A talk at a security conference in Washington offered a little long-awaited reassurance to security researchers: Federal prosecutors just aren’t that into you anymore.
In a talk at ShmooCon Friday evening, Venable LLP cybersecurity lawyer Harley Geiger told attendees that two laws long considered harmful by information-security types have grown less toxic because of recent actions in Washington.
“The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act have evolved in favor of hackers,” he said at the start of his “Hacker Law for Hackers” presentation.
The CFAA, passed in 1986 after growing alarm over the risks of hacks (catalyzed to some degree by the 1983 classic WarGames), criminalizes access to a computer system “without authorization” or that “exceeds authorized access.” The DMCA, enacted in 1998 at the behest of Hollywood, makes it a crime to disable security measures that control access to copyrighted material. Both measures have been used to threaten and harass security researchers.
But in 2021, the Supreme Court held (PDF) that the CFAA does not cover unauthorized use of “information that is otherwise available” to a person. That essentially took terms-of-service violations out of the law’s scope. As Geiger put it, “that may be a violation of a contract, but it is not a federal hacking crime.”
In May 2022, the Justice Department went further, announcing that it would no longer prosecute good-faith security research under the CFAA. “That is a big deal,” Geiger said.
He sounded a little less cheery about the DMCA and its Section 1201 ban on circumventing copyright-protection systems. Change has come to that statute mainly through the Library of Congress’s Copyright Office, which can grant and renew public-interest exceptions to the anti-circumvention provision every three years.
In 2021, the office renewed and expanded a “1201” exemption on breaking copyright protection for security research. It still, however, prohibits distributing those circumvention tools, which Geiger called an ongoing threat to penetration-testing firms: “Making these technologies, offering them to the public, is something that every pentesting company does.”
Many state computer crime statutes, however, have yet to see any comparable evolution. “The greatest legal risk to security research, I think, is often in state laws,” Geiger said.
He brought up a Missouri statute that includes this on its list of banned activities: “Discloses or takes data, programs, or supporting documentation.” As in, what security researchers do all the time, and also a common feature of “dark web” monitoring services such as those being pitched at ShmooCon.
Maryland’s law, meanwhile, makes it a crime to “possess, identify, or attempt to identify a valid access code” without authorization. Asked Geiger: “Is that a crime in the state where the NSA is housed?” An audience full of people aware of the codebreakers working at the National Security Agency’s headquarters in Ft. Meade, Md., laughed out loud.
On the other hand, Geiger commended Washington’s statute for specifically protecting “good faith testing, investigation, identification, and/or correction of a security flaw or vulnerability.”
Geiger finally pointed to a new Chinese regulation on the management of network security vulnerabilities as yet another risk. This statute, which took effect in September 2021, requires researchers to report bugs they have discovered to Chinese authorities within 48 hours, which is nowhere near enough time for vendors to patch most of them.
Geiger’s description of the consequences: “It is a giant sucking sound of unpatched vulnerabilities heading to the Chinese government.”
He urged attendees to fight against attempts to copy and paste those principles into other legal regimes: “The model that we saw from China we do not want to see replicated elsewhere.”