Independent security research generally involves probing whatever computer system you can get your hands on and disclosing vulnerabilities to the organization responsible for the system. Navigating the related world of copyrights and authorized access restrictions can be complicated. As an expert in those areas, Andrea Matwyshyn has been critical to the research community’s ability to do its work.
Matwyshyn, currently a professor of law and co-director at Northeastern University’s Center for Law, Innovation and Creativity, represented a bloc that lobbied for an exemption in the Digital Millennium Copyright Act to protect security researchers who hack into their own devices in search of flaws to mitigate. Notably, that exemption also covered voting machines, which paved the way for DEF CON’s Voting Village.
But Matwyshyn says the work is not done on the DMCA, nor on the Computer Fraud and Abuse Act, which sets more explicit restrictions on hacking. Meanwhile, she says, the corporate world is increasingly appreciating the value of independent security research through bug bounty and vulnerability disclosure programs.
CyberScoop: What major challenges remain when it comes to safeguarding people from legal trouble for simply conducting security research?
Andrea Matwyshyn: The forward-looking approach that the Copyright Office took has already changed the game in producing security research on systems that had previously been functionally off limits because of concerns over copyright litigation. As a result of research that has resulted from this exemption, the state of Virginia subsequently decertified a portion of its voting systems. That came after a Voting Village that was done at the DEF CON security conference in 2017. We’re seeing concrete results making citizens safer already because of the mitigation of those concerns with the DMCA. But the problem with our DMCA exemption is that it requires renewal every three years. Ideally, Congress, which admittedly has its hands full right now, would undertake this fix to the DMCA and include it into the statute on a more permanent basis so that the need to renew the exemption every three years falls away.
The CFAA is still a point of concern and significant consternation for security researchers because of the lack of clarity it provides to security researchers who are attempting to predict whether particular research methods will run afoul of it. Congress did a stellar job for 1986, when the statute was passed. But in 1986, we weren’t all walking around with computers in our pockets. This new reality and the development of a robust security research community are providing a need and an emphasis for taking a look at the CFAA. Ultimately, I would say we need to bite the bullet and revise the language around authorized access and exceeding authorized access. In essence, that language was drafted from a lawyer’s perspective and not from a technologist’s perspective. That has been part of the challenge in creating a shared understanding of the CFAA and its constraints.
CS: This year’s Voting Village is generating a lot of buzz. It seems that researchers, election officials and vendors are largely not on the same page about the practice of doing this kind of security research. What is the value of these hacking demonstrations?
AM: The machines that were tested in the Voting Village were actual voting machines that had been used previously in various elections. So the systems themselves provided a realistic set of technical circumstances. There were some mirrored environments that they modeled off of existing technical environments. And so the argument might be whether those are precisely modeled on the reality of the technical environments in terms of the websites that are being used currently by various jurisdictions.
But the bottom line is that if the representative nature of the system is in question, let’s have that conversation. And let’s have an informed debate based on what has been found in terms of the existence of flaws in those systems. The flaws exist whether we talk about them or not. Identifying the existence of flaws allows for fixing them. And when no flaws are found on a system, it’s a validation of the security practices that went into structuring that voting system in that way. So this independent third-party audit is an opportunity for validation, legitimacy building and trust improvement in those particular voting systems.
A nice comparison point is the DEF CON Bio Hacking Village that was also made possible by our DMCA exemption. It had a lab of medical devices that included medical device manufacturers who brought their devices to the village. There was also an FDA representative in attendance. And since the shared goal is to make these devices as safe as possible, it’s a win-win.
When security researchers are welcomed to provide feedback to manufacturers of sensitive code-based devices that are ultimately used by citizen consumers of these systems, whether they are voting or medical devices, there is a critical function attached to it. In the medical device cases, it’s human life. And in the voting systems case, it’s the future of our democracy.
CS: From an individual perspective, what should people know in order to continue to conduct security research without running into legal trouble?
AM: The first one is perhaps the most obvious, which is to create a relationship with a trusted attorney who can help to guide you in crafting your research in a way that minimizes legal exposure. The Electronic Frontier Foundation does research in these ways. There are other attorneys who can also assist in working with a researcher to craft a strategy that accomplishes research goals while minimizing legal exposure. Certainty will never be achieved, but an attorney skilled in the questions of security will be able to provide a modicum of comfort and to highlight which types of research strategies are higher-risk in terms of possible legal exposure. There have been numerous cases of researchers that have worked proactively in this way with attorneys to have the end result be a successful disclosure to the company whose products were the subject of the security research.
Apart from that, when planning research, perhaps the most important determination is to what extent your research is going outside of the controlled environment that you have set up. To mitigate legal exposure, the goal is always to create as controlled an environment as humanly possible. A lab setting where you eliminate the possibility of other people’s systems being impacted by your research mitigates your risk as a researcher. With certain types of security research that’s not always possible. And those are the types of research that potentially create your gray areas that may expose a researcher to additional risks.