During our in-class discussion, we touched on various laws that could potentially restrict what could be construed as “legal”. Laws in various parts of the world may limit what you can do in order to research security vulnerabilities. The Electronic Frontier Foundation, www.eff.org, has posted an FAQ article regarding coders’ rights when reverse engineering software. ( https://www.eff.org/issues/coders/reverse-engineering-faq )
Penetration testing can be considered security research; after reading this article, how would you ensure that your actions as a security researcher stay within the exceptions provided by DMCA Section 1201?
Dan Bilenker says
Penetration testing can be considered security research; after reading this article, how would you ensure that your actions as a security researcher stay within the exceptions provided by DMCA Section 1201?
The basis of your research should be identified in the agreement between the parties prior to undertaking the research. A quick note on contract law: there are FIVE elements required to make a contract valid. These are:
1.) Offer – Any contract requires a demand of some sort. In this case, my IT firm is promising to conduct security testing on another firm’s systems.
2.) Acceptance – Both parties must agree to the terms in the contract. In IT, the firm being audited must agree to the methods, time frame, and systems being tested. The IT auditor must agree to abide by those terms.
3.) Consideration – Both parties are to receive a tangible benefit. My firm is being paid to conduct security testing for another firm. I am promising to conduct the tests and deliver the results, in exchange for compensation.
4.) Capacity – Both parties must be legally able to authorize the contract. A random IT worker is not authorized to initiate this contract, and my workers are not authorized to accept the contract without my discretion.
5.) Lawful Purpose – The contract must be for a legal purpose.
If any of these elements are missing, the contract is null. Assuming you have these elements in your contract, staying within DMCA Section 1201 Exceptions is easier as many are laid out in the elements of a valid contract.
1.) Per the initial contract, I have obtained the right to access the client’s systems and data. My client is aware of the methods I intend to use, and off limits areas or times have been identified.
2.) Per the contract, I am promising to disclose the information I collect to the client, while respecting their right to privacy, nondisclosure to third parties, and integrity of their data & proprietary information.
3.) I am to abide by the guidelines agreed upon in the contract, and not deviate from those without disclosure and approval of the client, which may require an addendum to the original contract.
4.) The techniques used are for the sole purpose of gathering the information requested by the client, and I am not using any techniques to access systems or information beyond what is specified in the contract.
5.) Any results from my test, used to create corrective measures for other clients, will not infringe upon copyrighted material of the client, nor will it infringe upon the intellectual property of my client. Additionally, I will not disclose information about the client.
6.) I am authorized by the client to undertake these measures, for legitimate purposes, to identify risks and vulnerabilities on their behalf. I am also properly credentialed, and certified to be taking these measures.
7.) I will provide my findings to the client NLT the agreed upon date. Should the project take longer than anticipated, I will notify the client in advance of the completion date.
Brandan Mackowsky says
Dan,
I really thought the explanation of the 5 elements needed to make a valid contract was very beneficial in providing insight to the post. Through analysis of this, it is crucial to ensure that the elements of a valid contract are met in order to avoid legal issues when conducting or utilizing research contained within a firm’s security plan and setup. By having this information clearly stated and laid out prior to beginning research, the researcher remains safe and avoids any potential litigation, provided it is clearly stated in the valid contract.
Duy Nguyen says
Based on the readings and the class presentation, for a researcher to be absolutely sure, one must have a clearly written agreement on what is to be tested and when. Written permission from the appropriate authority is always critical; permission of any kind from a person with no authority on the subject matter is useless. In addition to permissions, the areas below should be included and expanded on:
• Contractual liability: what is included and what the researcher is liable for, and any insurance if needed
• What the researcher is responsible for testing or researching, and the time frame, if any, for the test to take place, versus incognito penetration testing. What type of systems the client has, what is on and off the table, and what type of scope the organization is expecting from this research.
• Clearly define what is to be done if critical data or information is encountered.
The most important point is still getting written permission and definition of scope before any system interaction.
Vince Kelly says
Definitely agree with your reply Duy as well as Daniel’s reply – having everything in writing that is as explicit and transparent as possible and spelled out contractually is critical whether or not DMCA or any other laws apply, but that being said (and I may be WAAAAAY off base here, so correct me if I’m wrong), it appears that testing the security of computer systems is expressly permitted as an exception under DMCA Section 1201 (see my post below), so doesn’t that make the DMCA consideration moot?
Vince Kelly says
I’m probably completely misunderstanding the question here but according to the article, Section 1201 of the DMCA is an anti-circumvention provision which:
“…prohibits circumvention of “technological protection measures” that “effectively control access” to copyrighted works. The law also prohibits trafficking in tools that are primarily designed, valuable or marketed for such circumvention.”
This being the case, as I understand it, Section 1201 prohibits the act of decoding, decompiling, disassembling or in any other way dismantling, disabling or trying to undo any copy-protection system or protective measures that have been put in place in order to keep trade secrets, copyrighted or otherwise legally protected material from being known, disclosed or profited from, (without legal consent of course).
But THAT being said, according to
“The Law and Economics of Reverse Engineering” (page 1635, https://www.law.berkeley.edu/php-programs/faculty/facultyPubsPDF.php?facID=346&pubID=142):
“DMCA now permits circumvention for seven purposes:
1. Legitimate law enforcement and national security purposes
2. Achieving program-to-program interoperability
3. Engaging in ‘legitimate’ encryption research
4. Testing the security of computer systems
5. Enabling nonprofit libraries, archives and educational institutions to make purchasing decisions
6. Allowing parents to control their children’s use of the Internet
7. Protecting personal privacy
Circumventing access controls is also held to be lawful in two other circumstances:
1. When an access control system is broken
2. When the person doing the circumvention has the right to access the material, and when circumvention is necessary to assess the effectiveness of a software filtering program to determine which sites it blocks.”
So if the question is:
“how would you ensure that your actions as a security researcher stay within the exceptions provided by DMCA Section 1201?”
Then according to the interpretation of the law by the UC Berkeley whitepaper cited above, security researchers are exempt from DMCA Section 1201 because of point number 4 of the seven exceptions to DMCA Section 1201, (Testing the security of computer systems).
Am I missing something here?
Dan Bilenker says
I don’t think you’re missing anything. From my understanding, although auditors/researchers are allowed to perform reverse engineering per point 4, it’s not carte blanche permission. There are still rules that need to be followed in performing the reverse engineering, and legalities that need to be considered. The major concern is that an auditor may exploit their opportunity to reverse engineer a client’s system and profit off of it. For example, a medical technology firm pays you to test a networked system they have developed. In testing, you find vulnerabilities, and decide to try to use the opportunity to sell your fixes back to the client, or to a third party. Although you are allowed to have performed the testing, your original agreement with the client/the legal framework prohibits you from attempting to further profit off of the exposed vulnerabilities.
At least that’s what I took away from it.
Duy Nguyen says
Hi guys, good point. I definitely agree a client must be able to protect their vulnerabilities by ensuring that the testers they’ve allowed on their system will not sell their findings. No organization would like to broadcast the holes in their information systems.
Vince Kelly says
I completely agree – absolutely no doubt that you need to have everything in place, documented and agreed upon in writing (and structured in such a way that it holds up under any form of legal scrutiny). I also agree that point 4 – as Daniel correctly observed is:
“… not a carte blanche permission. There are still rules that need to be followed in performing the reverse engineering, and legalities that need to be considered.”
I think we are all in total agreement here. BUT that being said, and again as I understand it, Section 1201 is about the circumvention of any protection measures that have been put in place in order to *prevent* reverse engineering.
The definition per Section 1201.
“…prohibits circumvention of “technological protection measures” that “effectively control access”
So in my mind, Section 1201 really isn’t about reverse engineering, it’s really just a narrow definition that’s focused on disabling any kind of mechanisms that may have been put in place in order to stop the reverse engineering process *BEFORE* it starts – i.e., trying to circumvent access protection “door locks” in order to actually perform the reverse engineering activity.
As I understand it, according to point number 4, disabling those “door lock” mechanisms in order to start the reverse engineering process is legal as long as you are doing security research – right?
Dan Bilenker says
I believe that you are correct. If the circumvention of the measure is:
a.) for the purpose of performing authorized testing
b.) expressly authorized in the contractual agreement
c.) performed using legal testing methods
You are authorized to disable or circumvent security measures.
Jonathan Reid Kerr says
There are many important aspects of making sure that the actions you take are legal:
– Make sure that you have written permission from all involved parties, and that permission is given by those who have authority to do so. This way you have explicit permission, by the company, to access otherwise sensitive information.
– Make sure that you clearly outline the extent of your research when writing the initial contract. This includes the time-frame, the intention of the tests, the access to potentially confidential information, and any other restrictions that the company may have.
– When writing reports on the results found make sure that it is kept confidential and that, within the contract, there are specific guidelines for the handling of sensitive information.
– If you are uncertain if something is legal or not, consult with a lawyer who specializes in this field, be sure that what you’re doing falls within the bounds of the law.
From what I have read, an important area to consider is the gathering of information during a test. This also includes information gathered as a result of testing, such as any vulnerabilities or the condition of a company’s security operation. This is where I would look to be as careful as possible, especially if there are no specific guidelines regarding the dissemination of information within the contract.
Brandan Mackowsky says
In order to stay within the exceptions provided by the DMCA, it is crucial to understand what could potentially infringe upon copyrights based around the reverse engineering of software. By understanding that nondisclosure agreements may be affected or legal liability may be present, it is crucial to understand what limits any legal action prior to entering into any reverse engineering of software. The most critical thing to cover in this realm is generating a written legal contract that clearly states the purpose, what will be tested, why it is being tested, how it will be tested, and when it will be tested. By ensuring that all aspects of the contract are met, the contract will remain valid and serve as a clear indicator as to what is allowed while reverse engineering any software. To ensure legality, make sure that written permission to activate the contract has been provided prior to initiating any testing. Ensure that all testing conducted is within the defined scope in the contract, and make sure that all research remains private unless otherwise stated in written permission from the concerned parties. Lastly, make sure that information obtained from the testing is not used to assist other parties not defined in the contract, or for personal gain to redevelop software that was accessed, as this can cause concern for the copyrights defined for the software. Any grey areas that may exist should be referred to a lawyer who can conduct legal research and ensure copyright law is not violated when conducting or planning testing.