Recent legal developments bode well for security researchers, but challenges remain

Despite the hoodie-wearing bad guy image, most hackers are bona fide security researchers protecting users by probing and testing the security configurations of digital networks and assets. Yet the law has often failed to distinguish between malicious hackers and good-faith security researchers.

This failure to distinguish between the two hacker camps has, however, improved over the past two years, according to Harley Geiger, an attorney with Venable LLP, who serves as counsel in the Privacy and Data Security group. Speaking at Shmoocon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that minimize security researchers’ risks.

“Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research,” he said. Specifically in the US, the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers, the Department of Justice’s (DOJ’s) charging policy under the CFAA, and the Digital Millennium Copyright Act have evolved in favor of hackers. However, laws at the US state level affecting hackers and China’s recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.

Computer Fraud and Abuse Act changes

The CFAA was enacted in 1986 as an amendment to the Comprehensive Crime Control Act and was the first US federal law to address hacking. “The CFAA has been the boogeyman for the community for quite a long time,” Geiger said. “It’s maybe the most famous anti-hacking law. This is a criminal law and a civil law, and that’s important to remember. You can be prosecuted under the CFAA criminally, and you can also be threatened with private lawsuits.”

The CFAA prohibits several things, including accessing a computer without authorization and exceeding authorized access to a computer. “That phrase, exceeding authorized access to a computer, is really important,” Geiger said. “It used to mean that if you were authorized to use a computer for one thing, but then you used it for another purpose, something that you weren’t authorized to do on the computer that you were allowed to use, then that may have been a CFAA violation, sort of, depending on what circuit you were in.”

In June 2021, the US Supreme Court handed down a decision in the case of Van Buren v. United States, altering its previous stance on the CFAA. In the Van Buren decision, the Court said that if “you are authorized to use a computer for one purpose, and you use it for another, even though it’s an unauthorized purpose, that may be a violation of your contract, but it is not a federal hacking crime,” Geiger told the attendees. “But you still have to have some authorization to use the computer in the first place,” and terms of service can still possibly dictate whether you have authorization.

Another significant improvement related to the CFAA occurred in 2022 following the Van Buren decision. The US Justice Department changed its charging policy to protect hackers. That policy change directed for the first time that good-faith security researchers should not be charged.

“It is explicit protection for good-faith security research under the nation’s chief foremost prosecutor,” Geiger said. Yet there are limits to this change given that the DOJ deals only with criminal law; it doesn’t address the private lawsuit part of the CFAA, nor does it address what states can do.

Improvements under the DMCA

The DOJ’s revised charging policy takes its definition of good faith hacking from the Digital Millennium Copyright Act (DMCA), a controversial and ill-regarded piece of legislation that became law in October 1998. Section 1201 of the DMCA has an exception for good-faith security research, which is research performed in a manner designed to avoid harm and used primarily to make computers and software safer and more secure.

Section 1201 prohibits circumventing a technological protection measure, which means “bypassing software security safeguards, which is a lot of what hacking does,” Geiger pointed out. Moreover, “You have to have the authorization of the copyright owner for the software. But who gets the software copyright holder’s permission, right?” Section 1201 of the DMCA created a security research exception when it was updated in 2021. The update eliminated the loss of the exception if a security researcher just happened to be violating any other law, however unrelated.

While the exception protects security researchers, a separate restriction under the Act restricts “trafficking,” which Geiger says is a critical flaw. “So, Section 1201 of the DMCA forbids making or providing to the public any tools or technologies that are primarily for the purpose of bypassing software security safeguards, bypassing technological protection measures without, again, the authorization of the copyright holder,” Geiger said.

“Making these technologies, offering them to the public is something that every pen-testing company does. This is something that a lot of pen-testing companies, pen testers, and people who are publishing exploits are just kind of whistling past.” This trafficking restriction is now the greater risk for ethical hackers under Section 1201 than the active security research itself,” he warned.

States are the biggest threat to security researchers

Against these positive changes at the federal level, “States are the greatest legal risks to good-faith security researchers,” Geiger said. “Every state has its own version of the Computer Fraud and Abuse Act. Some states are even broader than the CFAA because they have new crimes and new language that is confusing, and that could be applied in a lot of different circumstances.”

For example, Geiger’s home state of Missouri has some of the same restrictions as the CFAA, such as no access without authorization. It also forbids taking or disclosing data residing external to a computer or network without authorization, which is broader than the CFAA. “What does that mean for scanning public-facing assets? Are you not taking or disclosing data from something that is residing outside of a computer, external to a computer, whatever that means?”

“The point is that states have a lot of messy language. A lot of it is very unclear,” Geiger said. “While we are getting toward greater clarity under the CFAA and Section 1201 under the DMCA that this community exists and this community should not be treated at the same level in the same way as malicious actors, states are just not there yet. They are not quite as mature.”

The cybersecurity community needs to better educate states on the misalignment between their hacker laws and those at the federal level, Geiger tells CSO. “The security community has done a tremendous job of educating policymakers on what good faith security research is and how it differs from malicious attacks,” he says. “I think it’s worth revisiting what the sources of greatest legal risk are for a lot of good-faith security research and directing that energy and passion for educating policymakers about good-faith security research” at the state level.

His home state of Missouri would be a good start. Almost a year ago, the state’s Republican governor Mike Parson threatened St. Louis Post-Dispatch reporter Josh Renaud with criminal hacking charges for revealing that teachers’ Social Security numbers were appearing in the HTML of the Missouri Department of Elementary and Secondary Education’s website. Prosecutors ultimately declined to make good on Parson’s threat.

International vulnerability disclosure models needed to counter China

Finally, Geiger warns of the dangers to hackers from China’s recently adopted vulnerability disclosure law, which requires vendors to report their vulnerabilities to the Chinese government within 48 hours of discovery. Researchers who don’t meet this requirement face the possibility of prison time for disclosing tools or technologies.

“If you hear it, it is a giant sucking sound of unpatched vulnerabilities flowing to the Chinese government because this a 48-hour timeline,” he said. Geiger tells CSO that China’s vulnerability disclosure law represents a model we don’t want to see replicated internationally. A vulnerability disclosure law that requires researchers to turn over their findings to the government “is a model where the company may not welcome the vulnerability disclosure in the first place. This does not help researchers.”