Thanks to our speakers and everyone who came out last night for the Innovation or Exploitation event, highlighting problems the Computer Fraud and Abuse Act (CFAA) poses for security research, innovation, tinkering, academic research and libraries. I learned a lot, including that much of what librarians do today -- like making court records and academic articles widely available and cataloging books -- requires "scraping" and data mining whose legality is questionable under the CFAA.
During the event, I posed what I've found to be hard questions to answer about the ideal computer crime law. Those questions are below, and I would be eager to hear thoughts on what the answers might or should be. Meanwhile, to keep up to date on Stanford CIS's CFAA efforts and other work, please sign up for the newsletter, follow us on Twitter or read the blog. Thanks again!
- Should criminal liability hinge on evasion of a code-based restriction or technical protection measure? How should we define that code-based restriction?
- How should the criminal law address the exploitation of flawed security mechanisms?
- Should evasion of download rate limitations be a crime? What about evasion of differential pricing mechanisms?
- When is URL manipulation a crime? How do we write a statute that distinguishes between URL manipulation and SQL injection attacks?
- Should the law distinguish between authorization by the computer owner and authorization by the owner of the data stored there? When should password sharing be illegal?
- Should faking your way onto a whitelist be a crime? What about faking your way off a blacklist?
- Do we need a security researcher exception? What would that look like?
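Several of these questions (the flawed security mechanism, URL manipulation versus SQL injection) turn on a technical distinction that is easier to see in code than in prose: does the visitor's input pass through the application's intended interface as data, or does it change the logic the application executes? The following is an added example written for this post, not code from the event or from Stanford CIS. It uses a constructed in-memory SQLite table and hypothetical handler names (`fetch_no_authz`, `fetch_injectable`, `fetch_hardened`) to show that the same kind of edited URL behaves very differently against the two kinds of flaw: changing `?id=1` to `?id=2` succeeds only against a handler that never checks ownership, while the injection payload succeeds only against a handler that pastes the parameter into SQL text, even though that handler does try to check ownership.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not real records): two users, one document each.
DOCUMENTS = [
    (1, "alice", "alice's tax return"),
    (2, "bob", "bob's medical record"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)", DOCUMENTS)
    return db


def doc_id_from_url(url):
    """Pull the raw, URL-decoded 'id' query parameter, as a web handler would."""
    return parse_qs(urlsplit(url).query)["id"][0]


def fetch_no_authz(db, url, user):
    """URL-manipulation case (hypothetical handler).

    The parameter is bound as data, so SQL injection is impossible here,
    but the server never checks that `user` owns the document: anyone who
    edits the id in the URL is handed someone else's record.
    """
    raw = doc_id_from_url(url)
    try:
        doc_id = int(raw)          # non-numeric input simply fails to parse
    except ValueError:
        return []
    return db.execute(
        "SELECT id, owner, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchall()


def fetch_injectable(db, url, user):
    """SQL-injection case (hypothetical, deliberately vulnerable handler).

    This handler DOES try to enforce ownership, but it builds the SQL by
    string formatting, so the parameter can rewrite the query's structure
    and comment out the ownership clause that follows it.
    """
    raw = doc_id_from_url(url)
    sql = (
        f"SELECT id, owner, body FROM documents "
        f"WHERE id = {raw} AND owner = '{user}'"
    )
    return db.execute(sql).fetchall()


def fetch_hardened(db, url, user):
    """Hardened handler: parameterised query AND an ownership check."""
    raw = doc_id_from_url(url)
    try:
        doc_id = int(raw)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, owner, body FROM documents WHERE id = ? AND owner = ?",
        (doc_id, user),
    ).fetchall()


# Two edited URLs: a plain id swap, and an id carrying an injection payload
# ("1 OR 1=1 --", URL-encoded).
MANIPULATED_URL = "https://example.invalid/doc?id=2"
INJECTION_URL = "https://example.invalid/doc?id=1%20OR%201%3D1%20--"


if __name__ == "__main__":
    db = make_db()
    for name, handler in [("no_authz", fetch_no_authz),
                          ("injectable", fetch_injectable),
                          ("hardened", fetch_hardened)]:
        print(name, "id swap      ->", handler(db, MANIPULATED_URL, "alice"))
        print(name, "injection    ->", handler(db, INJECTION_URL, "alice"))
```

Run as a script, the output shows the asymmetry: against `fetch_no_authz` the id swap returns bob's record and the injection returns nothing; against `fetch_injectable` the id swap is refused but the injection returns every row; `fetch_hardened` refuses both. Whether a statute should treat the first visitor (who used the interface exactly as built, against a server that forgot a check) the same as the second (whose input altered the program's logic) is the question the post raises; the code only makes the mechanism concrete.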