We are excited to announce the release of A Researcher’s Guide to Some Legal Risks of Security Research (pdf), a report authored by Sunoo Park and Kendra Albert, and co-published by the Cyberlaw Clinic and the Electronic Frontier Foundation (EFF). Just last month, over 75 prominent security researchers signed a letter urging the Supreme Court not to interpret the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking / computer crime statute, in a way that would criminalize swaths of valuable security research. The case in question, Van Buren v. United States, is still pending. Meanwhile, security researchers routinely face legal risks and receive legal threats, with documented chilling effects on their work.
This harms security research, which in turn harms the security of the technologies on which we all increasingly rely. Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.
Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, it aims both to provide pragmatic guidance to those navigating today’s uncertain legal landscape, and to provoke public debate towards future reform.
Sunoo Park (HLS JD ’21, MIT PhD ’18) is a cryptography scholar and Harvard Law School student who enrolled in the Cyberlaw Clinic in fall 2019, during her 2L year. Kendra Albert is a Clinical Instructor and leads many of the Clinic’s projects relating to security research.