~3 hr. Write a 2-page personal ethics statement covering CFAA, DMCA §1201, state-law variation, and professional-conduct boundaries. The statement is the standing position your per-action records express; you carry it forward into industry work.
Goal: ship ~/adv-101/lab-10/ethics-statement.md of ~2 pages (~800-1200 words). Covers CFAA, DMCA §1201, state law specific to your jurisdiction, and at least one professional-conduct framework (SDVOSB engagement; bug-bounty safe harbor; academic IRB; or contractual / consulting boundaries).
Estimated time: ~3 hr.
Prerequisites: Week 10 lecture. Lab 9 (disclosure-draft practice; informs the CVD-position section).
Authorization line: Lab 10 is paper-only.
Lab 10 session, 2026-MM-DD HH:MM. Personal ethics-statement drafting; no hardware contact.
Setup
mkdir -p ~/adv-101/lab-10
cd ~/adv-101/lab-10
Have ready:
- Notes from Week 10 lecture
- CFAA §1030 (Cornell LII link bookmarked)
- Van Buren ruling syllabus
- DMCA §1201 + 2024 triennial exemption
- Your jurisdiction's state computer-crime statute
- EFF Coders' Rights Project page
Part A: Outline (~30 min)
The 2-page format admits these sections (adjust as your articulation requires):
- Personal posture (~150 words). Who you are; what professional path you intend; why ethics matters in that path specifically.
- CFAA position (~200 words). How you interpret "without authorization" and "exceeds authorized access" post-Van Buren; what behaviors you commit to; what behaviors you decline.
- DMCA §1201 position (~150 words). When you operate under the security-research exemption; how you stay within its conditions; what you do if a future renewal lapses.
- State-law position (~150 words). The specific state-law statute that applies to you; the major differences from CFAA in your jurisdiction; how you adapt.
- Professional-conduct position (~150 words). The engagement framework you expect to operate under (SDVOSB; bug-bounty; in-house red team; academic research); the specific commitments that framework requires.
- Standing escalation procedure (~100 words). When you stop and ask versus when you proceed; who you escalate to; how you document.
- Personal commitment (~100 words). What you commit to your future self about this work.
Total ~1000 words; that's ~2 pages at standard formatting.
Part B: Draft (~120 min)
Write each section in your own voice. The statement is YOURS; the academy provides the framework but not the words.
Worked example for the CFAA position section (your version should differ in voice and specifics):
## CFAA position
My reading of CFAA §1030 after Van Buren v. United States (2021) is that
"exceeds authorized access" has been narrowed to "accessing information or
files that the user has no permission to access at all," but the statute's
"without authorization" reach remains broad. The narrowing is welcome but
not a complete safety valve.
In practice, my CFAA discipline is:
- Every authorized access has a documented authorization basis. The cohort
cyber-use authorization is my working example; in industry work, a signed
statement of work, a written bug-bounty program acceptance, or a written
contract serves the same role.
- I do not rely on verbal authorization. Verbal authorization can be
withdrawn or denied retroactively; written cannot.
- When authorization status is ambiguous, I stop and clarify before proceeding.
The cost of pausing to ask is bounded; the cost of acting without
authorization is unbounded.
- I document my interpretation of "authorized" at the start of any engagement.
If the system owner later disagrees, my documentation is the evidence base
for good-faith adherence.
I commit to NOT relying on the Van Buren narrowing as an affirmative defense
in any work where authorization is genuinely ambiguous. The narrowing reduces
prosecutorial risk for accidental-overreach cases; it does not authorize
intentional ambiguity-exploitation.
The voice is direct; the commitments are specific; the citations are accurate.
Part C: Self-review against the rubric (~30 min)
Score your draft against:
- Personal posture present and specific (not generic)
- CFAA position cites §1030 + Van Buren accurately
- DMCA §1201 position cites the triennial-exemption mechanism
- State-law position names your specific state's statute
- Professional-conduct position picks a SPECIFIC framework (not all of them; you pick the one you most expect to operate under)
- Standing escalation procedure has specific triggers ("when X, I do Y")
- Personal commitment is in your voice, not boilerplate
- Total ~800-1200 words (2 pages at standard formatting)
- No marketing language; no em-dashes; voice is practitioner-direct
- References are real (CFAA section number; Van Buren citation; DMCA section; state statute number)
Fix any unchecked items.
Part D: Commit + portfolio (~15 min)
cd ~/adv-101/lab-10
git add ethics-statement.md
git commit -m "Lab 10: personal ethics statement (CFAA + DMCA §1201 + state law + professional-conduct + standing escalation)"
cd ~/adv-101
cat >> lab-portfolio.md <<EOF
### Lab 10 session, 2026-MM-DD HH:MM
**Target:** none (paper-only)
**Action:** drafted personal ethics statement covering CFAA, DMCA §1201, <state>, and
<professional-conduct framework>
**Authorization basis:** paper-only
**Session duration:** ~3h
**Artifacts produced:** lab-10/ethics-statement.md
**Incidents:** none
EOF
git add lab-portfolio.md
git commit -m "Portfolio: Lab 10 session entry"
Expected output / artifact
~/adv-101/lab-10/ethics-statement.md: ~800-1200 words; 7 sections per the outline; in your voice; with real citations.
What's the failure mode?
- Generic statement. "I will always do the right thing" is not a statement; it is a placeholder. Specific commitments are the discipline.
- Boilerplate citations. Citing CFAA without a specific subsection; citing DMCA without a section number; citing "state law" without naming the state. The specificity is the artifact.
- Avoiding personal commitments. "A researcher should..." is third-person; the statement is YOUR commitments in first person.
- Missing escalation procedure. "When in doubt, I'll figure it out" is not a procedure. A procedure has triggers ("when X happens, I do Y") and accountability ("I escalate to Z").
Common pitfalls
- Picking too many professional-conduct frameworks. SDVOSB AND bug-bounty AND IRB AND consulting; the statement becomes a tour rather than a commitment. Pick the ONE you most expect to operate under.
- Hedging. "I would consider stopping if..." is not a commitment. "I stop if..." is.
- Ignoring jurisdiction. State law varies; the statement that does not name a specific state is incomplete for the assigned scope.
- Treating the statement as a contract. The statement is a standing position; it can evolve over a career. Acknowledge the evolution in the closing commitment if it helps.
What would a reviewer ask?
- "Walk me through your standing escalation procedure. What is the trigger? Who do you escalate to in your current context?"
- "Your state-law position cites . Does it differ from CFAA in any way that affects your day-to-day work?"
- "The 2024 DMCA triennial exemption lapses in 2027. What is your contingency?"
Stretch (optional)
- Write the statement for two different paths. One for SDVOSB engagement work; one for bug-bounty solo work. Compare what changes and what stays the same.
- Read an academic-research IRB protocol (if you have access to a university). Compare the IRB framework to the academy cyber-use authorization. What does each capture that the other does not?
- Draft a contract clause. Write the engagement-letter clause that captures your CFAA position. The clause is what a client would sign; it must be specific and unambiguous.
- Read EFF's amicus briefs on CFAA cases. The EFF has filed in many CFAA prosecutions; the briefs articulate legal-defense reasoning you may want to internalize.
Lab 10 v0.1.