Information about http://www.icir.org/vern/cs294-28/papers/burstein_legal_leet.pdf

Conducting Cybersecurity Research Legally and Ethically …

Pages: 8
Language: english
Created: Fri Apr 4 16:03:27 2008
Conducting Cybersecurity Research Legally and Ethically

Aaron J. Burstein
University of California, Berkeley (School of Law)
aburstein@law.berkeley.edu

Abstract

The primary legal obstacles to conducting cybersecurity research are not outright prohibitions but rather the difficulty of determining which of a large set of complex statutes might regulate a given research project. Privacy, computer abuse, tort, and contract law are all potentially applicable. Moreover, even when the law permits a research activity, researchers may wonder whether it is ethically permissible. This paper seeks to clarify these issues by explaining the areas of law that are most generally applicable to cybersecurity researchers and offering guidelines for evaluating ethical issues that arise in this area of research.

1 Introduction

Research occupies a central role in cybersecurity policy in the United States. It may provide ways to reduce and mitigate the increasingly serious threats to the computers and networks that the United States (and other highly developed countries) have come to rely upon so heavily. Funding this research has been a priority for Congress as well as the National Science Foundation, DARPA, the Department of Homeland Security, and other agencies [11]. As networked information systems become pervasive, this commitment to research is essential.

But a fog of legal and ethical uncertainty hangs over cybersecurity research. A variety of federal and state statutes either prohibit activities that would provide cybersecurity researchers with data about real systems and real attackers, or cast such doubt on research activities that researchers modify their programs or conduct them with a sense of uncertainty as to their legality. Cybersecurity researchers (and officials within the organizations that employ them) may also suspect that certain things are illegal when, in fact, they are not; but researchers nonetheless avoid certain paths. Conversely, researchers may view the legality of a certain course of research as license to pursue it without regard to ethical considerations.

Ethical questions lurk beyond these legal issues and also deserve researchers' attention. Though the statutes discussed here contain expansive prohibitions on certain kinds of conduct, they do not address all instances in which researchers may find themselves wondering, "Is this the right thing to do?" In addition, many cybersecurity researchers present their data collection and analysis plans to institutional review boards (IRBs) and information officers (e.g., CISOs) for approval. These individuals and bodies often are unfamiliar with cybersecurity research in general and the problems that researchers face collecting data in particular. They will often wonder about how proposed research affects individual privacy and the security of the organization's information systems. The better researchers can explain how their activities will affect these interests, the easier they may find it to obtain approval and cooperation.

The overall argument in this paper is twofold. First, though U.S. law does not permit everything that cybersecurity researchers would like to do, relatively few research activities are flatly prohibited.¹ Nonetheless, uncertainty among researchers about what the law actually says, as well as doubt about the ethics of some activities, may hold back certain research efforts. Though privacy is an important part of this picture, computer abuse, copyright, tort, and contract law pose issues as well. Second, this paper emphasizes that cybersecurity researchers work within organizations whose interests typically include far more than improving cybersecurity. Thus, this paper strives to provide ways to allow cybersecurity researchers to think through the legal and ethical dimensions of their research, so that they may better explain it to non-experts and discuss how it is consistent with an organization's overall interests. The discussions in this paper revolve around general problems that cybersecurity researchers face, rather than particular research efforts. The hope is that whatever is lost by avoiding discussion of specific research will be recovered by preventing embarrassment to researchers and encouraging a frank discussion within the cybersecurity research community.

¹ Disclaimers: First, this paper considers U.S. law only. Other nations' laws are part of a more complete picture of cybersecurity research legal issues, but, given the limited space available and the complexities of U.S. law, it is impossible to address international law in a helpful manner here. Second, though the author of this paper is an attorney, nothing in this paper constitutes legal advice. Researchers who believe they are encountering issues similar to those discussed here should discuss their individual circumstances with an attorney.

Section 2 reviews previous work examining legal issues in cybersecurity research. Section 3 explains the legal and ethical issues surrounding collecting and sharing network datasets, ending with a proposal to create a cybersecurity research exception to federal communications privacy laws. Section 4 discusses issues associated with running malicious code on research machines. Section 5 analyzes the law and ethics of mitigating attacks, while Section 6 does the same for publishing results. Finally, Section 7 concludes with a few suggestions for action by cybersecurity researchers with respect to their own research, within their organizations, and within the political arena.

2 Background

A few legal scholars have examined some of the legal issues facing cybersecurity research. Liu, for example, has examined the effects of the Digital Millennium Copyright Act (DMCA) on cryptography research [13]. He concluded that the DMCA's prohibitions on circumventing "technical protection measures" on copyrighted works are so broad, and the encryption research exception is so narrow, that researchers are justified in fearing liability for researching and publishing about vulnerabilities in certain encryption schemes.

Research using honeypots and honeynets raises significant questions about liability under the federal Computer Fraud and Abuse Act (CFAA) and communications privacy statutes (including the Wiretap Act and Pen Register/Trap and Trace Devices Act). Salgado analyzed a range of honeynet set-ups and found that the risk of liability under the communications privacy statutes can best be reduced by incorporating honeynets into production systems and networks [20]. He did not, however, give much attention to researcher liability under the CFAA, the possibility of which must be taken into account given that more recent honeynet designs involve more interaction with attackers.

Finally, Ohm et al. examined statutory communications privacy issues (including the Stored Communications Act in addition to the statutes named above) arising in conjunction with collecting, publishing, and using network traces [17]. They argued that these statutes are sufficiently vague to make it unclear whether a given trace collection will violate one or more of them. Nonetheless, they argued, legislative reform of these laws is probably unnecessary and, in any event, would be unlikely to add much clarity for cybersecurity researchers.

3 Obtaining Data from Networks

Data from real networks is critical to several areas of cybersecurity research. Intrusion detection research, for example, depends on access to large volumes of network traffic in order to generate signatures of attacks while minimizing false positives and false negatives. The stresses of real systems may also be necessary to test the performance of real-time collection and analysis technologies. In addition to their importance to individual research efforts, datasets can contribute to a broad picture of the Internet when shared among researchers [6].

3.1 Collecting Network Traces

As many cybersecurity researchers are aware, however, federal communications privacy laws limit access to the traffic on computer networks.² In particular, federal law provides the following:

· Wiretap Act [1]: Prohibits real-time interception of the contents of electronic communications. A "provider exception," however, permits the employees of a network operator to intercept and record communications to the extent necessary to protect the "rights and property" of the operator.

  Unfortunately, the distinction between "content" and "non-content" information is not always clear. In particular, the distinction is not as simple as the separation between packet header and payload. The contents of a communication are defined to mean the "substance, purport, or meaning" of the communication, while non-content information refers to both addressing information and records pertaining to a network user, e.g., billing information. Under these definitions, courts have held IP addresses (both sender and receiver) and the To: and From: fields in e-mail messages to be non-content information [25], while the Subject field is commonly regarded as contents [15]. The same definitions of "contents" and "non-content information" apply to the two statutes discussed below.

· Pen Register/Trap and Trace statute [5] (commonly referred to as the "Pen/Trap statute"): Prohibits real-time interception of the non-content portions of electronic communications. The Pen/Trap statute contains a provider exception that is similar to the one provided under the Wiretap Act. Once non-content data are stored, analysis and disclosure of the data are subject to the Stored Communications Act.

· Stored Communications Act (SCA) [4]: Prohibits providers of "electronic communications service to the public" from knowingly disclosing the contents of customers' communications, as well as non-content records relating to customers' communications. The SCA imposes few, if any, restrictions on uses of data within the organization that collects them. Publishing or sharing the same data with employees of other organizations, however, implicates the more restrictive disclosure rules discussed in Section 3.2.

² Many states have their own versions of these laws. In particular, many have their own version of the Wiretap Act, and in some states, the law is more strict with respect to consent. In California, for example, both parties to a communication must consent to its interception.

Taken as a whole, there are two salient features of this complex set of laws. First, they contain no research exceptions. This is in contrast to other privacy statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), which restricts disclosures of personal health information but provides means for researchers to obtain such information both with and without individual consent. The provider exceptions to the Wiretap Act and Pen/Trap statute are the closest that these laws come to a research exception. Making use of this exception requires close cooperation between researchers and officials from their institutions.

The second point to note about the electronic communications privacy statutes is that they create a patchwork of prohibitions and exceptions that are difficult for researchers and research organizations to navigate. As the summaries above indicate, the rules for accessing communications contents are different from those governing access to addressing information; and access to data in real time versus in storage introduces still more variations in the law.

Thus, the Wiretap Act and Pen/Trap statute pose obvious hurdles to cybersecurity researchers. Consider the issue of consent under the Wiretap Act. Given that testing, say, intrusion detection algorithms may require access to traffic at a university's gateway, obtaining individual consent is probably unworkable. Universities typically inform their network users, through banner notices or terms of use, that the network is monitored. It is unclear, however, whether these notices cover all situations of interest to researchers (e.g., large-scale packet trace collection). Even if a university obtains broad consent to monitor its network users, administrators are likely to give considerable weight to other institutional interests (e.g., student or faculty backlash) that may cut against increasing researchers' access to network data. An empirical study of institutions' policies and practices could shed light on this area.

Making use of the provider exception to the Wiretap Act or the Pen/Trap statute obviates the need for consent, but it requires coordination with the appropriate officials within the institution that operates the network. For large organizations, the key official is likely to be a chief information security officer (CISO) and his or her staff. Convincing a CISO to approve research that involves tapping into the contents of communications on the institution's network is likely to involve more than an assertion that an appropriately structured research project is legal. The CISO will also want to ensure that the research fits the institution's mission and policies. It is here that attention to ethical considerations may be valuable.

The question that researchers and institutional officials must confront is: Even if it is legal to allow research that involves real-time monitoring and analysis of communications, why should the institution allow it? The broader background of communications privacy law and policy provides a few answers.

First, research that fits within the provider exception is, by definition, potentially applicable to protecting the institution's network. A close relationship between researchers and staff with responsibility for keeping a network operational may bring immediate benefits--improved security--to the network and its users.

A second answer is based on a more basic look at the interests that the Wiretap Act was intended to protect. Giving cybersecurity researchers access to real-time communications streams would do little to undermine these interests. When the Wiretap Act was first enacted in 1968, and even when it was expanded in 1986 to cover electronic communications, intercepting communications in real time was by far the easiest--and perhaps the only--way of obtaining their contents. The advent of essentially unlimited storage of email and other forms of electronic communications, however, has made it possible for law enforcement officials and private parties to obtain contents from stored communications. The individual informational privacy interest is in the contents of a communication, rather than the mode in which it was obtained.

In addition, the Wiretap Act was framed against the assumption that a person might have one of a few reasons for intercepting a communication without authorization, all of which merit some control under the law: gathering evidence for a criminal investigation, gathering material to embarrass another person, or simply satisfying a curiosity in the affairs of other people. Cybersecurity researchers do not (or should not) pursue these ends when they make use of real-time communications streams. Instead, for the most part, they subject the communications to automated analysis. To be sure, it may sometimes be necessary for researchers themselves to examine the contents of communications to debug software, improve experimental set-ups, or explain anomalous or unexpected results. Researchers should be frank about this possibility when discussing proposed projects with institutional officials, and they should specify which investigators would have access to individual communications and how they would keep the communications confidential.

3.2 Sharing and Publishing Network Traces

A second general problem that cybersecurity researchers face in the realm of communications privacy is that of sharing and publishing network traces. The scientific bases for sharing these data are compelling: common datasets can provide meaningful comparisons between competing research approaches; simulated data are inadequate for some uses; and existing datasets may not reflect present-day threats or traffic characteristics [18].

The Stored Communications Act (SCA), introduced above, poses a significant barrier to sharing these data. Some additional detail about this law is warranted at this point.

· Entities Subject to the SCA. The relevant sections of the SCA do not cover all network providers, but rather providers of electronic communications services "to the public." Commercial e-mail providers and ISPs generally are thought to be covered by the SCA, while private businesses that provide Internet access to their employees for work purposes likely are not covered by the SCA. Universities may fall somewhere in the middle, or even have some networks governed by the SCA and some that are not. For example, if a university operates an open wireless network, records pertaining to that network might well be covered by the SCA. A research network that is available only to students, staff, and faculty, however, might not be a service "to the public"; and hence the SCA might not apply to content and records pertaining to that network. To reiterate, the question of whether an entity provides service to the public is critical; if it does not, the disclosure provisions of the SCA do not apply.

· Disclosures regulated by the SCA. A service provider subject to the SCA may not disclose content records to another person or entity without consent (or the appropriate court order). Moreover, a covered service provider may not disclose non-content records to any "governmental entity" without consent or the appropriate order. The meaning of "governmental entity" is quite broad; it might refer to any government agency and its employees [27], including public universities. The term is not limited to law enforcement or intelligence agencies and officials.

For those entities covered by the SCA, the prohibition against divulging non-content records to governmental entities makes an unrestricted public release of data a risky proposition. Putting a dataset on a public website, for example, would make it possible for anyone to obtain the data. Though a case could be made that this mode of disclosure does not meet the statutory standard of knowingly divulging non-content records to a governmental entity, researchers (and their institutions) probably will not want to rely on this argument.

As discussed above, the SCA only applies to providers of communications services "to the public." Others may disclose non-content records. For these entities, the question becomes an ethical one that researchers and institutions must confront: should they publish network traces?³

³ For the purposes of this discussion, it is assumed that only non-content (i.e., packet header) traces are in question, and that releasing the contents of communications raises insurmountable privacy issues.

The SCA's history and structure point toward some answers. The baseline of statutory protection for non-content records is quite low. The SCA primarily protects against government intrusions into the privacy of non-content records, as is evident from the prohibition on disclosure to governmental entities, which includes (among many other things) law enforcement agencies that have the power to use such information to surveil or prosecute individuals. Though the threat of government surveillance has not abated, private firms now rival, if not surpass, the government's power to analyze network data at the individual level; and the SCA leaves monitoring and analysis by the private sector essentially unregulated. This legal structure allows commercial datamining, behavioral targeting and other practices that are particularly offensive to some conceptions of individual informational privacy to go forward. It is against this background that sharing non-content network traces should be evaluated in privacy terms; carefully anonymized datasets reveal far less about individuals than organizations learn from the data that they control and use for commercial purposes. (Compare Allman and Paxson's description of anonymized packet traces and NetFlow records in [6] with Solove and Hoofnagle's description of commercial datamining in [22] and Solove's description of government datamining in [21].) Yet public and private investment are heavily tilted toward supporting these invasive forms of analysis.

A more general solution to the barriers to research posed by electronic communications privacy laws would be to create a cybersecurity research exception to them. A full proposal for such an exception is discussed in [8].

4 Running Infected Hosts

This section discusses legal and ethical issues that arise in two situations that involve running hosts that are infected with malicious software. First, it may be necessary to allow attackers to remotely exploit hosts in order to collect malware and observe the behavior of both the attackers and the software [19]. Second, researchers may run malware in testbeds in order to observe the software's behavior in a controlled environment.

4.1 Testbeds

The primary legal concern with running malware in testbeds is liability from accidental exfiltration of malicious traffic beyond the testbed. The exfiltration pathway might be a link from the testbed to the Internet that is provided to allow users to run experiments remotely. The Computer Fraud and Abuse Act (CFAA) would be the most likely legal theory for holding researchers liable [2].

The CFAA prohibits a wide variety of conduct directed against essentially any computer connected to the Internet. It prohibits not only targeted break-ins of specific computers, but also knowingly transmitting a program--such as a worm or virus--that damages another computer connected to the Internet.⁴ Though this provision would appear to cover code that escapes from a testbed, it is important to note that the CFAA also requires intentional harm to another computer in order to find an offense. A researcher who accidentally allows malicious traffic to escape containment is highly unlikely to possess this intent.

⁴ Specifically, 18 U.S.C. § 1030(a)(5)(A)(i) prohibits:

    [K]nowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.

A "protected computer," in turn, means any computer owned by a financial institution or the U.S. government, or any computer used in interstate commerce. 18 U.S.C. § 1030(e). The interstate commerce portion of this definition is sufficiently broad to bring any computer connected to the Internet within the definition of "protected computer."

An alternative theory of liability for exfiltrated code is based on tort law, an area of common law, i.e., based on court-created doctrines rather than statutes. One potential tort-based theory is negligence, which is the doctrine that courts apply to compensate injured parties after accidents.⁵ Another theory is nuisance, which would involve proving that the leak of malicious code caused "an unreasonable interference with a right common to the general public" [12]. A third possibility is tort liability for ultrahazardous activities, which is governed by a standard of strict liability. In contrast to negligence, which requires proof that a defendant failed to take precautions appropriate to prevent harm (discounted by the probability of harm), strict liability does not involve any notion of fault: if strict liability applies to an activity (a big if) and an accident occurs, the person conducting the activity is liable for injuries to others.

⁵ A successful negligence suit requires proving that (1) the defen-

These theories remain hypothetical; no cases have been brought against testbed operators or users, perhaps because of a lack of accidents involving testbeds. Still, should this situation change, each theory discussed above would face significant hurdles. The negligence theory, for instance, would require proof that the testbed did not have adequate measures in place to prevent exfiltration. Since testbed designers take pains to keep open a minimum number of channels of communication between the testbed and the Internet, the chances of finding such a breach of duty seem slim [10]. A second weakness, which also applies to the nuisance theory, is that it is an open question whether testbed operators or users owe a duty of care to other Internet users in the first place. It is worth noting that none of these theories has been successfully used to sue software vendors for harm arising from security vulnerabilities in their software [7]. Finally, strict liability applies to activities that are, among other things, uncommon and pose a risk of accidents that due care cannot prevent, such as blasting with dynamite in urban areas [23]. Though running malicious code on a testbed may not be within the experience of most Internet users, one could argue that this is the wrong frame within which to judge commonality: Internet users are constantly exposed to malicious traffic. Thus, releasing malicious traffic might not be considered uncommon. Strict liability for accidental exfiltration of malicious code from a testbed thus seems unlikely.

4.2 Non-Isolated Hosts

Research that makes use of hosts that are allowed to interact with attackers presents a few additional legal considerations. One concern that researchers might have is that allowing a computer to become infected with malware that causes the host to join a botnet violates the CFAA or other laws. Allowing the infection (or collecting malware) itself probably is not illegal under the CFAA, as the researcher does not obtain unauthorized access to another computer. Allowing the infected host to communicate with an attacker via IRC or other means is
dant owed the plaintiff and duty of care; (2) the defendant breached the
duty; (3) the breach caused harm; and (4) the harm is a legally recog-         nized form of injury.


                                                                           5
more subtle. The contents of the commands, such as instructions to request data from a third-party victim, may not be illegal. But responding to these commands--by sending a flood of traffic to an innocent third party as part of a distributed denial of service attack, for example--would raise the concern that the research system is participating in an attack. Deciding on the appropriate balance between collecting information and potential liability under the CFAA thus deserves careful, case-by-case analysis.

   A second question is whether researchers could be liable for data, such as copyrighted works or child pornography, that attackers place on their hosts. Attackers might even deliberately target researchers with such materials, if they discover the identity of a research host and wish to cause trouble for the researcher.

   Consider the copyright question first. The concern for researchers is that merely possessing an unauthorized copy of a work (music, a movie, a book, etc.) could expose them to liability for infringement. This situation could arise for researchers investigating peer-to-peer systems. Under the Copyright Act (Title 17 of the U.S. Code), if a person takes no action to infringe one of the exclusive rights of a copyright holder, then there is no infringement. In this case, if an attacker downloads infringing copies of copyrighted works to a researcher's computer without the researcher's knowledge, then the researcher is probably not liable for copyright infringement. This situation could change, however, if the researcher analyzes the contents of materials that attackers send. In that case, the researcher may become aware that he or she is in possession of infringing copies; and analysis of the copies could constitute infringement of one or more exclusive rights (e.g., the right of reproduction6). Researchers would have a strong argument that such reproduction is a fair use (17 U.S.C. § 107) of the work; but a full analysis of that argument is beyond the scope of this paper. Unless analyzing these materials is important for the underlying research, researchers would be better off deleting such materials or preventing attackers from downloading data in the first place.

   6 Courts have held that copies made in RAM may infringe the exclusive right of reproduction, even if no permanent copy is made. See, for example, MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511 (9th Cir. 1993).

   Unfortunately, the solutions are not as simple in the case of child pornography. Federal law makes it a crime to knowingly possess any image of child pornography [3]. Thus, if a researcher analyzes the contents of materials downloaded by attackers and finds that child pornography is part of the mix, he or she likely meets the definition of this possession crime. The law does provide a defense if a person possesses fewer than three images, reports such possession to a law enforcement agency, and destroys each image. This defense is narrow, and a researcher who stumbles across child pornography planted by an attacker should immediately contact an attorney. As was the case with copyright infringement, the potential for liability should make researchers think seriously about whether projects require allowing attackers to store data on research machines.

5 Mitigating Attacks

Cybersecurity researchers may also find themselves in a position to disrupt or mitigate attacks. After all, their research may yield detailed knowledge of the workings of malware, botnets, etc. This raises the question of what kinds of mitigations are legally permissible, and which steps are ethical. For the most part, mitigation by researchers raises serious legal and ethical questions and should be avoided. To explore these issues, this section makes use of three specific but hypothetical examples.

   Example 1. Suppose that a researcher finds that a botnet command and control server is running software that makes it vulnerable to a remote denial of service attack. Taking this server out of commission might seem worthwhile because it would help to disrupt the botnet, if only temporarily. But to the extent that taking down the server would involve sending code or data resulting in unauthorized access to the server, this action could be a violation of the CFAA. (See footnote 4 above for the pertinent text from the CFAA.) The fact that the server is being used for malicious purposes does not matter to an analysis of the proposed mitigation.

   Example 2. As a refinement to this example, suppose that messages of a certain format or length cause the command and control program to crash; a researcher (whose computer was infected with malware that the botmaster controls) considers sending crafted messages to effect a crash. In this case, the researcher is communicating via a channel that the botmaster has selected; the botmaster has arguably consented to receive messages from the computers enslaved in the botnet, giving the researcher a stronger argument that the crafted message is "authorized."

   Example 3. A final variation to consider on the legal side of mitigation is introducing bogus data (e.g., fabricated usernames and passwords, or fake credit card numbers) into botnets or other networks controlled by malicious actors. In this case, a researcher would simply place the data on hosts that he or she controls and allow attackers to take the data. This research design has the potential to allow researchers to track the flow of data through malicious networks. Still, even bogus data pose legal issues worth considering. The CFAA prohibits trafficking in passwords with intent to defraud and accessing financial records without authorization (18 U.S.C. §§ 1030(a)(6) and (a)(2), respectively). Even if offering truly fabricated data does not meet all elements of these offenses, other issues merit consideration. For example, linking the data to an actual brand name, such as a bank or a credit card network, could raise trademark infringement or dilution issues.

   There remain ethical considerations for mitigation steps that are legal. Perhaps the most important consideration is whether mitigation fits the role of a cybersecurity researcher. Different researchers will view their roles differently, depending not only on their personal beliefs but also the type of institution for which they work. Whatever these variations may be, a point that seems likely to be constant is that researchers are employed primarily to study threats, rather than to take action against them.

   Another ethical consideration is the extent to which mitigation (and other forms of investigation, such as probing networks or running honeynets) might harm the reputation of the researcher's institution. Mitigation may be seen as an action on behalf of the researcher's institution, and the researcher may or may not have this authority. Furthermore, when mitigation would involve action against remote hosts (as was the case with Example 2 above), it raises the possibility of interfering with other efforts to study or disrupt malicious activity, e.g., law enforcement investigations. There may also be a risk of misidentifying the parties responsible for malicious activity; or imperfect or ineffective mitigation might give attackers the opportunity to improve their techniques. For these reasons, researchers should be extremely cautious about taking steps beyond their own networks to mitigate threats. At minimum, they should discuss proposed tactics with IT officers at their institutions and, potentially, with law enforcement officials.

6 Publishing Results

Finally, the topic of publishing results ties together many of the issues discussed so far in this paper. The First Amendment to the U.S. Constitution provides broad protection for publishing cybersecurity-related findings, even potentially damaging disclosures such as zero-day vulnerabilities.7 Unless a disclosure is part of an agreement with another person to commit some other crime (i.e., it is part of a conspiracy), or is likely to succeed in inciting "imminent lawless action" [26], the First Amendment provides some protection. A publication that merely provides knowledge that might help another person commit a crime is protected speech [28].

   7 One exception is for classified systems. Another is for systems examined under a non-disclosure agreement (NDA); a researcher might be liable for damages resulting from a breach of contract if he or she publishes results that violate the NDA.

   The broad protections of the First Amendment, however, are subject to a few qualifications. Perhaps the most important is the DMCA's prohibition on trafficking in devices (which includes software), the primary purpose of which is to circumvent a technical protection measure on a copyrighted work. Courts have held that publishing circumvention software, and even linking to a site that offers such software, violates the DMCA [24]. But it is unclear what level of detail triggers the DMCA. For example, after a group of researchers that found vulnerabilities in a digital watermarking scheme was threatened under the DMCA before presenting their work at an academic conference, the U.S. Department of Justice wrote in a court filing that the DMCA did not prohibit publication of the paper or the underlying research [16]. Still, the prospect of liability under the DMCA is sufficiently realistic that researchers who plan to publish about vulnerabilities in software or hardware that protects copyrighted works may wish to consult an attorney before doing so.

   Publications also have the potential to harm an institution's reputation by revealing network details that the institution would prefer to keep secret. A strictly legal concern that this raises is a potential breach of contract. Suppose, for example, that an institution holds contracts that specify a network configuration or bandwidth guarantee given to transit or peering partners. Providing details necessary to allow others to understand a data collection set-up or an experiment might reveal that an institution is not living up to its contractual commitments. Again, consultation with information officers in an organization could help allay these concerns. Note that the objective of this coordination is neither to alter the information in a publication nor to force the organization to alter its practices; instead, it is to give an organization an opportunity to identify potential conflicts with contract partners and to plan for remediation.

   The possibility that a publication will reveal details about an organization's network also raises issues beyond legal liability. Researchers should also consider whether the papers or datasets that they publish could reveal information that could help adversaries attack the researcher's own network (or other friendly networks). Publishing datasets, as discussed in Section 3.2, is likely to pose a greater risk to an organization's network than a paper; so data releases may deserve a more careful vetting by IT officers than papers do.8

   8 These officials are usually extremely busy and have limited resources; convincing them of the benefit of collecting and sharing data that could harm the organization may require considerable relationship-building effort.

   The same principles apply to the privacy of users whose network use may be discernible from a dataset. Given recent research demonstrating the difficulty of devising robust anonymization schemes [9, 14], researchers should be particularly forthcoming about privacy risks before sharing data.

7 Conclusion

The legal environment inhibits cybersecurity research through outright prohibitions and through uncertainties that make some experiments and data collection and sharing efforts too costly to evaluate. Communications privacy laws have also set strong social expectations that network providers will maintain the confidentiality of their data. Though these expectations often do not match reality, they may nevertheless provide a reason that organizations cite to avoid the expense and legal and reputational risk of granting researchers access to network data. Reforming these laws is on the agenda of both privacy advocates and law enforcement agencies. Researchers could participate in reform efforts (e.g., through scholarly meetings and publications, meeting with policymakers, or testifying before them) to make known how the lack of a research exception affects them.

   This paper has also attempted to provide a sense of the interests that the laws relevant to cybersecurity are intended to protect. The hope is that this background will help cybersecurity researchers make decisions about their activities in light of broader ethical considerations. These considerations should include not only the users whose activities may be reflected in network data, but also the reputation of the researcher's own organization and the interests of researchers who have supplied, or would like to supply, data. More work is needed to develop the relevant ethical framework.

Acknowledgments

I acknowledge support for this work from TRUST (The Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422). I also thank Deirdre Mulligan and Vern Paxson for many helpful conversations, and Mark Allman, kc claffy, and anonymous referees for helpful comments on this paper.

References

 [1] 18 U.S.C. §§ 2510-2522.
 [2] 18 U.S.C. § 1030.
 [3] 18 U.S.C. § 2252A.
 [4] 18 U.S.C. §§ 2701-2711.
 [5] 18 U.S.C. §§ 3121-3127.
 [6] Mark Allman and Vern Paxson. Issues and etiquette concerning use of shared measurement data. In Proceedings of IMC '07, pages 135-140, October 2007.
 [7] Douglas A. Barnes. Deworming the internet. Texas Law Review, 83:279-329, November 2004.
 [8] Aaron J. Burstein. Toward a culture of cybersecurity research. Harvard Journal of Law and Technology, 22, 2008.
 [9] S. E. Coull, M. P. Collins, C. V. Wright, F. Monrose, and M. K. Reiter. On web browsing privacy in anonymized netflows. In Proceedings of the 16th USENIX Security Symposium, pages 339-352, August 2007.
[10] Emulab. Knowledge base entry: Is emulab firewalled? http://www.emulab.net/kb-show.php3?xref_tag=SI-FW, August 2005.
[11] Seymour E. Goodman and Herbert S. Lin, editors. Toward a Safer and More Secure Cyberspace. National Academies Press, 2007.
[12] Practicing Law Institute. Restatement (Second) of Torts, § 821B(1). 1977.
[13] Joseph P. Liu. The DMCA and the Regulation of Scientific Research. Berkeley Technology Law Journal, 18:501, 2003.
[14] Arvind Narayanan and Vitaly Shmatikov. How to break anonymity of the netflix prize dataset, 2006.
[15] United States Department of Justice, editor. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. 2002.
[16] U.S. Department of Justice. Brief of the United States in Support of the Motion, Felten v. RIAA (Nov. 8, 2001), CV-01-2669 (GEB) (N.D. Cal.).
[17] Paul Ohm, Douglas Sicker, and Dirk Grunwald. Legal Issues Surrounding Monitoring (Invited Paper). In Internet Measurement Conference, October 2007.
[18] Ruoming Pang, Mark Allman, Vern Paxson, and Jason Lee. The devil and packet trace anonymization. Computer Communication Review, January 2006.
[19] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the IMC. ACM, October 2006.
[20] Richard Salgado. Know Your Enemy, chapter Legal Issues, pages 228-252. Addison-Wesley Professional, 2004.
[21] Daniel J. Solove. Digital dossiers and the dissipation of fourth amendment privacy. Southern California Law Review, pages 1083-1167, 2002.
[22] Daniel J. Solove and Chris Jay Hoofnagle. A model regime of privacy protection. University of Illinois Law Review, pages 356-403, 2006.
[23] Indiana Harbor Belt Railroad Co. v. American Cyanamid Co., 916 F.2d 1174 (7th Cir. 1990).
[24] Universal City Studios Inc. v. Corley, 273 F.3d 429 (2d Cir. 2001).
[25] United States v. Forrester, 495 F.3d 1041 (9th Cir. 2007).
[26] Brandenburg v. Ohio, 395 U.S. 444 (1969).
[27] Organizacion JD Ltda. v. United States Dep't of Justice, 18 F.3d 91 (2d Cir. 1994).
[28] Eugene Volokh. Crime-facilitating speech. Stanford Law Review, 57:1095-1222, March 2005.