IoT VILLAGE - Internet of Laws: Navigating the IoT Hacking Legal Landscape

Video in TIB AV-Portal: IoT VILLAGE - Internet of Laws: Navigating the IoT Hacking Legal Landscape

Formal Metadata

Title: IoT VILLAGE - Internet of Laws: Navigating the IoT Hacking Legal Landscape
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2018
Language: English

Content Metadata

Abstract
The world might be getting more connected, but not less risky to hack. This talk will give IoT hackers a quick intro to the variety of legal pitfalls that govern IoT hacking, from the notorious Computer Fraud and Abuse Act and the DMCA to bug bounty legal terms and the "good-faith" security exemption now pending renewal. Hackers will learn which terms they should beware of in light of recent developments in anti-hacking laws, recent developments in CFAA case law and bug bounty legal scandals, and which strategies could be useful to comply with the DMCA security exemption and anti-hacking laws in general.
Hello, good afternoon. It's a pleasure to be here with you in this excellent, wonderful village, and it's very exciting to see people hacking things in the back. We're going to talk about the legal implications of this. My name is Amit Elazari; I'm a doctoral candidate with Berkeley Law and a CLTC grantee. Here with me is Jamie.

I'm a staff attorney at the Electronic Frontier Foundation. I am on our civil liberties team and do a lot of work with the Computer Fraud and Abuse Act, which we'll be talking about today.

And as you might have heard, I'm Israeli, that's the accent, so in true Israeli fashion I want to start with a direct question: how many of you here know this guy? None? Nobody? Okay. This is Kevin Finisterre. He's a respected security researcher who found a vulnerability in one of DJI's drone systems, a vulnerability that, according to reports, leaked personal information of their consumers. Now, although he has tons of hair, Kevin wanted to wear the right hat. He wanted to report the vulnerability to DJI in their newly launched bug bounty program. Now, when this program was launched, it was launched without a clear scope or terms, so Kevin contacted DJI, and according to reports DJI in fact authorized that the vulnerability he found was in scope. Not only that, my friends, they offered him $30,000 for that bug. That's a lot of money; for you bug hunters here in the room, that is considered very high. But then the plot thickened. DJI also wanted Kevin to sign an agreement that he found was one-sided, one that left him exposed, and when he refused, according to reports they threatened him with legal action under the notorious Computer Fraud and Abuse Act. Well, how does the story end? Kevin ended up walking away from a thirty thousand dollar approved bounty. That's right, my friends, a new Tesla. Let's take a moment to appreciate that lost Tesla. And this is a wake-up call for all of us here.

Legal threats are on the rise. We hear more about security researchers, even reporters, that are being threatened with respect to issues concerning security research and vulnerabilities. In fact, this is such a huge topic that the Center for Democracy and Technology, CDT, just asked 50 experts to sign a letter, basically going to the community and telling everybody that we need to address this now. The chilling effects are creating an atmosphere of anonymous disclosure and full disclosure of vulnerabilities, instead of working together in coordinated disclosure. Not only that, they conducted interviews with 20 leading security researchers. Half of those researchers suggested that the DMCA, copyright law, and we're going to talk about the DMCA, and the CFAA, the Computer Fraud and Abuse Act, the main two federal anti-hacking laws, have basically undermined their research in a certain way. There were concerns with respect to those laws that affected their research. One researcher even said that he avoided implicating a CFAA claim when researching a vehicle. So these are really relevant concerns and we need to address them now, even when it comes to bug bounties or vulnerability disclosure programs, which used to be considered quite safe. So this is really a legal talk, and in terms-of-use fashion we have a disclaimer: although we, I'm not admitted in the United States, and even we are not yet your lawyers, you can definitely talk with EFF about them becoming yours, but this is not legal advice. So let's
take a deep dive into what we're going to talk about today. All right, let's see. All right, so there are good lawyers in the world, like us, and there are crafty lawyers, and these are the tools that we're going to talk about today that these lawyers use for companies to go after security research. The first is the Computer Fraud and Abuse Act, which is a criminal law that has a civil enforcement provision, very vague, passed in 1986; we'll talk about that more. Also state anti-hacking laws, which are very similar to the CFAA; the DMCA and its security exception; contracts in terms of service and EULAs; and the Consumer Review Fairness Act, which we're going to go over as well, in addition to wiretap laws.

All right, wait. So for one example, this is Nest's Terms of Service. People are, I think, hacking on Nests in the back, and we wonder if they've read these Terms of Service. But for instance, if you breach the Terms of Service, that could be a contract violation or get you into trouble with the CFAA. One very common restriction is this restriction here against modifying, making derivative works of, disassembling, reverse compiling, or reverse engineering any part of a software product. And then there's also here a limit on disclosure, so it's not just the security research that's prohibited but also actually disclosing it, and this doesn't necessarily apply only to hacking; even if it didn't constitute hacking, you could get in trouble under this disclosure provision.

Yeah, so this is really interesting; this is a new development. If you look at this language here, they suggest that even the performance analysis that is going on, the analysis of basically the security practices of the devices, you need their consent before you go disclose it to any third party. Now here there is a new development. This is a new law; we still don't have much clarity because the courts or the FTC have yet to weigh in on this, so this is still emerging. But this suggests that actual security researchers, as consumers of products, should be able to communicate, like a review, right, what are the actual implications of the product, what are the assessments of the performance of the product, and contracts that try to limit such disclosure, which is important for transparency for consumers, are not allowed, are prohibited. So this is a new thing to look at. What's interesting here is that they do not allow disclosing potentially damaging computer code, so you need to think about the limitation of the proof of concept that you're publishing: how far are you going into depth about allowing others to reproduce this? Probably not a good idea. Again, this is a law that is just emerging and something to look at. But while this is a new law, unfortunately the CFAA and the DMCA are not new at all. They were enacted at a very early stage, before the internet as we know it. So let's hear a bit more about those main anti-hacking laws.

All right, so I'm going to talk first about the Computer Fraud and Abuse Act, and as I mentioned, this is a 1986
statute. Originally, Congress was trying to go after serious computer break-ins, and actually cited WarGames in a Senate report. But back then, of course, and maybe even still, Congress didn't necessarily understand how computers work, and had a little bit of trouble defining what they were trying to get at. So they criminalized intentionally accessing a computer without authorization or in excess of authorization. The statute defines exceeding authorization, but it refers back to without authorization, so the key terms of the statute are with authorization and without authorization. Where's the line between those two? The statute doesn't define that. There are other sections of the law; this is just one of them, this is the broadest section, and the language has to be interpreted the same through every section. It also prohibits unauthorized damage, which is a separate provision of the law.

Courts have been confused about what this language means, so there's currently a circuit split. At first, courts were interpreting Terms of Service violations, or actually employment contracts, computer use restrictions that your employer would place on you; they were interpreting violations of those, or of duties of loyalty to your employer, so if you access the computer for non-work purposes you are breaching your duty of loyalty and therefore violating the Computer Fraud and Abuse Act by accessing this computer without authorization. These are older cases. That interpretation of the law, of course, taken to its end is: okay, so if I lie about my age on Facebook, is that a Computer Fraud and Abuse Act violation? And actually the government tried to go after a woman for lying about her age on a MySpace profile back in the day, and ever since that case especially, the constitutional issues of this being a completely broad and insane statute have been more apparent to courts. So courts started going the other way, and the Ninth Circuit interpreted the law narrowly in a case called United States v. Nosal. In that case the court said that Terms of Service violations, computer use restrictions, violating a computer use restriction does not constitute a Computer Fraud and Abuse Act violation; it's not without authorization according to what Congress was intending. But violating an access restriction, which the court characterized as circumventing technological access barriers, was a CFAA violation. And so other courts started following that, the Fourth Circuit, the Second Circuit. But then there were a couple of interesting password sharing cases with kind of bad facts: this is Nosal II and Power Ventures, and these cases kind of threw a wrench in this whole circuit split situation, because they were password sharing, they weren't really hacking, and in both cases the person who accessed the computer was using the password with the valid consent and authorization, valid credentials, with permission. Power Ventures involved a social media aggregator who was basically scraping information and putting it all in a different place for users who wanted to go to one place and check multiple social media accounts, and Facebook didn't like that, so they sued them under the CFAA. Nosal II, which is the second version of the first Nosal case, involved an employee giving her password to somebody else who came in and stole some trade secrets. Trade secrets law definitely covered it, so the court didn't need to go out and reach it; Facebook could have sued Power Ventures for intentional interference with economic relations or business relations, but instead they went after it under the CFAA, and the courts somehow found a way to contort the law in a very confusing way. I personally don't think the opinions are consistent with Nosal I, which they should have been consistent with. So this has created a lot of confusion. The court said in Nosal II, you know, if you're not the computer owner you can't even give authorization, which is pretty confusing because people share passwords all the time. That doesn't recognize that there was no difference between password sharing in that case and normal password sharing. Not that you should share passwords; don't share passwords. And then in Power Ventures the court said that Facebook users had given the company authorization, but when Facebook sent a cease-and-desist letter saying you are no longer authorized, and they violated the cease-and-desist letter, that was a Computer Fraud and Abuse Act violation. And so now companies are trying to use this to actually go after companies for scraping in the publicly available data context, so it's becoming an anti-competitive tool, and if they interpret it super broadly, of course it's going to be an anti-security-research tool. And in fact they easily...

Oh, this is an old 2010 computer crime manual from the DOJ, which talks about how it's relatively easy to prove that a defendant had only limited authority to access a computer, such as when they violate the Terms of Service. The government has since walked back from prosecuting in these cases, but companies are still doing it, and the way that these cases are interpreted in the civil context applies equally in the criminal context, which is why people are so scared when you see this in the terms of a cease-and-desist letter or a threat letter.

So we have one good case recently, out of a district court in DC. Security researchers and The Intercept, represented by the ACLU, brought a case against the government arguing that the CFAA violated the First Amendment, violated the Constitution, because it was unconstitutionally vague and blocked their constitutionally protected security research. In that case the court actually narrowly interpreted the CFAA to avoid the constitutional issue, and found that scraping, or using automated tools, when you can access that information anyway, it's not hacking to use technology to help you get information that you already can get, even when the Terms of Service prohibits it. And so employing a bot to crawl a website or apply for jobs may run afoul of a website's Terms of Service but does not constitute an access violation when the human who creates the bot is otherwise allowed to read and interact with that site. The court actually quoted Star Wars as well in the decision, which makes it extra cool.

Yeah, so what you're seeing here with hiQ, which is another important scraping decision, still basically in litigation and argument in the Ninth Circuit, and this Sandvig decision: there might be a future for our bots. So in public facing infrastructure, the idea that you're going to use terms of use or even technological measures like IP blocking to limit the way researchers, companies, competitors, algorithmic auditors that are often engaged in scraping in order to uncover bias and deception in black box algorithms, all of these people are going to be greatly, greatly influenced, and all of us, by those two main decisions basically progressing right now: hiQ in the Ninth Circuit and Sandvig in the DC Circuit. So let's say a future for bots.

I also just wanted to quickly mention, because you mentioned IP address blocks, that it is our position at EFF that an IP address block is not a technological access barrier, because it does not keep anyone out. That's an issue that's coming up in these cases, and companies are trying to argue that it does, so that's one issue to watch.

And this is extremely interesting, because in the oral argument we just saw in hiQ, the lawyers were saying, wait, is it in fact a technological measure if it's just slowing me down and not actually preventing me from accessing? A great point on that. But the CFAA is not the only anti-hacking law, especially for you guys out there in the back, and for IoT hacking, for car hacking, for all of these devices that have embedded security. The DMCA, the Digital Millennium Copyright Act, an amendment to the copyright law, is a very important anti-hacking law. So this is a federal law with criminal and civil liability, mostly civil, and it basically prohibits circumvention of technological measures that effectively control, and this is one of the components of this clause, the access to software code as a copyright
protected work. Now the question is, do we actually require copyright infringement when we evaluate the circumvention and whether the DMCA was violated? Now here we have murkiness and a split. There are some decisions that suggest that if you are circumventing for the purpose of basically establishing interoperability, so jailbreaking, etc., the DMCA should not be an issue, but when it comes to media and videos, etc., courts have been more willing to think that you don't have to have a really close relationship to copyright infringement. So this is the Lexmark decision, one example, versus the Blizzard decision, for those of you writing citations. Now, the courts and the regulator, the Congress, recognized that this is a law that might not keep up with technology, exactly like the CFAA. This is a law from 1998 that was basically inspired by big entertainment companies seeking to prevent piracy. So in order to make sure that the law keeps up with technology, we actually have some statutory exemptions for security testing and encryption research, but as you can see they have tons of requirements. For security testing you need authorization from the owner. Yeah, I'm sure that that person is going to let you hack their product. We actually have empirical research showing that when people tried to get authorization they were often refused or even got letters back. So the statutory exemptions are murky in extent because they have tons of requirements and it's not clear what the weight of each requirement is.

We also have a temporary good-faith security exemption. So I talked about the law basically being at risk of not keeping up with technology and basically stifling new developments, so we do have a process where basically every three years the Copyright Office is engaged in this multi-stakeholder discussion to figure out what kind of carve-outs, what kind of safe harbor and exemption we need to create from that very broad anti-hacking law. And one of those exemptions from 2015, now pending renewal and probably going to be renewed, at the very final stage of the process, is the temporary good-faith security exemption. That doesn't require the authorization like the statutory exemption, but guess what, you thought that it's going to be free and broad? No. We do have tons of limitations. So first of all, we have a device limitation. Right now, as it's written, it's geared towards devices that are basically designed to be used by individual consumers. So let me ask you: an elevator versus a Nest device? What about commercial printers, right? So this is quite vague. But this also covers voting machines, by the way, so our friends right here, the Voting Machine Hacking Village, great job, the security exemption was really important for that. This also includes motorized vehicles, Car Hacking Village friends, yes, they also rely on that to some extent, and medical devices in certain circumstances. But there's only one requirement, guess what, you need to lawfully acquire the machine. So our friends here in the IoT Village probably got their machines from Nest, that's great; you need to lawfully acquire the machine. Then you also need to only be engaging in your research for the purpose of good-faith security research, and not violate any other law. And this is the real main issue, because, as we will show you, there is a relationship between the laws. So for example, if my Nest comes with Terms of Use and I violate the Terms of Use because I'm hacking, you saw our anti-hacking language before, I'm violating that contract, do I get the DMCA exemption or not? Because now I'm risking a CFAA and other law violation. So this is a very important component that there is a lot of debate about right now, and basically there are a lot of people requiring and requesting that this will be removed. Then, not only that, the research should be conducted in a controlled environment; is this a controlled environment? Etc. So the idea here is plenty of requirements as well, and we're now trying to remove some of them. In fact, the Department of Justice itself weighed in on this issue, and they suggested in their comments that there is an issue with the limitation of the security research exemption only to devices designed for consumers, so we might see this removed. And they also suggested that this idea that everything should be in a lab-like environment is not realistic and it's not what we need; that's not how products are being used in reality. So whatever is going to happen with the DMCA temporary good-faith security exemption, it's going to be really, really important for all you IoT hackers, so stay tuned.
Now, I mentioned bug bounties in the beginning, because there is an aspect here which is the relationship between the CFAA, the DMCA, and, believe it or not, bug bounty contract terms. So this is my own project, Legal Bug Bounty, and the relationship basically is dependent on that clause you just saw, which suggested that violating the CFAA or contract law might undermine the DMCA security exemption.

So by show of hands here in the room, who has heard about bug bounties, ever visited a page like this, or a vulnerability disclosure program? Yeah, we have some hunters in the room, that's cool. Well, this is on the rise. Not only bug bounties, which are fun, but also vulnerability disclosure programs, and one reason is that regulators are actually pushing that, and that includes IoT regulators like the FDA. In fact, the FTC has written, just two months ago if I'm not mistaken, in one document, that they think that failure to maintain a process to get security vulnerabilities from the community and address them is in fact unreasonable under the FTC Act. This means that we're going to see more and more companies coming to you, coming to us, coming to everybody, and setting in place at least a vulnerability disclosure program, a communication channel, and the language of that program, that contract, is going to be also very important.

Why? I'm not sure that anyone here has encountered this piece of bug bounty terms. So these are bug bounties, not vulnerability disclosure programs, although they also have legal terms. But what's funny is there are a lot of terms of use in bug bounties, and often we ignore the legal part of a bug bounty and we just focus on the technical scope, but this part could actually create liability. So what am I talking about? I actually conducted the research, and I read hundreds of terms, and what I found was in some cases pretty conflicting stuff. For example, these bug bounty terms suggest that when you submit the bug you also agree to the EULA, the end-user license agreement that is geared towards users, and guess what, that EULA has the same anti-hacking language that we just saw: no spoofing, no attempt to gain unauthorized access, no hacking. So this combination between the bug bounty terms and the EULA creates civil and criminal potential liability; it shifts the risk to the hacker. Now these are the takeaways, so you should be careful in reading them and addressing them and knowing what's at stake. This is just one example. To kind of summarize this point, from what I saw there are a lot of cases where companies are actually shifting the risk to the hacker. Now this is not, as we saw, this is not just contractual liability; this is CFAA liability, because it's all boiling down to authorization.

So, good news. I don't know if anyone here knows Bugcrowd, but we are working together standardizing safe harbors and legal language for bug bounties. This is one project, Legal Bug Bounty; you can check it out. And in fact we had some developments: Bugcrowd has now launched disclose.io in collaboration with me, Bugcrowd, and hacker platforms, basically creating almost like an open-source type of language that people can adopt, that bug bounty and vulnerability disclosure programs can adopt, in order to make sure they don't put the crowd, the hackers, at risk. So check that out; it's disclose.io. And we did have some success, and I really want to give a shout-out here to Dropbox, adding an explicit safe harbor in their bug bounty from the CFAA and the DMCA, and Mozilla, yes my friends, the pioneer of bug bounties, this month basically launching a new safe harbor in their bounties. So slowly we're going to see this type of language in bug bounties and VDPs with respect to authorization and waiver of potential claims against the researcher. Now this is key; you need to be on the lookout, because it is a factual liability: if a company has that type of language in their contract, you are probably safer than in the case that they don't have it, right, because basically when they authorize access, and if you are staying in scope, you are like a pen tester; the legal foundation of the claim is negated. So this is another part of the project, where I actually list all the companies with safe harbors, and you can check that out. Just to finalize that, one final
comment on wiretap. I'm not going to get into the weeds of this too much, but I'm happy to say that this is actually one of my own projects. We just presented it at the Crypto and Privacy Village: we conducted an at-scale audit of Android apps that included a lot of security testing, let's put it that way. And one of the concerns, one of the actual comments that we got from the reviewers (and I have my co-author, Primal, here in the room, shout out to him) was: is there a potential wiretap problem here? So let me explain what the issue was. We created basically a corpus, a database of 6,000 apps from the Google Play Store, and we created an infrastructure; we basically looked at all the network analysis. But in order to do dynamic analysis at scale, we actually needed to, quote-unquote, play the apps. What we wanted to see is what is being collected from a data perspective at each and every moment the app is basically interacting with the user. But instead of having real users interacting with 6,000 apps all the time (that's impossible, right?) we had to automate the process, so we used something that is called a monkey, an exerciser, basically software that is acting like a user and touching the interface. Bottom line, what was interesting here is that the wiretap claim wasn't relevant, because our communication wasn't human at all: the so-called, quote-unquote, person interacting with the network that was basically monitored wasn't created by any human but by our software, our monkey. So when you're basically doing IoT testing, wiretap is also important. Make sure, especially if it's speakers, Google Home and the like, that you don't have other people in the room that you are listening to, or others whose consent you didn't obtain. Wiretap is another thing to be on the lookout for. So I want to wrap it
up and hand it to Jamie to talk a little bit about the actual practical recommendations that we have for you people here in the room.

All right, so as Amit mentioned, one thing you could do is ask for permission, but that definitely doesn't always work and it's not always an option. But one of the first things you need to do is be aware. So: are there Terms of Service? What do they say? Read them. And also, if there's a bug bounty program, read those terms. And if you get a cease and desist letter, or someone saying you're not authorized to do something, then just be aware that that could be a red flag for the CFAA. It's good to just know what laws they're using, know how they're interpreted, know that there's a circuit split and you might be at issue, because then you could know. One other thing you can do is ask EFF. So who all knows what EFF is, or who EFF is? Well, not everybody. So we're a digital rights nonprofit; we've been around since 1990, and we have a Coders' Rights program where people come to us with security research questions. We represent on a consulting basis and give advice about what to do, what not to do, if the research already happened, what the legal risks are, and the like. And it's free. So that's one thing that I definitely want everyone to take away from this: come ask us if you have any questions, and we're happy to help. Also CDT and other nonprofits: the Center for Democracy and Technology posts recommendations online that can be really useful. Another thing to do is use your own computers and accounts and your own devices, rather than your neighbor's without their permission: devices that you are definitely authorized to use, accounts that you're definitely authorized to use. That doesn't always work in some cases; for instance, under the CFAA, if you're accessing a server or doing anything on the cloud, you're accessing someone else's computer and therefore this won't actually protect you. But offline testing could help, so if you are downloading things and doing things on your own system, then you're not accessing anyone else's computer. Also minimizing interactions with user data, and also second-hand devices, which helps with the first sale doctrine: so if you're entering into buying a phone, you have a Terms of Service agreement with the phone company, like this; it's not the best, but if you bought the device second-hand it's not necessarily the same, you don't have the same contractual relationship. And then again, bug bounty...

Wait, what is this? Yeah, I'm going to add on that. Sorry, late addition, but maybe a news flash to the audience here in the room: so Bounty Factory is a European bug bounty; they're really cool, and recognizing that this landscape isn't perfect, they actually created a tool to report vulnerabilities. I haven't tried it, but just wanted to let you know; I heard it was used in some circumstances. The idea is basically to minimize your risk. I am hoping that we get to a point where there will not be any question, where if you're engaging in a coordinated disclosure and trying to work with a company under a VDP there is no risk of legal threats, but this is not our case yet. So this is with respect to that. And also important with respect to bug bounties is basically: what are the lines when it comes to demonstrating impact? So again, the idea is if you see user data, that's a very, very, very hard stop. Even if you want to show the impact of your vulnerability in a bug bounty, you should be very mindful of what the proof of concept that you are producing is, and communicate basically with the program owner if there is any doubt. You see a lot of tension and kind of imprecision around that issue of where the line stops when it comes to a proof of concept. If you want to hear more about the bounty work I'm doing, go to my bug bounty talk tomorrow at Skytalks at three. So finally, we want to give you some takeaways, some websites you can check out. So we have here the EFF
website, the Coders' Rights Project. You want to say something about that? Sure. Well, I already talked about the Coders' Rights Project. We also have a website online with lots of blog posts about all sorts of things, which is a really great resource. We also have a booth in the vendor area if you want to come ask any questions, and if you want to contact the Coders' Rights program, I should say, email info@eff.org and we will help you. Yeah, and Legal Bug Bounty; you can check out my project. The CDT report that I just mentioned is a really cool report, basically coming from interviews with twenty leading researchers; they have a bunch of recommendations there, and they also explain the law. Check it out; here's the link. You can check it out on CDT, just google it on their website. And if you want to have general CFAA overviews, there are great talks by Leonard Bailey and others on YouTube; there is also this great overview document. The main idea is: be mindful, consider learning more about this issue. Yes, the situation is not perfect, but we're doing what we can to deal with it, especially Jamie here, who's doing amazing, amazing work. That's it. I want to end
with a very kind of good-news, kind of hopeful final story to this CFAA mess. You know Kevin, the guy who lost the $30,000 bounty? Well, guess what: although DJI threatened him with a suit, later thereafter they added an explicit safe harbor to their bug bounty policy, communicating to the security researchers that they will not pursue legal action. And the point here: this community has tons of power. It's not just the law; it's also reputational issues that will basically come haunt you if you threaten a researcher, and we have a lot of power to change stuff. Stay tuned, be involved, ask questions. We are here, and that's it. Thank you so much. And follow also the IoT bill; this is not law yet, but it has CFAA and DMCA safe harbor provisions. I Am The Cavalry is doing amazing work; this is also a kind of positive final note to end with. OK, we are here for your questions, if we have a bit more time; I think we do. [Applause]