Legal Issues in Mobile Security
Research
Hacker Hotshots
December 6, 2012
Marcia Hofmann, EFF
what we’ll talk about today
✪ Why mobile security research presents unique
legal considerations.
✪ Some of the laws you should be aware of when
you’re doing mobile security research.
✪ Ways to reduce whatever risk your research
might create.
what do I mean by “risk”?
A couple distinct, separate things.
(1) The likelihood of becoming an attractive
target for a lawsuit or prosecution, either with or
without basis.
(2) The likelihood that a court might decide that
you’ve run afoul of the law.
My goal today is not to frighten you or
discourage your research.
I want to help you spot potentially sticky
situations so that you can call a lawyer early
to help you safely navigate them.
I also want to help you think proactively
about ways to design your research to avoid
trouble.
This is not legal advice.
If you are concerned about the legality of your
research, you should speak with a lawyer
about your specific situation.
What makes mobile security research
legally interesting?
factors
✪ Networked devices that access, store and
transmit vast amounts of information, lots of
which is intensely personal
✪ Many different players involved in the space:
manufacturers, platform providers, software
developers, carriers, users
✪ Embedded software (tricky © issues)
some legal considerations*
(1)
contract law
which contracts?
The documents that set out terms purporting to
regulate how people can access and use a device/
program/service.
E.g., end-user license agreements, SDK licenses,
terms of use, carrier contracts
Be sure to check whether more than one
agreement might apply to your research.
Also see whether other agreements/policies are
incorporated by reference, and read them, too.
laws that might apply
Violating an agreement could involve:
✪ Breach of contract
    ✪ civil claim
    ✪ monetary damages, if any (compensation for loss)
    ✪ perhaps account terminated
✪ Computer crime laws…?
(2)
computer intrusion laws
laws that might apply
Accessing someone else’s computer might involve:
(1) Computer Fraud and Abuse Act
18 U.S.C. § 1030
(2) Similar state computer crime laws
unauthorized access
The CFAA prohibits, among other things,
“intentionally access[ing] a computer without
authorization or in excess of authorization, and
thereby obtain[ing] . . . information from any
protected computer.”
18 U.S.C. § 1030(a)(2)(C).
Certain folks have tried to make creative
arguments that violating an agreement
makes access “unauthorized”…
United States v. Drew
Facebook v. Power Ventures
Sony v. Hotz
United States v. Auernheimer
(3)
copyright laws
laws that might apply
Accessing and making copies of someone else’s
copyrighted code might involve:
(1) Copyright Act (copying)
17 U.S.C. §§ 101 et seq.
(2) Digital Millennium Copyright Act
(accessing/enabling others to access)
17 U.S.C. § 1201
Copyright Act
✪ Broadly prohibits infringement of copyrighted
works, including code.
✪  Protects expressive elements, but not underlying
functional elements.
✪  Stiff penalties (injunctions, statutory damages,
criminal penalties).
an important exception: fair use
It’s OK to use copyrighted material for
purposes such as research, news reporting,
commentary, criticism, and scholarship under
certain circumstances.
fair use and reverse engineering
If reverse engineering is necessary to gain
access to functional processes and ideas,
intermediate copies are fair use.
Be sure that you’re legitimately in possession
of the software, and don’t use someone else’s
code in your final product unless absolutely
necessary.
contracts revisited
Some agreements forbid reverse engineering.
Can they do that?
So far, the courts say yes.
Digital Millennium Copyright Act
Basic prohibitions:
(1) Can’t circumvent technological measures
that effectively protect or control access to
copyrighted works
(2) No trafficking in tools that are primarily
designed, valuable or marketed for (1)
Digital Millennium Copyright Act
Again, tough civil/criminal penalties.
(injunctions, statutory damages, criminal
fines, prison time)
protection/access measures
CSS
protocol encryption
authentication handshakes
“chain of trust” signing?
code obfuscation?
proprietary protocols?
important exceptions
reverse engineering
encryption research
security testing
personally identifiable information (PII)
exemption process
✪  Library of Congress made clear in 2010 and
2012 that jailbreaking phones doesn’t violate the
DMCA.
✪  Doesn’t apply to jailbreaking other devices (at
least, not yet).
✪  Doesn’t authorize the distribution of jailbreaking
tools.
(4)
communication laws
laws that might apply
✪ Eavesdropping laws
    ✪ Wiretap Act (18 U.S.C. § 2510 et seq.)
    ✪ State laws
✪ Laws protecting addressing/routing information
    ✪ Pen Register Act (18 U.S.C. § 3121 et seq.)
    ✪ State laws
✪ Laws protecting stored communications
    ✪ Stored Communications Act (18 U.S.C. § 2701 et seq.)
    ✪ State laws
watch out for
✪  Inspecting packets without consent of the
parties (note one-party vs. all-party consent).
✪ Breaking encryption or descrambling.
✪  These laws are outdated and confusing. It’s
worth checking with a lawyer if your research
involves looking at communications, even just
routing information.
designing safer research
✪  Identify and read any applicable agreements
before you begin your research.
✪  Don’t agree, if possible.
✪  Test on your own devices/accounts/data/
communications.
✪  Get permission to access the device/accounts/
data/communications.
✪  Make sure that the copy of the software you’re
studying is legally acquired.
✪  If you make a copy of someone else’s code,
make sure that you need it to understand how
the program functions, and don’t copy more
than you have to.
✪  Avoid making copies of code for a purpose
other than analyzing how a program works.
✪  Talk to a lawyer before breaking crypto,
descrambling, or bypassing other security
measures.
✪  When studying others’ code, consider asking
permission, even if you don’t think you’ll get it.
questions?
Marcia Hofmann
Senior Staff Attorney, EFF
marcia@eff.org
