The Law of Web Application Hacking. CanSecWest March 9, 2011 Marcia Hofmann, EFF

Similar documents

Retaliatory Hacking: Risky Business or Legitimate Corporate Security?

JAN (a) The obstruction, impairment, or hindrance of the. (b) The obstruction, impairment, or hindrance of any

Legal and Ethical Issues Facing Computer & Network Security Researchers

Secure Mail Registration and Viewing Procedures

The False Claims Acts What you need to know

Bring Your Own Device Security and Privacy Legal Risks

Acceptable Use Policy

Information Security Law: Control of Digital Assets.

Updated Administration Proposal: Law Enforcement Provisions

No. 03 Civ. 2183(NRB). Feb. 23, * * * MEMORANDUM AND ORDER

Sharing a VoiceThread

Handbook on Conducting Research on Social-Networking Websites in California 1

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

Encrypting*a*Windows*7*Hard*Disk* with%bitlocker%disk%encryption!

What You Need to Know and What You Need to Do

Business Or Pleasure: The Challenges Of Bring Your Own Device Policies In The Workplace

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

MICHAEL D. WAKS LONG BEACH PERSONAL INJURY ATTORNEY

What Personally Identifiable Information does EducationDynamics collect?

Privacy Statement. Privacy Practices and Feedback

PROMOTION NAME: Boosterthon s Florida Prepaid Scholarship Contest ( Contest ) OFFICIAL RULES

False Claims and Whistleblower Protections All employees, volunteers, students, physicians, vendors and contractors

OPENING INSTRUCTIONS

ELECTRONIC COMMUNICATION & INFORMATION SYSTEMS POLICY

ELECTRONIC HEALTH RECORDS

COMPUTER AND NETWORK USAGE POLICY

* IN THE. * CASE NO.: 24-C Defendant * * * * * * * * * * * * * * * * * * * * * * * MEMORANDUM

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Terms and Conditions:

Optum Website Privacy Policy

1. What information do we collect?

Using ShopTab with an Affiliate Marketing Program

Digital Evidence Collection and Use. CS 585 Fall 2009

Selecting a Law Firm Cloud Provider: Questions to Ask and Ethical/Security Concerns

Definitions. As used in through , the following definitions apply:

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

Cybercrime: A Sketch of 18 U.S.C and Related Federal Criminal Laws

Privacy Law Basics and Best Practices

TERMS and CONDITIONS OF USE - NextSTEPS TM

2. "Consumer" means an individual. (same as 15 U.S.C. 1681a(c))

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

Personal Injury Laws

Internet Marketing For Denver Law Firms

COMPUTER FRAUD AND ABUSE ACT. US Code as of: 01/05/99 Title 18 Sec Fraud and related activity in connection with computers

Tracking Employees Via Mobile Devices: Legal or Not?

Social Media Marketing Plan by Robert Middleton

Social Media Guidelines

Pinterest Beginner s Guide for Attorneys

Small Business Guide to Monitoring your Online Reputation

Social Media Friend or Foe?

Understanding the Civil Involuntary Commitment Process

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

a. Credit to be used primarily for personal, family, or household purposes. c. Any other purpose authorized under 15 U.S.C. 168l(b).

Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common

Website & Hosting Terms & Conditions

ABUSE: HOW DO I REPORT ABUSE, NEGLECT, AND EXPLOITATION? GUIDELINES FOR DIRECT SUPPORT PROFESSIONALS WORKING IN THE INTELLECTUAL DISABILITIES SYSTEM

FORMAL OPINION NO Accessing Information about Third Parties Through a Social Networking Website. Facts:

what your business needs to do about the new HIPAA rules

Verizon Wireless Family Locator 4.9 User Guide Contents

Internet Service Provider Agreement

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

Social Media Guidelines

JEWISH FAMILY SERVICE NOTICE OF PRIVACY PRACTICES

Making the leap to the cloud: IS my data private and secure?

An act can be both a crime and a tort. Example reckless driving resulting in an accident

HIPAA and Privacy Policy Training

STOP SMART METERS. If a utility company installed a Smart Meter on your property or residence, you can do something about it. Who Can Take Action?

3Degrees Group, Inc. Privacy Policy

The following is an excerpt from the 2012 Manual on Town Government. LIABILITY

Privacy Policy & Terms of Use Effective: 12/13/2011. Terms and Conditions. Changes in this Privacy Policy. Internet Privacy & Security

fraud, waste, abuse, compliance, integrity, Integrity Help Line

DCPS STUDENT SAFETY AND USE POLICY FOR INTERNET AND TECHNOLOGY

Transcription:

The Law of Web Application Hacking CanSecWest March 9, 2011 Marcia Hofmann, EFF

what we ll talk about today Three situations you should recognize and approach with caution when you re doing security research involving web applications. Some of the laws that might come into play in those situations. Ways to reduce whatever risk your research might create.

what do I mean by risk? A couple things. The likelihood of becoming an attractive target for a law suit or prosecution, either with or without basis. The likelihood that a court might decide that you ve run afoul of the law.

My goal today is not to frighten you or discourage your research. I want to help you spot a few potentially sticky situations and safely navigate them. I also want to help you think about ways to design your research to avoid trouble.

This is not legal advice. If you are concerned about the legality of your research, you should speak with a lawyer about your specific situation.

Sticky situation #1 violating terms of use

what are they? The terms that regulate how people can access and use the service. You ll often find a link to the terms at the bottom of a site s homepage, but sometimes you ll have to hunt around to find them.

what are they? Examples: Twitter: Terms Terms of Service Facebook: Terms Statement of Rights and Responsibilities Paypal: Legal Agreements Paypal User Agreement

Be sure to check whether more than one agreement might apply. Also see whether other agreements/policies are incorporated be reference.

who agrees and when? Google: You agree by clicking to accept or by actually using Google services. Twitter: You agree by accessing or using services/site. Facebook: users and others who interact with Facebook agree by using or accessing the service.

laws that might apply Violating terms of use could involve: Breach of contract civil claim monetary damages, if any (compensation for loss) perhaps account terminated Computer intrusion laws?

risky moves Agreeing (or agreeing ) to terms of use, then violating them. Causing harm to either computers or data. Invading privacy Interrupting service Damaging the system Others

less risky Know what the terms say before you begin your research. If possible, don t agree to them. Don t allow your research to cause harm to a computer, whoever owns the computer, or anyone whose data is stored on the computer.

Sticky situation #2 accessing someone else s computer without permission or authorization

laws that might apply Accessing someone else s computer might involve: Computer intrusion laws Computer Fraud and Abuse Act (18 U.S.C. 1030) State laws Common law trespass laws Trespass to chattels (requires harm)

unauthorized access The CFAA prohibits, among other things, intentionally access[ing] a computer without authorization or in excess of authorization, and thereby obtain[ing]... information from any protected computer. 18 U.S.C. 1030(a)(2)(C).

unauthorized access Courts have interpreted obtaining information broadly. Basically any computer connected to the internet is a protected computer. So the major limiting principle is unauthorized.

Folks have tried to make creative arguments for defining unauthorized to include violating terms of use... United States v. Drew Facebook v. Power Ventures United States v. Lowson

risky moves Getting around measures intended to keep you out of the computer or restrict access to particular data. Appearing to have bad motives. Causing harm.

less risky Get permission to access the computer and/or data. Use your own computers/accounts/data. Don t cause damage or interrupt service. Don t agree to or violate terms of service, if possible.

Sticky situation #3 intercepting or accessing other people s communications

laws that might apply Eavesdropping laws Wiretap Act (18 U.S.C. 2510 et seq.) State laws Laws protecting routing information Pen Register Act (18 U.S.C. 3121 et seq.) State laws Laws protecting stored communications Stored Communications Act (18 U.S.C. 2701 et seq.) State laws

Helpful tip: Consent takes care of a lot of potential problems here.

risky moves Intercepting/accessing communications without the consent of the parties. Misusing those communications or the information that you learn from them. Breaking encryption or other measures meant to ensure the privacy of communications.

less risky Having consent from one or more parties before intercepting or accessing their communications. Consider intercepting or accessing your own communications rather than those of others.

questions? Marcia Hofmann Senior Staff Attorney, EFF marcia@eff.org