Balancing Economic Freedom with Personal Safety

U.S. Computer Crimes and Security Research

Posted by Isaac Rowe on December 2, 2016

The United States’ laws concerning hacking and digital intellectual property are quite controversial. Opponents view them as broken laws that give corporate lawyers too much power while putting innocent people at risk. Proponents believe they are essential pieces of legislation in fighting online abuse and protecting intellectual property. To some, these laws are a safeguard for a productive, capitalistic society; to others, they are a threat to a free society. Much has been written about the widespread effects of these laws, but one facet remains underexplored. Security researchers often need to bypass encryption put in place by product manufacturers and view proprietary code in order to analyze flaws and make assessments. This kind of research is particularly important because researchers may find flaws that are life-threatening to users (like the ability to hijack a car or medical device), or they may discover illicit activity on the part of the manufacturer (like an EPA emissions test-cheating device). However, the act of bypassing encryption is made illegal by copyright and computer fraud law. Do the benefits of these laws outweigh the ethical problems created by impeding researchers? To answer this question, it is necessary for this discussion to first explore why these laws exist and what benefits they provide, then examine the importance of independent researchers as well as their plight. Finally, possible legal solutions to balance this ethical question will be suggested.

The United States has a number of laws meant to prevent hacking and to protect digital intellectual property. The bulk of the laws concerned with hacking are part of the Computer Fraud and Abuse Act (CFAA), while those concerned with intellectual property are part of the Digital Millennium Copyright Act (DMCA) (Constant 231, Hasenfus 308). The acts are quite large and have been involved in numerous different controversies for different issues, but one similarity of particular note is how both acts qualify the crimes they litigate in broad terms. In 1986, the United States introduced the CFAA. It served as a revision to the first ever statute on computer crimes, the 1984 Comprehensive Crime Control Act, and defined a broad range of crimes. There were seven types of computer crime defined in the act and its 1996 Economic Espionage revision, and they mainly fall into the categories of stealing or damaging data or using protected computers without permission. However, despite the original intention of the term ‘protected computer’ to mean one that is of interest to the federal government, the term was broadened to include computers ‘used in or affecting interstate commerce,’ which encompasses many more devices. The act also fails to define other terms used widely in its content, including “access” and “authorization” (Constant 235).

The Digital Millennium Copyright Act was introduced in 1998 as a way for the United States to comply with World Trade Organization guidelines that were a part of an international treaty. Congress stated, “to comply with the treaties, the U.S. must make it unlawful to defeat technological protections used by copyright owners to protect their works” (Hasenfus 308). The problematic portion of this law is the section preventing the defeat of these “technological protection measures,” as they are called in the act. This section, Section 1201(a), or the “anti-circumvention clause,” goes beyond criminalizing the access of copyrighted work by criminalizing the very act of circumventing protection measures, effectively for any reason (Koberidze 229). Because Congress wanted the law to evolve as technology progressed, triennial petition periods were established to examine the enforcement of the law. Certain exemptions can be granted after public comments are heard by the Copyright Office (Koberidze 260).

Copyright holders are understandably opposed to changes in these rules, as it is in their best economic interest. Oftentimes, exemptions are used to exploit the company, as with a cell phone unlocking exemption that was granted and then revoked. It allowed for people to buy a phone with any carrier, then transfer it to another without hindrance, but it lead to some groups buying phones subsidized with subscriber payments made possible by locked devices and moving them to a different network, causing the carrier to take a loss (Hasenfus 305).

Generally, manufacturers and software companies are supporters of these laws, since both of the acts are critical to stopping digital piracy and protecting intellectual property. The DMCA made it possible for intellectual property owners to file complaints against people who share their material without permission, as well as litigate those who bypass their restrictions against such sharing (Hasenfus 308). According to George L. Lenard, the CFAA is particularly useful in providing legal recourse for companies when employees smuggle out proprietary code (14). Computer code, including software installed on cars or medical devices, is often the intellectual property of the company producing the device. It may contain components that are patented or copyrighted by the company, and provide a competitive advantage to them in business. For example, car companies have code to optimize their performance and fuel-efficiency, as well as sophisticated infotainment systems designed to stand out from the crowd (Bigelow, Newcomb). Companies have a capitalistic motive to protect their code from exploitation, and that capitalistic motive must be preserved, or companies may no longer innovate. For example, film copyright is managed just like software, and the Motion Picture Association of America reports that losses from piracy were $3.5 billion annually from 2002-2004 (Von Lohmann). Piracy estimates for software are conflicting, but the financial threat to these companies is growing. If security researchers were permitted to bypass restrictions, the door is left open to abuse by unethical researchers who may leak trade secrets or distribute copyrighted material.

Automakers warn that tampering with protected code on cars without official oversight incurs significant safety risks to the user by compromising protective features, and pose harm to the environment by undoing the manufacturer’s sophisticated calibration (Duffy 39). Similarly, they do not want third party companies producing unlicensed clones of what they produce, by accessing it under the pretense of security research. They also argue that their internal research is sufficient to ensure safety (Sellars). Unlike other fields, security research does not have a board of ethics or governing body, so researchers are left to their own discretion. This, unfortunately, does lead to researchers breaking DMCA and CFAA statutes and engaging in irresponsible practices such as drawing attention to products vulnerable to attack or damaging consumer hardware (Matwyshyn et al. 67).

Despite the risks posed to corporate interests, the existence of independent security researchers is imperative. These researchers, often a part of independent groups supported by nonprofits or universities, engage what is sometimes known as ethical hacking. These researchers bypass restrictions put in place to find flaws overlooked by others and may notify the manufacturer about the flaw, and, if they are ignored, they may publish their findings to catalyze change from the manufacturer or inform the public about the risk. However, anytime a technological barrier to access is hurdled, whether or not copyright is being infringed upon, the law is being broken. Very often the research focuses around securing networks and protecting privacy, which is acceptable under the DMCA (Matwyshyn et al. 69), but sometimes the research focuses on saving lives. When the law impedes this, the ethical implications become great. The best example of this risk is with independent vehicle research. In July 2015, researchers revealed to Wired magazine that they could remotely take control of a Jeep vehicle via an exploit of the UConnect onboard Wi-Fi and entertainment system (Greenberg). In doing so, they certainly violated the DMCA, but they revealed something overlooked by the manufacturer that concerned the safety of thousands of drivers. Similarly, Volkswagen benefitted from the cloak of copyright protection when it ran illegal code to cheat federal emissions tests, code which was protected under the DMCA (Duffy 34). The irresponsible researchers that companies fear are the exception: Matwyshyn et al. point out that “provided that vulnerability research is done ethically, researchers perform an important social function: they provide information that closes the information gap between the creators, operators, or exploiters of vulnerable products and the third parties who will likely be harmed because of them” (67).

The threat to researchers made by these laws is not hypothetical. Because of the vagueness in the laws, Sarah Constant notes that “the government has had a generous amount of leeway to be creative in bringing charges” (237). Even when researchers operate ethically, they may violate the law due to the inclusion of a company’s private terms of service as grounds for charges, which has been used to charge people for things like making fictitious MySpace accounts (238). In the most high-profile case, an activist named Aaron Swartz was convicted under the CFAA and committed suicide while facing the possibility of 35 years in prison for downloading 4.8 million academic articles and distributing them illegally. This was despite the fact that the owner of the articles declined to press charges— the attorney general wanted to make a point (Monarch 3-4). Medical device manufacturers have deep pockets and are extremely protective of their intellectual property, yet this area is one where the case for independent research is so ethically strong, since it directly connected to public safety. Out of fear for legal trouble, researchers in the medical industry applied for exemptions under the DMCA. As noted before, the law has a regular review and update process that allows for balance in an otherwise heavy-handed law. These exemptions are necessary for competition to be possible, for consumers to exercise their rights and for researchers to stay protected. Medical researchers from Harvard successfully received a circumvention exemption (Sellars), and the Electronic Frontier Foundation (EFF) helped procure one for vehicles, but these must be petitioned at every review to stay in effect, even without opposition, needlessly placing the burden on researchers to prove their cause (Pelegrin, Koberidze 264).

Multiple legal scholars recommend the clarification of terms in the CFAA in order to remove the ability for private terms of service to be used in qualifying crimes (Constant 245). One suggestion of doing this is to only charge for a computer crime if the unauthorized access causes harm to the owner. This keeps malicious hackers at bay while protecting average users and encouraging researchers to consider repercussions (Thaw 910). Also, considering protest acts using technology (like Swartz’) as acts of civil disobedience may prevent over-litigation of “ethical hacking” (Monarch 6). Another bill has been introduced, the Breaking Down Barriers to Innovation Act of 2015, which proposes precedents for the DMCA exemptions. That means that once a research group has proved its need to circumvent technological barriers, they need not keep fighting to maintain their exemption (H.R. 1883). This however, is only a stopgap, as the real solution may be to only consider it a crime when actual infringement on copyrighted content occurs, not when circumvention occurs (Koberidze 274).

An ideal solution would take the burden off of researchers constantly fighting to prove that they are not infringing upon copyright, so they can devote their time to serving the public. That way, the ethical dilemma caused by obstructing a privacy-protecting, life-saving public service is lifted from the law. In the same way, the integrity of corporations’ intellectual property must be preserved. One recommendation that stems from this discussion would be to institute a central board, independent of corporate interests, to oversee security research. This board would replace the DMCA exemption process and provide amnesty for CFAA and DMCA violations deemed necessary for research. They would be responsible for ensuring that best practices are carried out to respect intellectual property, stop copyright infringement, and avoid harm to property and data belonging to corporations or the public. In effect, this would carry out the intended purpose of the original laws by criminalizing the actual infringement of copyright or unauthorized access, not the use of tools and methods that could be used for copyright infringement or unauthorized access. Then security researchers could operate knowing that they will not be subject to litigation as long as they are operating ethically, which is currently not a guarantee. The public would benefit, as they now would be ensured both the best product through capitalistic competition and the safest product through thorough analysis. In order to adequately address the ethical concerns of intellectual property and research, the United States’ laws concerning the subject should be altered accordingly.

Works Cited

Bigelow, Pete. “General Motors says it owns your car’s software.” Autoblog, 20 May 2015. http://www.autoblog.com/2015/05/20/general-motors-says-owns-your-car-software/ Accessed 29 November 2016.

Constant, Sarah A. “The Computer Fraud and Abuse Act: A Prosecutor’s Dream and a Hacker’s Worst Nightmare - The Case against Aaron Swartz and the Need to Reform the CFAA.” Tulane Journal of Technology and Intellectual Property, vol. 16, 2013, pp. 231-48. Hein Online, heinonline.org/HOL/Page?handle=hein.journals/tuljtip16&start_page=231&collection=journals&id=241. Accessed 4 Oct. 2016.

Duffy, William.”Defeat Devices as Intellectual Property: A Retrospective Assessment from the DMCA Rulemaking.” The CCCC-IP Annual: Top Intellectual Property Developments of 2015. Intellectual Property Caucus of the Conference on College Composition and Communication, March 2016, pp 37- 45. National Council of Teachers of English, www.ncte.org/library/NCTEFiles/Groups/CCCC/Committees/TopIP2015Collection.pdf#page=37. Accessed 4 Oct. 2016.

Greenberg, Andy. “Hackers Remotely a Kill Jeep Highway - With Me in It.” Wired, 21 July 2015. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. Accessed 2 November 2016.

Hasenfus, Nicholas. “Unlocking Will Get You Locked Up: A Recent Change to the DMCA Makes Unlocking Cell Phones Illegal.” Journal of High Technology Law, vol. 15, no. 2, 2014, pp. 301-328. Hein Online, heinonline.org/HOL/Page?handle=hein.journals/jhtl15&g_sent=1&collection=journals&id=303. Accessed 4 Oct. 2016

“H.R. 1883 — 114th Congress: Breaking Down Barriers to Innovation Act of 2015.” GovTrack. 2015. https://www.govtrack.us/congress/bills/114/hr1883. Accessed 1 November 2016

Koberidze, Maryna. “The DMCA Rulemaking Mechanism: Fail or Safe?” Washington Journal of Law, Technology & Arts, vol. 11, no. 3, 2015. Social Science Research Network, ssrn.com/abstract=272491*7. Accessed 4 Oct 2016.

Lenard, George L. “Using the Computer Fraud and Abuse Act to Combat Improper Employee Competition.” Journal of Internet Law, vol. 8, no. 9, 2005, pp. 1 - 20. Business Source Complete. http://ezproxy.uky.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=16615409&site=ehost-live&scope=site. Accessed 29 November 2016.

Matwyshyn, Andrea M, Ang Cui, Angelos D. Keromytis, and Salvatore J. Stolfo. “Ethics in Security Vulnerability Research.” IEEE Security and Privacy, March/April 2010, pp 67-72. https://www.cs.columbia.edu/~angelos/Papers/2010/msp2010020067.pdf. Accessed 29 November 2016.

Monarch, Ben. “The Good Hacker: A Look at the Role of Hacktivism in Democracy.” Social Science Research Network, 8 May 2015, ssrn.com/abstract=2649136. Accessed 4 Oct. 2016.

Newcomb, Doug. “The Next Big OS War is in Your Dashboard.” Wired, 3 December 2012. https://www.wired.com/2012/12/automotive-os-war/ Accessed 29 Novemer 2016.

Pelegrin, Williams. “Unlocking Your Phone is Legal Again: What You Need to Know.” Digital Trends, 11 February 2015. http://www.digitaltrends.com/mobile/unlocking-your-new-smartphone-is-now-illegal-what-you-need-to-know/. Accessed 1 November 2016.

Sellars, Andy. “DMCA Exemption Granted for Med Device Research, Patient Access to Data.” Harvard Law Clinic Cyberlaw Clinic, 27 October 2015. http://clinic.cyber.harvard.edu/2015/10/27/dmca-exception-granted-for-medical-device-research-patient-access-to-data/, Accessed 1 November 2016.

Thaw, David. “Criminalizing Hacking, Not Dating: Reconstructing The Cfaa Intent Requirement.” Journal Of Criminal Law & Criminology, vol. 103, no. 3, 2013, pp. 907-48. Psychology and Behavioral Sciences Collection. ezproxy.uky.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=pbh&AN=89862800&site=ehost-live&scope=site. Accessed 4 Oct. 2016.

Von Lohmann, Fred and Wendy Seltzer. ‘Death by DMCA.” IEEE Spectrum. 1 June 2006. http://spectrum.ieee.org/computing/software/death-by-dmca/0. Accessed 29 November 2016.