
IoT VILLAGE - Internet of Laws: Navigating the IoT Hacking Legal Landscape


Formal Metadata

Number of Parts: 322
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The world might be getting more connected, but not less risky to hack. This talk will give IoT hackers a quick intro to the variety of legal pitfalls that govern IoT hacking, from the notorious Computer Fraud and Abuse Act and the DMCA to bug bounty legal terms and the “good-faith” security exemption now pending renewal. Hackers will learn which terms they should beware of in light of recent developments in anti-hacking laws, recent developments in CFAA case law and bug bounty legal scandals, and which strategies could be useful to comply with the DMCA security exemption and anti-hacking laws in general.
Transcript: English (auto-generated)
Hello. Good afternoon. It's a pleasure to be here with you in this excellent, wonderful village, and it's very exciting to see people hacking things in the back, and we're going to talk about the legal implications of this. My name is Amit Elazari. I'm a doctoral law candidate at Berkeley Law and a CLTC grantee. Here with me, Jamie.

And I'm a staff attorney at the Electronic Frontier Foundation, and I am on our civil liberties team and do a lot of work with the Computer Fraud and Abuse Act, which we'll be talking about today.

Cool. And as you might have heard, I'm Israeli. That's the accent. So in true Israeli fashion, I want to start with a direct question. How many of you here know this guy? None? Nobody? Okay. This is Kevin Finisterre. He's a respected security researcher who found a vulnerability in one of DJI's drone systems, a vulnerability that, according to reports, leaked personal information of their consumers. Now, although he has tons of hair, Kevin wanted to wear the white hat. He wanted to report the vulnerability to DJI in their newly launched bug bounty program. Now, when this program was launched, it wasn't launched with a clear scope or terms. So Kevin contacted DJI and, according to reports, DJI in fact authorized that the vulnerability he found was in scope. Not only that, my friends, they offered him $30,000 for that bug. That's a lot of money for you bug hunters here in the room. That is considered very high. But then the plot thickened. DJI also wanted Kevin to sign an agreement that he found was one-sided, one that left him exposed. And when he refused, according to reports, they threatened him with legal action under the notorious Computer Fraud and Abuse Act. Well, how does the story end? Kevin ended up walking away from a $30,000 approved bounty. That's right, my friends, a new Tesla. Let's take a moment to appreciate that lesson, Tesla.

And this is a wake-up call for all of us here. Legal threats are on the rise. We hear more about security researchers, even reporters, being threatened with respect to issues concerning security research and vulnerabilities. In fact, this is such a huge topic that the Center for Democracy and Technology, CDT, just asked 50 experts to sign a letter basically going to the community and telling everybody that we need to address this now. The chilling effects are creating an atmosphere of anonymously disclosing vulnerabilities in full disclosure instead of working together in coordinated disclosure. Not only that, they conducted an interview with 20 leading security researchers. Half of those researchers suggested that the DMCA, copyright law, and we're going to talk about the DMCA, and the CFAA, the Computer Fraud and Abuse Act, the two main federal anti-hacking laws, have basically undermined their research in a certain way. There were concerns with respect to those laws that affected their research. One researcher even said that he avoided implicating a CFAA claim when researching a vehicle. So these are real, relevant concerns and we need to address them now, even when it comes to bug bounties or vulnerability disclosure programs that used to be considered quite safe.

So this is a legal talk and a terms-of-use talk, and in true terms-of-use fashion we have a disclaimer. Although we are lawyers, I'm not admitted in the United States and we are not yet your lawyers. You can definitely talk with EFF about them becoming your lawyers, but this is not legal advice. So let's take a
deep dive into what we're going to talk about today.

Alright, let's see. Alright, so there are good lawyers in the world, like us, and there are crafty lawyers, and these are the tools that we're going to talk about today that these lawyers use for companies to go after security research. So the first is the Computer Fraud and Abuse Act, which is a criminal law that has a civil enforcement provision. Very vague, passed in 1986, we'll talk about that more. Also state anti-hacking laws, which are very similar to the CFAA. The DMCA and its security exemption. Contracts, in terms of service, EULAs, and the Consumer Review Fairness Act, which we're going to go over as well.

In one example, this is Nest's terms of service. People are, I think, hacking on Nest in the back and we wonder if they've read these terms of service, but for instance, if you breach a terms of service, that could be a contract violation or get you into trouble with the CFAA. One very common restriction is this restriction here against modifying, making derivative works of, disassembling, reverse compiling, or reverse engineering any part of a software product. And then there's also here a limit on disclosure. So not just the security research that's prohibited, but also actually disclosing it. And this doesn't necessarily apply. So even if it didn't constitute hacking, you could get in trouble under this disclosure provision.

Yeah, so this is really interesting. This is a new development. If you look at this language here, they suggest that even for the performance that is going on while they're in the back, the analysis of basically the security practices of the devices, you need their consent before you go disclose it to any third party. Now, here there is a new development. This is a new law. We still don't have much clarity because the courts or the FTC have yet to weigh in on this, so this is still emerging. But this suggests that actual security researchers, as consumers of products, should be able to communicate, like a review, right? What are the actual implications of the product? What are the assessments of the performance of the product? And contracts that try to limit such disclosure, which is important for transparency for consumers, are not allowed, are prohibited. So this is a new thing to look at. What's interesting here is that they do not allow disclosing potentially damaging computer code. So you need to think about the limitation of the proof of concept that you're publishing. How are you going into depth about allowing others to reproduce this? Probably not a good idea. Again, this is a law that is just emerging and something to look at. But while this is a new law, unfortunately the CFAA and the DMCA are not new at all. They were enacted at a very early stage, before the Internet as we know it. So let's hear more about those main anti-hacking laws.

Alright, so I want to talk first about the Computer Fraud and Abuse Act, and as Amit mentioned, this is a 1986 statute originally. Congress was trying to go after serious computer break-ins and
actually cited WarGames in a Senate report. But back then, of course, I mean, maybe even still, Congress doesn't necessarily always understand how computers work, and had a little bit of trouble defining what they were trying to get at. So they criminalized intentionally accessing a computer without authorization or in excess of authorization. And the statute defines exceeding authorization, but it refers back to without authorization. So the key terms of the statute are with authorization and then without authorization. Where is the line between those two? And the statute doesn't define that. There are other sections of the law. This is just one of them. This is the broadest section, and the language has to be interpreted the same through every section. It also prohibits unauthorized damage, which is a separate provision of the law. And courts have been confused about what this language means. So there's currently a circuit split.

At first, courts were interpreting terms of service violations or actually employment contracts, so computer use restrictions that your employer would place on you. They were interpreting violations of those, or duties of loyalty to your employer. So if you accessed a computer for non-work purposes, you were breaching your duty of loyalty and therefore violating the Computer Fraud and Abuse Act by accessing this computer without authorization. These are older cases. That interpretation of the law, of course, taken to its end is: okay, so if I lie about my age on Facebook, is that a Computer Fraud and Abuse Act violation? And actually, the government tried to go after a woman for lying about her age in a MySpace profile back in the day. And kind of ever since that case especially, the constitutional issues of this being a completely broad and insane statute have been kind of more apparent to courts. So courts started going the other way. And the 9th Circuit interpreted the law narrowly in a case called Nosal, United States versus Nosal. And in that case, the court said that, no, terms of service violations, computer use restrictions, violating computer use restrictions does not constitute a Computer Fraud and Abuse Act violation. It's not without authorization according to what Congress was intending. But violating an access restriction, which the court characterized as circumventing technological access barriers, was a CFAA violation. And so other courts started following that, the 4th Circuit, the 2nd Circuit, but then there were a couple of interesting password sharing cases with kind of bad facts. So this is Nosal 2 and Power Ventures.

And these cases kind of threw a wrench in this whole circuit split situation because they were password sharing, they weren't really hacking. And in both cases, the person who accessed the computer was using the password with the valid consent and authorization, valid credentials with permission. Power Ventures involved scraping information and putting it all in a different place for users who wanted to go to one place and check multiple social media accounts, and Facebook didn't like that, so they sued them under the CFAA. Nosal 2, which is the second version of the first Nosal case, involved an employee giving her password to somebody else who came and stole some trade secrets. Trade secrets definitely covered it, so the court didn't need to go out and reach it. Facebook could have sued Power Ventures for intentional interference with economic relations or business relations, but instead they went after it under the CFAA and the courts somehow found a way to contort the law in a very confusing way. I personally don't think the opinions are consistent with Nosal 1, which is an en banc decision, which it should have been consistent with. So this has created a lot of confusion. The court said in Nosal 2, you know, if you're not the computer owner, you can't even give authorization, which is pretty confusing because people share passwords all the time. The dissent recognized there was no difference between password sharing in that case and normal password sharing. Not that you should share passwords. Don't share passwords. And then in Power Ventures, the court said that Facebook users had given the company authorization, but when Facebook sent a cease and desist letter saying you are no longer authorized and they violated the cease and desist letter, that was a Computer Fraud and Abuse Act violation. And so now companies are trying to use this law to actually go after companies for scraping online in the public,
in publicly available data context. So it's becoming an anti-competitive tool, and if they interpret it super broadly, of course it's going to be an anti-security-research tool. And in fact, the ACLU, oh, this is an old 2010 computer crime manual from the DOJ which talks about how it's relatively easy to prove that a defendant had only limited authority to access a computer, such as when they violate a terms of service. The government has since walked back from prosecuting these cases, but companies are still doing it, and the way that these cases are interpreted in the civil context applies equally in the criminal context. Which is why people are so scared when you see this in terms of service, or in a cease and desist letter, or a threat letter.

So we have one good case recently, though, out of a district court in DC. Security researchers and The Intercept, represented by the ACLU, brought a case against the government arguing that the CFAA violated the First Amendment, violated the Constitution, because it was unconstitutionally vague and blocked their constitutionally protected security research. And in that case the court actually narrowly interpreted the CFAA to avoid the constitutional issue and found that with scraping or using automated tools, you can access that information anyway; it's not hacking to use technology to help you get information that you already can, even when the terms of service prohibit it. And so employing a bot to crawl a website or apply for jobs may run afoul of a website's terms of service, but it does not constitute an access violation when the human who creates the bot is otherwise allowed to read and interact with that site. And the court actually quoted Star Wars as well in the decision, which makes it extra cool.

Yeah, so what we're seeing here with hiQ, which is another important scraping decision, still basically in litigation, or argument within our circuit, and in the Sandvig decision, there might be a future for our bots. So in public-facing infrastructure, the idea that you're gonna use terms of use or even technological measures, like IP blocking, to limit the way researchers, companies, competitors, algorithmic auditors that are often engaged in scraping in order to uncover bias and deception in black box algorithms... all of these people are gonna be greatly, greatly influenced, and all of us, by those two main decisions basically progressing right now, hiQ in the 9th Circuit and Sandvig in the DC Circuit. So let's say a future for bots.

Let me add one thing. I also just wanted to quickly mention, because you mentioned IP address blocks, that it is our position at EFF that an IP address block is not a technological access barrier, because it does not keep anyone out. That's an issue that's coming up in these cases, and companies are trying to argue that it does, so that's one issue to watch.

So, and this is extremely interesting, because in the argument we just saw, in the whole argument in hiQ, the lawyer is saying, wait, is it in fact a technological measure if it's just slowing me down and not actually preventing me from accessing? So great point on that. But the CFAA is not alone in the
land of anti-hacking laws, especially for you guys out there in the back, and for IoT hacking, for car hacking, for all of these devices that have embedded security, the DMCA, the Digital Millennium Copyright Act, an amendment to the copyright law, is a very important anti-hacking law. So this is a federal law with criminal and civil liability, mostly civil, and it basically prohibits circumvention of technological measures that effectively control, and this is one of the components of this clause, the access to software code as copyright-protected work. Now the question is, do we actually need copyright infringement when we evaluate the circumvention and whether the DMCA was violated? Now here we have murkiness and a split. There are some decisions that suggest that if you are circumventing for the purpose of basically establishing interoperability, so jailbreaking, etc., the DMCA should not be an issue, but when it comes to media and videos, etc., courts have been more willing to think that you don't have a really close relationship to copyright infringement, so this is the Lexmark decision, one example, versus the Blizzard decision, for those of you writing citations.

Now the courts and the regulator and Congress recognize that this is a law that might not keep up with technology, exactly like the CFAA. This is a law from '98 that was basically inspired by big entertainment companies seeking to prevent piracy. So in order to make sure that the law keeps up with technology, we actually have some statutory exemptions for security testing and encryption, but as you can see, they have tons of requirements. For security testing, you need authorization from the owner. Yeah, I'm sure that person is gonna let you hack their product. We actually have empirical research showing that when people tried to get authorization, they were either often refused or even got flat letters back, so the statutory exemptions are murky in extent because they have tons of requirements and it's not clear what the weight of each requirement is. We also have a temporary good-faith security exemption. So I talk about the law basically being at risk of not keeping up with technology and basically stifling new developments. So we do have a process where basically every three years the Copyright Office is engaged in this multi-stakeholder discussion to figure out what kind of carve-outs, what kind of safe harbors and exemptions we need to create from that very broad anti-hacking law. And one of those exemptions from 2015, now pending renewal, probably gonna be renewed, in a very final process, is the temporary good-faith security exemption that doesn't require the authorization like the statutory exemption, but guess what? You thought that it's gonna be free and broad? No, we do have tons of limitations.

So, first of all, we have a device limitation. Right now, as it's written, it's geared towards devices that are basically designed to be used by individual consumers. So let me ask you, an elevator versus a Nest device? What about commercial printers, right? So this is quite vague, but this also includes voting machines, by the way. So our friends right here, the Voting Machine Hacking Village, great job, the DMCA security exemption was really important for that. This also includes motorized land vehicles, Car Hacking Village friends, yes, they also rely on that to some extent, and medical devices in certain circumstances. But this is only one requirement. Guess what? You need to lawfully acquire the machine. So our friends here in the IoT Village probably got their machines from Nest, that's great, you need to lawfully acquire the machine. Then, you also need to only be engaging in your research for the purpose of good-faith security research, not violate any other law, and this is the real main issue, because as we will show you, there is a relationship between the laws. So for example, if my Nest comes with the terms of use, and I'm violating the terms of use because I'm hacking, you saw our anti-hacking language before? I'm violating that contract. Do I get the DMCA exemption or not? Because now I'm risking the CFAA and other law violations. So this is a very important component that there is a lot of debate about right now, and basically there are a lot of people requesting that this be removed. Then, not only that, the research should be conducted in a controlled environment. Is this a controlled environment, etc.? So the idea here is that there are plenty of requirements as well, and we are trying to remove some of them. In fact, the Department of Justice itself weighed in on this issue, and they suggested, in their comments, that there is an issue with limiting the security research exemption only to devices primarily designed for consumers, so we might see this removed, and they also suggested that this idea that everything should be in a lab-like environment is not realistic, and it's not what we need. That's not how products are being used in reality. So whatever is going to happen with the DMCA good-faith security exemption is going to be really, really important for all you IoT hackers, so stay tuned. Now, I mentioned bug bounties in the
beginnings, because there is another aspect here, which is the relationship between the CFA, the DMCA, and believe it or not, bug bounty contract terms. So this is my own project, legal bug bounty, and the relationship basically is dependent on that clause you
just saw that suggested that violating the CFA contract law might undermine the DMCA security exemption. So, by show of hands here in the room, who here heard about the bug bounty, ever visited a page like this, or vulnerability reward program? Yeah, we have some hunters in the room, that's cool. Well, this is on the rise, um, not only bug
bounties, only vulnerability, also vulnerability disclosure programs, and one reason is that regulators are actually pushing that, and that includes IoT regulators like the FDA, um, and NHTSA. In fact, the FTC has written, just two months ago, I'm not mistaken, in one
document, that they think that failure to maintain a process to get security vulnerability from the community and addressing them is, in fact, unreasonable under the FTC act. This means that we're gonna see more and more companies coming to you, coming to
us, coming to everybody, and setting in place at least a vulnerability disclosure program, a communication channel, and the language of that program, that contract, is also gonna be very important. Why? I'm not sure that anyone here has perhaps encountered this piece of bug bounty terms. So, these are bug bounties, not vulnerability disclosure programs, although they also have legal terms, but what's funny is there are a lot of terms of use in bug bounties, and often we ignore the legal part of a bug bounty and we just focus on the technical scope, but this part could actually create liability. So why don't I talk about that? I actually conducted research and I read hundreds of terms, and what I found was, in some cases, pretty conflicting stuff. For example, these are AVG's bug bounty terms. They suggest that when you submit a bug, you also agree to the EULA, the end user license agreement that is geared towards users, and guess what? That EULA has the same anti-hacking language that we just saw: no spoofing, no attempt to gain unauthorized access, no hacking. So, this combination between the bug bounty terms and the EULA creates potential civil and criminal liability. It shifts the risk to the hacker. Now, these are the takeaways on the terms: you should be careful in reading them and addressing them and knowing what's at stake. This is just one example. To kind of summarize this point, from what I saw, there are a lot of cases where companies are shifting the risk to the hacker. Now, as we saw, this is not just contractual liability, this is CFAA liability and DMCA liability, because it's all boiling down to authorization.

So, a piece of good news. I don't know if anyone here knows EdOverflow, but we are working together on standardizing safe harbors and legal language for bug bounties. This is my own project, Legal Bug Bounty, you can check it out. And in fact, we had some developments: Bugcrowd has now launched Disclose.io, in collaboration with me. Bugcrowd is a hacker-facing platform, creating almost like an open-source, one type of language that bug bounty and vulnerability disclosure programs can adopt in order to make sure they don't put the crowd, the hackers, at risk. So, check that out, it's called Disclose.io. And we did have some success, and I really want to give a shout out here to Dropbox, adding an explicit safe harbor in their bug bounty from the CFAA and the DMCA, and Mozilla, yes my friends, the pioneer of bug bounties, this month basically launching a new safe harbor in their bug bounties. So slowly we're gonna see this type of language in bug bounties and VDPs with respect to authorization and waiver of potential claims against the researcher. Now this is key, you need to be on the lookout because this affects your liability. If a company has that type of language in their contract, you are probably safer than in the case that they don't have it, right? Because basically when they authorize access, and if you are staying in scope, you are like a pen tester. The legal foundation of the claim is negated. So this is another part of the conversation. And I have my own project where I actually list all the companies with safe harbors, and you can
check that out. Just to finalize that note, a final comment on wiretaps, and I'm not gonna get into the weeds of this too much, but I'm happy to say that this is actually one of my own projects. We just presented it at the Crypto Village. We conducted an at-scale audit on Android apps that included a lot of security testing, let's put it that way. And one of the concerns, one of the actual comments that we got from the reviewers, and I have my co-author here in the room, Primal, shout out to him, was: is there a potential wiretap problem here? So let me explain what the issue was. We created basically a stock, a cluster, a database of 6,000 apps from the Google Play store, and we created an infrastructure where we basically looked at all the network analysis, but in order to do a dynamic analysis at scale, we actually needed to, quote unquote, play the apps. What we wanted to see is what is being collected, from a data perspective, each and every moment the app is interacting with the user. But instead of having real users interacting with 6,000 apps all the time, that's impossible, right? We had to automate the process, so we used something that is called a monkey, an exerciser, basically software that is acting like a user and touching the interface. Bottom line, what was interesting here was that the wiretap claim wasn't relevant because our communication wasn't human at all. The so-called, quote unquote, person interacting, the network that was basically monitored, wasn't created by any human, but by our software, our monkey. So when you're basically doing IoT testing, wiretap is also important. Make sure, especially if it's speakers, Google Home and the like, that you don't have other people in the room that you are listening to, or others whose consent you didn't obtain. Wiretap is another thing to be on the lookout for. So I want to wrap it up, and I need Jamie to talk
about a little bit of actual practical recommendations that we have for you people here in the room.

Alright, so as Amit mentioned, one thing you could do is ask for permission, but that definitely doesn't always work and it's not always an option. But one of the first things you need to do is be aware. So, are there terms of service? What do they say? Read them. And also, if there's a bug bounty program, read those terms. And if you get a cease and desist letter, or someone saying you're not authorized to do something, just be aware that that could be a red flag for the CFAA. It's good to just know what laws they're using, know how they're interpreted, know that there's a circuit split and you might be at issue, because then you can know one other thing, that you can ask EFF. So who all knows what EFF is, or who EFF is? Well, not everybody. So we are a digital rights non-profit, we've been around since 1990, and we have a Coders' Rights Program where people come to us with security research questions. We represent on a consulting basis and give advice about what to do, what not to do, if the research already happened, what the legal risks are, and things like that. So it's free, so that's one thing that I definitely want everyone to take away: come ask us if you have any questions, we're happy to help. Also CDT, another non-profit, the Center for Democracy and Technology, posts recommendations online that can be really useful. Another thing to do is use your own computers and accounts and your own devices, rather than your neighbors' without their permission: devices that you are definitely authorized to use, accounts that you're definitely authorized to use. That doesn't always work in some cases. For instance, under the CFAA, if you're accessing a server or doing anything on the cloud, you're accessing someone else's computer, and therefore this won't actually protect you, but offline testing could help. So if you're downloading things and doing things on your own system, then you're not accessing anyone else's computer. Also, minimizing interactions with users' data, and also second-hand devices, which helps with the first sale doctrine. So if you're entering into, buying a phone, you have a terms of service agreement with the phone company. Like I said, it's not the best, but if you sell the device, it's not necessarily, you don't have the same contractual relationship. And then, again, bug bounty. Wait, what is this?

Yeah, I'm gonna add on that, sorry, late addition, but maybe newsflash to the audience here in the room. So, Bounty Factory is a European bug bounty, they're really cool, and recognizing that this landscape isn't perfect, they actually created a tool to report vulnerabilities via Tor. I haven't tried it, but just wanted to let you know, I heard it was used in some circumstances. The idea is basically: minimize your risk. I am hoping that we will get to a point where there will not be any question, if you're engaging in a coordinated disclosure and trying to work with a company under a VDP, that there are no risks of legal threats, but this is not our case yet. So this is with respect to that. And also important with respect to bug bounties is basically, what are the lines when it comes to demonstrating impact? So, again, the idea is, if you see users' data, that's a very, very, very hard stop. Even if you want to show the impact of a vulnerability in a bug bounty, you should be very mindful of what proof of concept you are producing, and communicate basically with the program owner if there is any doubt. We see a lot of tension and kind of vagueness around that issue of where the line stops when it comes to proof of concept. If you want to hear more about bug bounty, I'm doing a Legal Bug Bounty talk tomorrow at Skytalks at 3.

So, finally, we want to give you some takeaways, some websites you can check out. So, we have here the EFF website and the Coders' Rights Project. You want to say something about that?

Sure. Well, I already talked about the Coders' Rights Project. We also have a website online with lots of blog posts about all sorts of things, which is a really great resource. We also have a booth in the vendor area if you want to come ask any questions. And if you want to contact the Coders' Rights Program, I should say, email info at EFF dot org and we will help you.

Yeah, and Legal Bug Bounty, you can check out my project, the CDT report that I just mentioned. That is a really cool report, basically coming from their interviews with 20 leading researchers. They have a bunch of recommendations there. They also explain the law. Check it out. Here's the link. You can check it out on CDT, and just Google it on their website. And if you want to have a general CFAA overview, there are great talks by Leonard Bailey and others on YouTube. There is also this great overview document. The main idea is: be mindful, consider learning more about this issue. Yes, the situation is not perfect, but we're doing what we can to deal with it, especially Jamie here, who is doing amazing, amazing work. That's it. I want to end with a kind of good note and a kind of final hopeful story to the CFAA mess. You remember Kevin, our guy? The loss of the 30,000 bounty? Well, guess what? Although DJI threatened him with a suit, later thereafter they added an explicit safe harbor to their bug bounty policy, communicating to security researchers that they will not pursue legal action. And the point here: this community has tons of power. It's not just the law, it's also reputational issues that will basically come hunt you if you threaten a researcher. And we have a lot of power to change stuff. Stay tuned, be involved, ask questions. We are here, and that's it. Thank you so much. And follow also the IoT bill. This is not law yet, but it has a CFAA and DMCA safe harbor. This is work by Andrew Cavalieri, he's doing amazing work. This is also kind of a positive final note to end with. Okay, we are here for your questions. If we have a bit more time, I think we do.