The Importance of Protecting Good-Faith Security Research

The Computer Fraud and Abuse Act is America's federal anti-hacking statute, but it's been used for purposes well beyond that. The law's broad language has let it be used as a cudgel against business competitors and departing employees, to prosecute cyberbullies and activists alike, and even to threaten security researchers who discover vulnerabilities in computer systems. The specter of lawsuits and criminal prosecution chills valid and important research, not only in security but in the social sciences as well.

Good-faith security research is crucial to improving the systems we rely on in every part of our lives, from automobiles to the electrical grid to election equipment. In recent years, great strides have been made in improving relationships between researchers, the government, and the owners of systems in which vulnerabilities may lurk: from mutual suspicion and distrust, to cooperation in the name of the greater public interest. Coordinated vulnerability disclosure (CVD) has emerged as a standard practice for members of the public to conduct security research and safely report the vulns they find to organizations so that they may be fixed in a timely manner.

Nevertheless, the CFAA still looms in the background of security research in the U.S. If a researcher inadvertently colors outside the lines of an organization's bug bounty program, for example, or if a company reacts with hostility to an attempt to report a bug, the researcher may still face legal risk. And when companies act in bad faith -- as with mobile voting app Voatz, which reported a student researcher to state authorities last fall because, as the company told a U.S. senator, it suspected the research might be unflattering to Voatz -- that doesn't only jeopardize the researcher in question; it reminds the entire security community of the CFAA's sword of Damocles dangling overhead of their livelihoods and freedom.

America cannot afford to lose out on the vital work of researchers due to the climate of fear that the overbroad CFAA has continued to perpetuate, exacerbated by bad actors such as Voatz. The Supreme Court has a chance to narrow the scope of the law this term, in the first-ever CFAA case to reach the Court, Van Buren v. United States. The Court's decision may prove to be a landmark for safeguarding security research -- if the Court heeds the computer security experts who filed in a "friend of the court" brief in the case in support of petitioner Van Buren. 

Voatz, unfortunately, also filed a brief in the case earlier this month, doubling down on its decision to call the authorities on a college student, pushing a blinkered view of CVD, and urging the Court to keep the CFAA broad enough to remain a weapon that Voatz and companies like it can use as a means of exerting total control over how security research happens: "my way or the highway" (to prison). This brief wasn't so much an earnest vision of the law as it was another entry in Voatz's ongoing public-relations offensive, intended to downplay and distract attention from the multiple reports of critical insecurities in its mobile voting platform. It's in especially poor taste coming as it does mere weeks before a momentous U.S. election in which election security is a significant concern for many Americans. 

The security community couldn't stand idly by and let Voatz put its twisted views before the nation's highest court without a response. That's why today I'm joining more than 70 security experts, companies, organizations, and a U.S. congressman in signing a letter responding to Voatz's brief. The letter aims to debunk the inaccurate picture Voatz painted not only of its own actions, but of good-faith security research and best practices more broadly.

I'm happy to see the letter get some good press so far, and I'm thankful to all the signatories who have lent their names to this important issue. Special thanks to bug bounty hunter extraordinaire Jack Cable, my colleague at Stanford, for spearheading this letter (which we both signed in our individual capacities, not on behalf of Stanford).

Security research is crucial to our democracy. For too long, a law aimed at malicious hackers has instead chilled researchers' important work. It's time for the Supreme Court to rein in the CFAA.

Add new comment