Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School.

Transcription

1 Jennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School

2 Topics For Today 1. What are the state and federal laws regulating access to computer systems and how do these laws affect civil and governmental investigations of computer security breaches? 2. Is there a risk of civil or criminal liability for maintaining insecure computer systems? 3. Is reverse engineering legal? 4. What are trade secret laws? 5. How do license agreements affect reverse engineering and trade secrets? 6. What is the proper way to report security vulnerabilities? 7. How do I know when I need to talk to a lawyer?

3 Federal Law 18 USC 1030: Makes it a crime to access a computer without authorization and obtain information or cause damage.

4 State Law CA PC 502(c)(3):Knowingly and without permission uses or causes to be used computer services or (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

5 CFAA and Incident Investigation/Strike Back: 18 USC 1030(a)(5)(A)(i) : knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.

6 Liability for Insecurity? Downstream victims Denial of Service Attacks: Zombie Computer Storage or Distribution Site for Copyright Infringing Materials Child Pornography or Obscenity Attack Tools

7 The Law of Reverse Engineering Is it a right? Protected by Fair Use Atari Games Corp. v. Nintendo of America, Inc., 975 F.2d 832 (Fed. Cir. 1992) Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510, (9th Cir. 1992) Sony Computer Entm t, Inc v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000)

8 Reverse Engineering DMCA Anti-circumvention provisions a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

9 EULAs and Reverse Engineering Bowers v. Baystate Blizzard v. BnetD

10 Trade Secret Law California s trade secret act prohibits the misappropriation of trade secrets. Misappropriation means acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge.

11 Trade Secret Law and RE Reverse engineering is proper, not improper, means and is specifically allowed by California law. As used in this title, unless the context requires otherwise:(a) Improper means includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means. Reverse engineering or independent derivation alone shall not be considered improper means.

12 Trade Secret Law and EULAs Violation of an NDA is a trade secret violation. Violation of an End User License Agreement is a trade secret violation? Formation Issues A violation of a promise in a EULA is a violation of contract, but not an improper means of discovering a trade secret. Any limit to enforceability of EULA terms on other grounds?

13 Security Publication: Pros Public Awareness of Security Risks Enables SysOp Remediation Motivation for Vendor to Patch White Hats Know What Black Hats Know: No Security Through Obscurity

14 Security Publication: Cons Public Relations Nightmare: Relative Seriousness of Problem Window of Opportunity Before Patch Script Kiddies: Greatly Increases Potential Attackers

15 Security Publication Dual Nature: The same information that allows more widespread exploitation of vulnerabilities is required to correct those vulnerabilities.

16 Security Publication: Issues Security Through Obscurity vs. Script Kiddies Timing of Disclosure What to Disclose To Whom

17 Legal Liability? Negligence: Duty Not to Publish? Conspiracy: Agreement? Aiding and Abetting? Wire Fraud: Intent to Defraud? State Statutes? Digital Millennium Copyright Act Council of Europe Convention on CyberCrime

18 DMCA Prohibits Circumvention of Technological Measure that Effectively Controls Access to a Copyrighted Work Prohibits Manufacturing and Distribution of Any Technology (Tools) Primarily Designed for the Purpose of Circumventing Access Controls Limited Commercially Significant Purpose OR Marketed for Use in Circumvention

19 DMCA: Exceptions Security Testing Encryption Research Reverse Engineering

20 Security Testing Exception OK to access a computer network solely for the purpose of good faith testing and correcting a vulnerability, with authorization, if not an infringement or other violation of law Factors: information used solely to promote the security of the owner of the tested computer system, or information shared directly with the developer of the system AND information not distributed in a way that might enable copyright infringement or other legal violations Security tools OK if do not otherwise violate section (a)(2).

21 Encryption Research Exception Professional Cryptographers Seek Advance Permission Necessary to Advance the State of Knowledge in the Field Publishing Results Does Not Promote Infringement

22 Reverse Engineering Exception Purpose to Achieve Program-toprogram Interoperability Reverse Engineering Is Necessary Information Divulged for the Sole Purposes of Enabling Program-to- Program Interoperability

23 When to Talk to a Lawyer

24 Jennifer Stisa Granick, Esq. Center for Internet & Society Stanford Law School 559 Nathan Abbott Way Stanford, California USA +1 (650)