How security researchers deal with risks stemming from their activities
Broad and inconsistent interpretations of behind-the-times laws, new anti-infosec legislation, lawsuits and criminal prosecutions are having a chilling effect on security research.
It’s difficult to quantify the effect, but Joseph Lorenzo Hall and Stan Adams of the US-based non-profit Center for Democracy & Technology have attempted to reveal the worries and choices of security researchers in the current climate by interviewing twenty of them.
“We used a qualitative methods research design to understand how security researchers decide whether to pursue or to avoid certain kinds of projects and activities,” the authors explained.
A few initial subjects were asked to suggest others, and none were limited to sharing their own insights and feelings; they could also talk about the experiences of those in their immediate networks.
The results
The report offers some interesting insights, both expected and unexpected.
As expected, the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) were pointed out as sources of legal risk.
“The CFAA prohibits accessing a ‘protected computer’ without authorization or in a way that exceeds authorization,” the authors noted.
“Much of the uncertainty associated with the CFAA stems from the phrase ‘exceeds authorized access.’ This uncertainty has at least two elements: the limits of authorized access and the means by which those limits are set. What this means for researchers is that, when they wish to interface with another machine or system, it is not always clear what they can do.”
And even where access limits are expressed via Terms of Service (TOS) or End User Licensing Agreements (EULAs), “it may not be certain how much legal weight those limits carry.”
The process of vulnerability disclosure is also fraught with risks, and the researchers have different ways of dealing with them (e.g., going through intermediaries or withholding public disclosure altogether).
“Whether out of a desire to minimize legal risk, to mitigate risks to third parties, or to avoid reputational harms to themselves or the larger community, the researchers we interviewed expressed a variety of self-imposed norms regarding their research and disclosure practices,” the authors noted.
“Many of these norms coincide with certain elements of the CFAA in that they reflect a desire to avoid 1) crossing the line between authorized and unauthorized access to network-connected computers, 2) obtaining information from such computers, and 3) causing any kind of harm to another computer.”
For example, when they perform network scanning they add identifying and explanatory information to their scanning infrastructure to help scanning targets understand the purpose of the scanning exercise. They also minimize or eliminate the collection of data from computers when performing these scans.
Misperceptions
The results of the research also revealed some misperceptions about barriers to security research, as well as ethical considerations that keep researchers from pursuing specific research (e.g., potential risks that their work might pose to society at large or certain categories of people) or from releasing the tools they used.
The release of the report has been accompanied by a statement from nearly 60 security researchers, experts and journalists that highlights the importance of security research and urges all members of society to support these research activities.