Since the first computer virus, the Morris Worm, there have been conflicts around what people should and should not do with computer and network technologies. Some of these conflicts remain in the technical realm with various parties fighting it out online, but other conflicts fall within the purview of the law. In the civil sense, aggrieved parties sue hackers for a perceived wrong, and in the criminal sense, prosecutors seek to hold someone responsible and criminally liable for wrongdoing in cyberspace.
Over the past three decades, the community that investigates vulnerabilities in computers and networks – the computer and information security research community – has grown. Beginning as a hobby of early computer scientists such as Cliff Stoll, the security research community has become a well-defined industry element that seeks to help defend information systems and networks, and to discover and repair new weaknesses in systems that billions use everyday.
We sought to study the interaction between the law, technology, and this community. Specifically, since security researchers tend to push into grey areas where the law is unclear, an understanding of the law’s “chilling effects” (inhibition or discouragement) on security research has been a major concern of those who work in and with information security. We asked security researchers and hackers what factors affect the kinds of work they choose to engage in. We then distilled those interviews to reveal the various levels of risk that researchers associate with certain activities. We hope to update this “risk basis” as new activities in security research develop and existing practices become the norm.
The report consists of five sections. Section 2 of this report describes the methodology for the qualitative investigation we employed. Section 3 discusses findings from these interviews, focusing on laws such as the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA), as well as vulnerability disclosure and other community norms. In Section 4, we describe a risk basis, listing common activities discussed in our interviews and assessing to what extent certain methods of performing those activities are more or less risky. We provide concluding thoughts in Section 5.