Legal Risks Faced by Security Researchers: A New Guide

2020-11-13

Written by Sunoo Park.

Just last month, over 75 prominent security researchers signed a letter urging the Supreme Court not to interpret the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking / computer crime statute, in a way that would criminalize swaths of valuable security research. This was in response to opposing advocacy by a voting technology vendor with a public track record of hostility toward security research and researchers, including the IPRI group — Michael Specter, James Koppel, and Daniel Weitzner — that recently revealed serious vulnerabilities in the vendor’s product. The vendor’s brief had followed an earlier brief by the Electronic Frontier Foundation that supported the security researchers’ position. The Supreme Court case in question, Van Buren v. United States, is ongoing.

In fact, the problems are much broader than Van Buren covers. Security researchers routinely face legal risks and receive legal threats, leading to documented chilling effects on their work — this harms security research, which in turn harms the security of the technologies on which we all increasingly rely. Such risk is not limited to anti-hacking laws, but also touches copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law. These laws often appear to criminalize, or at best fail to carve out clear exemptions for, security research — often leaving legality alarmingly unclear even in areas of law that have not yet been invoked against security researchers. 

A Researcher’s Guide to Some Legal Risks of Security Research, authored by Sunoo Park (IPRI alum) and Kendra Albert, is a new joint publication of the Cyberlaw Clinic at Harvard Law School and the Electronic Frontier Foundation (EFF). It gives the most comprehensive presentation to date of this landscape of legal risks, aiming both to provide pragmatic guidance to researchers navigating today’s uncertain legal landscape, and to provoke public debate toward future reform. 

Read the full Guide here:

Cover image by Yuri Samoilov and licensed under CC BY 2.0.