Marcia Hoffman speaks at Black Hat
Posted by: Timothy Weaver on 07/24/2013 03:37 PM
The Computer Fraud and Abuse Act (CFAA), enacted in 1986 and revisited several times since, is still littered with loopholes and nuances that can be leveraged by a prosecutor in a criminal case, or turned against a white hat in civil litigation.
Two examples show how extreme the consequences can be. Aaron Swartz was looking at decades in prison, if convicted, for accessing an MIT database of articles; he committed suicide in January before his case concluded. Andrew Auernheimer, also known as weev, was sentenced to 41 months in prison for violating the CFAA by conspiring with codefendant Daniel Spitler in a breach of AT&T’s iPad registration process and exposing the data online.
These two cases in particular illustrate how prosecutors can take advantage of weaknesses in the language of the law and, in some cases, stack violations one atop another, resulting in sentences that rival or exceed those given to violent criminals.
Marcia Hoffman, an attorney and fellow at the Electronic Frontier Foundation, will be speaking next week at the Black Hat Briefings in Las Vegas on the topic.
“The reason I wanted to give this talk is that I feel like people are paying a lot of attention to the CFAA and there are fears and concerns about it,” Hoffman said. “The discussion was prompted by Aaron Swartz’s tragic death, and I think that is a situation we need to talk about and consider. There are other things in the act that may be relevant to researchers and their work that they don’t know about.”
“Researchers are unsettled about how vague the (CFAA) is and unsure if they do X-Y-Z whether it violates the law,” Hoffman said. “Loss is not discussed much either, and I doubt they know a lot about it; they worry more about unauthorized access.”
Hoffman’s talk will focus on a number of potential gotchas in the CFAA that concern researchers, such as whether port scanning is legal, or how violations of terms of service can be considered crimes or grounds for civil action. She also said she plans to spend time covering Swartz’s and weev’s cases, despite the fact that weev is a controversial and polarizing figure in the security community.
“It’s important to realize that edgy CFAA prosecutions are like this; there are situations where the government is looking for an excuse to go after somebody and this is how they do it, by coming up with a novel, aggressive CFAA argument,” Hoffman said. “If the government wins, case law is established that applies to everybody; that’s why [researchers] need to care, even if they don’t like weev or think what he did was appropriate. Even those who are not fans agree what he went to prison for was not worth three and a half years.”