Security research is a dangerous business.
The threat of lawsuits or even prosecution hangs heavy over the heads of white hat hackers as well as black hats. From Dmitry Skylarov being prosecuted for cracking ebook crypto back in 2001, to Weev being prosecuted today for exposing flaws in AT&T's website security, the legal landscape is littered with potential landmines for those trying to improve Internet and software security. When a major company like Google can be sued for billions over its interception of unencrypted WiFi signals, what's a wireless security researcher to do? When an Internet luminary like Aaron Swartz can be threatened with decades of jail time for his open data activism, what's your average pen tester supposed to think? How serious are these threats - and what can researchers do to avoid them, and maybe even fix the law?
Two veteran digital rights lawyers - one who counsels companies and defends hackers, and another who is an expert in the DC policy game - and the lead strategist of a major security firm will use a game show format to share examples of legally risky research and ask the question: "Computer Crime or Legitimate Research?" Using the answer to that question, we'll start gaming out how to craft legislation that would provide a sensible security research exception to laws like the Wiretap Act, the Digital Millennium Copyright Act, and the Computer Fraud and Abuse Act.