public at risk. The problem isn’t limited to just the ambiguities and vagueness in the wording of the CFAA but also in overzealousness of prosecuting attorneys. Companies who threaten civil litigation are also a major problem and use the threat of the CFAA to force researchers and the companies they work for to bend to their demands.” — Cris Thomas aka Space Rogue, Tenable Network Security
“The CFAA is well-intended but outdated. It has only been amended a handful of times since it was first passed in 1984, while the technology landscape has changed utterly over those thirty years.” — Nate Fick, Endgame
“The CFAA plays an important role in society but has been applied beyond its original intent to the detriment of legitimate security research. The [Justice Department] could play a constructive role here by providing thought leadership to fellow prosecutors on the appropriate parameters to be applied in CFAA cases involving security researchers.” — Abigail Slater, The Internet Association
“The Computer Fraud and Abuse Act is long overdue for reform. Sometimes, important security issues can be uncovered by poking at a product or service in a way that the manufacturer never intended. Unfortunately, the CFAA criminalizes unauthorized poking by default, even if there is no intent to do harm. This certainly deters valuable security research and provides a cudgel that providers have used to silence critics rather than respond to the underlying problems they are identifying. It certainly behooves service providers to explicitly authorize responsible security research on their products. Even the Pentagon explicitly authorizes security research of their systems and networks. However, Congress should act by heightening the mens rea requirement for prosecution under the CFAA. The balance that was struck in the 1980s is no longer relevant today.” — Tom Cross, Drawbridge Networks
“The CFAA - a statute suffering from both definitional ambiguities and circuit splits - is, unfortunately, a part of the standard tool-kit of legal threats aggressive attorneys sometimes use to silence researchers attempting to report security vulnerabilities to companies.” — Andrea Matwyshyn, Northeastern University
“The framers and authors of CFAA never could have imagined the kind of cutting edge offensive computing research that is commonplace today. The vagueness that makes it so effective against today’s cyber-crime is a double-edged sword when it comes to the risk security researchers must subject themselves to just to do their job. And by using CFAA as a litmus test, legislators who don’t understand the inherent nuance are likely to ban huge swaths of necessary security research, with the misguided intent of ‘fixing’ cyber security.” — Nick Selby, Street Cred Software
“The ‘elasticity’ that the Justice Department has read into the CFAA allows them to go after a range of well-meaning behavior. That’s obviously going to have a chilling effect on researchers. The problem then becomes deciding how you draw lines between legitimate researchers and ‘intruders.’ The bad guys don’t wear burglars’ masks anymore.” — Influencer
“In its current form, the CFAA is written with such broad terms that it makes it possible for prosecutors to use it in an extremely wide range of scenarios, which poses a real threat to all types of security researchers at any time. And the risk is not theoretical; precedents have already been set in notable cases such as United States v. Auernheimer and United States v. Swartz, to name two. In addition, there have been reports that members of U.S. law enforcement have threatened security researchers with indictment in response to their efforts to discover vulnerabilities. When these considerations are combined with the fact that the statute can result in multiple redundant felony counts with high penalties, there can be almost no doubt that the ‘white hats’ and ‘grey hats’ in the security community have a very real reason to be concerned. And that in turn can mean only one thing: fewer vulnerabilities are discovered and disclosed by those who seek to make the online world a safer place.” — Christopher Doggett, Carbonite
“As technology has evolved so must the law. CFAA should be updated so the research community can improve cybersecurity without fear of prosecution.” — Influencer
“Numerous security researchers have pointed out the overbroad nature of the Computer Fraud and Abuse Act. With so many technologists voicing concerns about CFAA’s impact on the field, only the woefully ignorant would suppose that it has no detrimental impact on security research. As should be obvious, even if the intent of CFAA isn’t to limit security research, the self-censorship within this field that has been caused by CFAA is already creating a detrimental wake.” — Sascha Meinrath, The X Lab
“We have been trying to reform this for a long time.” — Nico Sell, Wickr
“Actually, current interpretations of the Digital Millennium Copyright Act are probably more materially obstructing computer security research than the CFAA. That having been said, there is a history of private sector actors invoking the CFAA and leveraging the power of government to respond to a wide variety of activities that don’t necessarily appear malicious.” — Bob Stratton, Mach 37
NO
“Sure, there are aspects of it that could be improved, but the security research community isn’t really one to be held back by laws. And they seem to be crushing it in so many ways. I think it’s doing pretty well - and trying to make changes to it would take a lot of political capital out of a Congress that doesn’t seem able to do much of anything of value, so I’d rather they focus on ISIS and climate change than try to spend time working on this issue.” — Influencer
“Doing ‘research’ on a network without the network owner’s permission is a highly questionable practice.” — Stewart Baker, Steptoe & Johnson
“One person’s researcher is another person’s hacker.” — Anonymous Influencer
“No. But it does obstruct information sharing.” — Dan Geer, In-Q-Tel