The complicated process of granting exemptions under the DMCA, as well as the historical breadth and vagueness of the CFAA, have had a significant deterrent effect on security research in the United States. A 2017 study found that companies are generally unwilling to give security researchers permission to audit their products and that researchers are very concerned about the legal threats they face. A study by the Center for Democracy and Technology documented these concerns in more detail the following year. Even students just starting their careers can feel the chill: MIT operates a legal clinic with Boston University School of Law solely to advise student researchers on legal risks and help them respond to real or threatened litigation.

“DEF CON is an important event that brings together some of the brightest minds in cybersecurity. While we are not officially partnering with DEF CON, we are proud that they choose to hold their conference on Discord,” the messaging platform said in a statement. More broadly, Discord has a zero-tolerance policy for illegal activities, and this also applies to all DEF CON participants. We use a combination of proactive and reactive tools to keep it out of our service. While the entire conference is free, if you want to post images and links, or use the voice and video chat features, you'll have to pay $20 for a “Human Plus” badge on PayPal. This process makes it easier for the conference to identify bad actors posting illegal content on Discord.

The catastrophic state of cybersecurity in both the public and private sectors is a national emergency. Unnecessary barriers to professional access and retention in cybersecurity deserve to be considered a matter of national security. A major obstacle is the continued deterrent effect of legal risks on bona fide cybersecurity research.
Van Buren has lowered this barrier somewhat, but there is still much to be done. As a result, many commentators tempered their celebrations of the decision with caveats. As CDT put it, “the court's decision does not remove any ambiguity surrounding the CFAA” and leaves open questions that browser maker Mozilla says “will likely need to be resolved through litigation in the coming years.” According to the Cato Institute, it remains to be seen whether Van Buren will end the CFAA's “private abuses.” For years, the CFAA and another law, the Digital Millennium Copyright Act (DMCA), have cast a cloud of legal uncertainty over the work of white-hat hackers. Section 1201 of the DMCA prohibits circumvention of technological access control measures for copyrighted works. Researchers risk violating this provision if they look for vulnerabilities in consumer technologies, as Princeton professor Ed Felten (who was personally threatened with a DMCA lawsuit) explained in 2013. The DMCA allows for limited security testing, and a complicated rule-making process that takes place every three years has led to temporary exemptions for “bona fide security research.” However, these are imperfect safeguards: eligibility for the DMCA security testing exception can be complex and depends on not violating the CFAA. In addition, exemptions are not permanent, meaning researchers must request that they be renewed (or extended) every three years. Success is not guaranteed, which seriously affects long-term planning and investment in security research.
These failures of the DMCA, which were not at issue in Van Buren, persist after the judgment. And even after Van Buren, white hats continue to face ongoing legal uncertainty under the CFAA and other laws. Meanwhile, the U.S. is facing a cybersecurity crisis, and U.S. authorities have begun to recognize that “black hat” hackers (especially overseas) appear to be largely untouched by the threat of prosecution. Simply put, the specter of liability could deter white hats from conducting harmless or useful security research without significantly deterring malicious hacking. This perverse state of the law, and those who wield it to threaten researchers, is a weakness for the United States.