Security researchers often walk a very thin line between what is legal and what is illegal, and knowing the difference is not all that easy, especially given the current state of the law.
So what do security researchers need to know about the law? Attorney Marcia Hoffman addressed that question during a pair of speaking sessions at the Black Hat and DEF CON security conferences last week. While there are risks associated with computer security research and hacking, Hoffman, who works with the Electronic Frontier Foundation (EFF) and currently runs her own legal practice, said that the goal of her talk was not to scare people. Rather her purpose is to increase awareness about some of the sticky situations the law can create.
The primary law that security researchers need to be concerned about is the Computer Fraud and Abuse Act (CFAA). Originally passed in 1984, the CFAA was a response to the movie War Games, according to Hoffman. Members of Congress apparently saw the movie and got worried, she said.