Leadership Lab: Information Technology and the Law
This series of essays explores the many aspects of technology law relating to computer and information security.
Dispel Criminal Intent with Open Communication
Aug 27th, 2007
By Benjamin Wright, JD
Responsible security professionals, pursuing legitimate goals, sometimes worry that their actions will violate computer crime laws. Take for instance the Computer Fraud and Abuse Act. It is worded so broadly that it can be read to punish almost any unauthorized access to a computer that causes the computer's owner a problem.

A recent study explores the possibility that white hat security professionals could be prosecuted for probing a web resource without the owner's permission, for example by running a vulnerability scanner such as Nikto against it, or otherwise testing a Web 2.0 application for security weaknesses. See the Inaugural Report of the CSI Working Group on Web Security Research Law, June 11, 2007.[1]
Sometimes reputable professionals have good reason to conduct these kinds of probes. They might be surveilling a phishing site that is stealing passwords from their client's customers. Or they might be performing a public service to Internet users, in keeping with the time-honored practice by security researchers of testing popular desktop software for weaknesses.
Above-board security professionals can take a number of steps to minimize the risk of breaking the law. In order to commit a crime, a person must have intent to do something wrong. A powerful way to dispel "wrongful intent" is to openly communicate what you are doing and what the justification for it is, before and during the activity rather than only after the fact.
One example: If you are aggressively probing a phishing site, then send or leave a message identifying yourself, saying you have reason to believe the site is phishing, explaining that you are running vulnerability tests, and so on.
Another example: If you are researching a popular Web 2.0 application for the purpose of informing and protecting the public, then do it in the open. Send a message to the site owner identifying yourself, describing the scope and limits of your research, and explaining that you act in the public interest, consistent with the established practice of independent testing of software applications. Give the site owner time to respond. And then blog about what you do and let the public see.
These suggestions stem from the general notion that transparency and open communication are the best means to prevent a good person from being mistaken for a crook.
I grant you, these suggestions are not without controversy. There is more to this topic than I have space for here. We discuss these and related issues in the series of courses I teach on IT security law.
===
As with all public statements by Mr. Wright, this essay provides general information and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
===
[1] http://www.gocsi.com/forms/fbi/csi_workinggroup.jhtml
[2] http://www.sans.org