Online security is a disaster and the people who investigate it are being sued into silence

mostlysignssomeportents:

The only thing worse than driving a car with defective brakes is unknowingly driving a car with defective brakes – and learning about them the hard way.

That’s why Zack Whittaker’s excellent roundup of civil lawsuits filed
against infosec researchers and journalists is so fucking terrifying.
Deep-pocketed, thin-skinned companies are able to abuse the law in bids
to become the custodians of who can utter inconvenient truths about the
defects in their products. Whittaker describes these suits and threats
used against young, independent researchers, senior researchers at large
corporations, and journalists who report on their findings.

He also reveals that in the past year his own employer, ZDNet, “did not
publish three security stories after researchers abandoned their work,
fearing legal threats.”

The belligerents involved in these suits run the gamut as well: there’s
Keeper Security, suing Ars Technica and reporter Dan Goodin over news of
a defect in their flagship password manager; River City Media is suing
veteran security researcher Chris Vickery, reporter Steve Ragan and his
publisher CSO over an investigation into evidence that River City had
been running a “massive, illegal spam operation…using illegal IP
hijacking techniques during some of their campaigns”; PwC threatened to
sue a researcher who found a defect in a security product; Ashley
Madison threatened to sue a reporter who obtained information suggesting
the company had hacked its competition; drone maker DJI threatened to sue
a researcher who submitted a critical bug to its bug-bounty program.

Whittaker quotes researchers who say they’re now just dumping bugs
anonymously, rather than risking civil liability for going through
channels.

Securing computers is hard. Getting it right requires, at a minimum:

1. The right to investigate computers;

2. The right to tell the truth about what you find in those investigations; and

3. The right to reconfigure computers to try to fix defects that affect you or people you want to help.

This is the minimum, necessary precondition for security. But laws like
the CFAA and DMCA 1201, as well as license agreements, civil threats,
weak anti-SLAPP protections and patchwork cost-shifting mechanisms for
people victimized by corporations seeking to silence them, mean that all
of these are under threat.

Our world is made of computers; they are woven into devices in our
bodies and devices we put our bodies into – they hold the power of
financial security, integrity in our health and personal information,
and even life-or-death. Unless we get this right, we are in enormous
trouble.

https://boingboing.net/2018/02/21/we-are-doomed.html