EFF on how researchers should navigate anti-hacking laws

US attorney and Electronic Frontier Foundation fellow Marcia Hofmann has offered advice on how security researchers can better protect themselves from violating fraud and hacking laws.  

Speaking at this year's Black Hat 2013 in Las Vegas, Hofmann said researchers should seek legal advice prior to commencing work that could potentially breach hackings laws.

"My goal here is to help educate and inform you about some of the potentially sticky situations that the law creates so you can recognise them early and talk to a lawyer to help you navigate them," Hofmann said.

Researchers must also brush up on the policies and confidentiality agreements relating to relevant organisations, he said.

Many in the security industry say the 30-year-old US Computer Fraud and Abuse Act was broadly worded, leading to what Hofmann said were  "very unfortunate" situations.

She pointed to the case of Andrew Auernheimer, aka Weev, the security researcher recently sentenced to 41 months in prison for discovering and exploiting a weakness on the website of AT&T.

She was part of the legal team that has filed an appeal in this case.

Auernheimer presented the data and information regarding his hack to the news and gossip blog Gawker without first informing AT&T. Hofmann said researchers who take similar actions could complicate their situation.

“If you're in a tense situation and you're talking about it publicly, that ups the ante,” she said.

She said the "vague language" of US hacking laws lent itself to "selective enforcement", but said a security professionals credentials as a white hat were "atmospherics that do help"

This article originally appeared at scmagazineus.com