White Hats and Computer Crime Law

An issue of growing importance to the IT security community is that computer crime laws are written so broadly they arguably prohibit legitimate security activities. A law like the federal Computer Fraud and Abuse Act can roughly be interpreted to punish unauthorized access to a computer which causes the computer owner a problem. But sometimes responsible security professionals have good reason to do just that on the Internet.

Example: Security professionals researching applications for weaknesses produce valuable results for the computing community. They find vulnerabilities that application developers have overlooked. But historically these good researchers have performed their testing with examples of the applications loaded on their own computers. Now, under Web 2.0 applications reside on servers available on the Internet. So if an independent researcher tests the security of a Web 2.0 application via the Internet, some have argued she is accessing a computer (i.e., the server) without authority and therefore committing a crime.

I, however, believe criminal law is enlightened enough to distinguish between white hat hacking and black hat hacking. Criminal law has long recognized that someone suspected of a crime can raise defenses such as necessity and self-defense. And in practice the legal system generally declines to prosecute people who arguably cross a boundary, but with valid reason. See the CSI Working Group on Web Security Research Law, Inaugural Report, June 11, 2007. It suggests a Web 2.0 researcher can avoid prosecution if, among other things, she does not cover her tracks (such as with anit-forensics tools) or attempt to blackmail the developer of the application she researches.


Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update: See what Facebook says on the subject of security research.