The Legal Risks of Security Research

Sunoo Park and Kendra Albert have published “A Researcher’s Guide to Some Legal Risks of Security Research.”

From a summary:

Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.

Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, its aims both to provide pragmatic guidance to those navigating today’s uncertain legal landscape, and to provoke public debate towards future reform.

Comprehensive, and well worth reading.

Here’s a Twitter thread by Kendra.

Posted on October 30, 2020 at 9:14 AM • 9 Comments


Winter October 30, 2020 10:25 AM

anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.

A rather comprehensive list of laws whose main aim is to stifle Research and Free Speech. Any law that makes it a criminal offense to warn consumers about the dangers they face, be it using a product or from applied policies, is nothing less than censorship.

xcv October 30, 2020 11:06 AM

cryptography export controls

They’re out of their minds. And that’s the NSA, which is military. They’re officers, and they took an oath.

An act of 13 May 1884 reverted to a simpler formulation:

“I, A.B., do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign or domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.”

This version remained in effect until the 1959 adoption of the present wording.

That oath is broken every time a military officer recommends that a U.S. citizen be committed to a mental hospital, “mental reservation” or insane asylum, or that gun rights be revoked for mental health. The “purpose of evasion” inherent in mental health treatment pursuant to the Gun Control Act of 1968 as amended, 18 U.S.C. Sect. 922: (d)(4), (g)(4), (h), without the Constitution, is to assume the power to arbitrarily disqualify U.S. persons from military enlistment and/or to arbitrarily impose a discharge on dishonorable conditions on such persons.

There’s a pseudo-religious “service cult” to the whole U.S. military; civil commitment and involuntary hospitalization for mental health are part and parcel of it. The officers drank too much in their quarters, and retained disreputable doctors to diagnose their inferiors and subordinates with mental illness at court-martial. The verdict of the court-martial is never properly explained to the civilian/patient/defendant, either.

ferritecore October 30, 2020 3:06 PM

My conclusion substantially overlaps yours in spite of the fact that I would emphasize “support and defend the Constitution of the United States” rather than “without any mental reservation or purpose of evasion”.

I find your interpretations of “mental reservation” and “purpose of evasion” to be novel and orthogonal to the conventional understanding of the phrase. Interesting enough that I don’t want to suggest that you are entirely wrong.

David October 30, 2020 5:54 PM

Last night I was at home and hungry and decided on an impulse to drive to my local Arby’s to get something to eat… Although the Arby’s is close by, I hadn’t eaten at any Arby’s at all for years, so I decided to look it up on Google Maps to make sure I knew how to get there and to see when they would close. I looked it up on my phone as well as my desktop computer. I drove there and ordered a meal via the drive-thru since there weren’t dine-in options yet due to COVID, and then drove home. I had my phone with me, and while waiting in the drive-thru I read some news articles on my phone in the car, but I remember I had not used the Instagram app, although it might have been in the background.

In any case, today at home I’m on Instagram and I see a big ad for Arby’s in the middle of my Instagram scroll… this is NOT a coincidence, since I don’t ever recall seeing any Arby’s advertisement for ages, certainly not one on Instagram!… now, the day after I visit Arby’s for the first time in years on a random spur of the moment, I see an Arby’s ad in my Instagram, which means there has to be a connection somewhere… this is NOT a coincidence…

The thing is, I’m using a Huawei P40 phone, which means it doesn’t even work with a Google account. The only reason I have Google Maps is because I installed the .apk manually, but I’m not “signed in” to anything Google on my phone and in fact I don’t even have Google Play services etc. on my Huawei phone at all… Heck, I don’t even have a Google account at all! Also I don’t have a Facebook account at all, just Instagram, so it’s not like it could have been via Facebook login. On my Huawei phone I use only mobile data and have never connected it to my home residential wifi at all… (unlimited data plan and living right next to a cell tower)… At Arby’s I paid with my debit card (MasterCard) linked to Bank of America instead of cash. And although I had geolocation enabled on my phone for Google Maps to work, for the Instagram app I set the location permission so that it would only give it location while I’m actively using the app itself… and while the app might have been a background process, I didn’t open or actively use the Instagram app at all during the entire time I was making my trip to Arby’s nor during the wait at the drive-thru…

So how did I get an Arby’s ad on my Instagram the day after I drove to Arby’s the evening before for the first time in years? Did the Instagram app itself get my geolocation and extrapolate that I must have been at Arby’s (I was in the drive-thru for at least five minutes) and then show me an Arby’s ad in their IG app? Or did my Bank of America sell my credit/debit purchase history info in more or less real time to some third party that somehow contributed to my Instagram account being able to display the targeted Arby’s ad to me? Or was Google somehow still in the middle of all of this because I used Google Maps to look up the location of Arby’s, although I don’t have it linked to any Google account and my Huawei phone doesn’t support a Google account or Google Play/services anyway! In any case, why would looking up something on Google Maps result in an ad on Facebook’s Instagram unless they had some sort of ad partnership or arrangement?

name.withheld.for.obvious.reasons October 31, 2020 5:00 AM

@ David
Two really good books on the subject, from the mind of Bruce Schneier of course: there is “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World” (ISBN 9780393352177), which provides the necessary data and information, the relationship between organizations, people, and the technological systems employed to achieve specific goals–such as marketing. But, more specifically, to go to your question related to realtime interaction, Mr. Schneier’s book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World” (ISBN 9780393608885) is appropriate.

Additionally there is “Surveillance Capitalism” by Shoshana Zuboff (ISBN 9781781256855). All of these I highly recommend as would many others of stature far exceeding my own. Commending is easy, especially after the problem description that you’ve given.

Your computer, that also works as a phone, is ratting you out–all the time. Secondly, the answer is yes; every one of your suspicions can be confirmed–and then some. Do not think there is not a premium to be had by marketing to someone in realtime–even if creepy. Not just marketing: realtime pricing manipulation and control is possible and is a reality. I think of it in the public square as: the discrimination of one, and all. Irrespective of those things, it is at the time prior to a purchase, beforehand, that is influential and opportunistic, making such marketing a high priority. The same reasons that these systems make you, the person just going about their business, a high priority. In a nutshell, the more intrusive and insidious or pernicious, the better–quickly press “I agree” to continue or perish.

Most people don’t connect the dots let alone the carbon nanotubes and graphene lattices that form the vertices pointing to their behaviors, habits, and character (to a degree). There is no doubt about the willingness of corporations, organizations, researchers, and technologists to pursue any technologically perceived “superior” and “useful” technology. Here is where the general population, the majority of individuals around the world are unable to name the thing that is affecting their lives in very profound and disturbing ways without really understanding the what, why, where and when–let alone who. And when I say who, I don’t mean a British rock band (what I call Brock) with Eric Clapton or Peter Frampton.

name.withheld.for.obvious.reasons October 31, 2020 5:09 AM

@ Bruce Schneier
Is this a parallel interest with the EFF’s latest call for papers, my words, about experiences with:
“Tell Us How You Want to Modify and Repair the Devices in Your Life”.

It appeared on EFF’s deeplinks on 29 OCT, an article from a staffer, Cara Gagliano.

I have quite a bit (more than 8, less than a googolplex) to offer on the topic, including the effect of government regulatory and behavioral actions. For example, I must treat the United States government as a hostile foreign actor that will do and say anything to subvert my research in a number of areas. Heck, if I were a journalist I’d have this concern. Oops, maybe I am one of those too. Never mind.

EvilKiru November 2, 2020 9:29 PM

@David: The Arby’s wifi sniffed your phone’s wifi and passed publicly available information on to their advertising partners, just like when you visit any national or regional chain store.

name.withheld.for.obvious.reasons November 3, 2020 11:57 PM

@ Bruce Schneier
I am completely surprised that this topic hasn’t raised more interest. This seems to be one of those big “Well, if you knew this was happening, why didn’t you do something about it?” situations. Just as the DMCA and the Library of Congress have managed to make a mess of the space that is copyright and knowledge (though the Library of Congress does not provide knowledge, just the basis for it). Just look at media and digital content: the space has become less transparent than before. And that is saying something. Starting from, say, tape, to disk, to portable media (Flash, Optical, etc.), each iteration seems to be more convoluted than the last. And the ability to archive and retrieve data held largely by the public that could one day find broad interest will quite possibly be lost.

We are becoming less able to peer into the spaces that control so much of the world; I am afraid we will suffer from this loss and what it portends. If academic and institutional research organizations cannot lay hold of the truth, what’s the chance the rest of us will?

xcv November 12, 2020 3:42 PM

@ ferritecore • October 30, 2020 3:06 PM

My conclusion substantially overlaps yours in spite of the fact that I would emphasize “support and defend the Constitution of the United States” rather than “without any mental reservation or purpose of evasion”.

“Mental reservations and purposes of evasion” are usually in reference to communist spies and draft-dodgers, who maintain a large mental health industry with numerous psychiatric wards, mental hospitals, and insane asylums throughout the United States.

Military officers in fraternization with psychiatrists, psychiatrists, mental health workers, therapists, counselors, and pharmacists, water-witching and ditch-digging — a little too picky and choosy about recruitment and fitness for duty, and whose lives they choose to ruin without cause, inside or outside the military.
