
Week 10: Professional Ethics; CFAA; DMCA §1201; State Law; SDVOSB Rules


The legal framework. CFAA's "exceeds authorized access" reach; DMCA §1201's anti-circumvention provision; state-law variation; the engagement rules SDVOSB and consulting work impose. The lab is a 2-page personal ethics statement.

Theme

ADV-101 is the academy's offensive-track course, and its graduates go on to do professional security research. That work happens in a legal environment that does not always distinguish security research from criminal activity at the surface. Week 10 surfaces the framework that lets a researcher operate within the legal environment without becoming the prosecution's example case.

Three U.S. statutes do most of the work:

  • CFAA (Computer Fraud and Abuse Act, 18 U.S.C. §1030). The federal anti-hacking statute. Its broad reach is its problem; "exceeds authorized access" can be argued to apply to behaviors the researcher considered routine. The Van Buren ruling (2021) narrowed the reach but did not eliminate it.

  • DMCA §1201 (Digital Millennium Copyright Act, anti-circumvention). Bans circumventing technological measures that control access to copyrighted works. RE work routinely touches DRM; without the triennial DMCA exemption for security research, RE work would be uniformly actionable.

  • State computer-crime statutes. Vary by state; some narrower than CFAA, some broader. The state where the conduct occurs (researcher's residence; target's location) determines what applies.

Beyond U.S. statutes, professional-conduct frameworks shape engagement work:

  • SDVOSB engagement rules. Service-disabled veteran-owned small businesses (and other federal-contract security vendors) operate under contract-specific scopes and federal-acquisition rules.
  • Bug-bounty safe harbors. HackerOne and Bugcrowd publish per-program safe-harbor language; the program's terms define what the researcher can do.

The lab is a 2-page personal ethics statement. The student articulates their own ethical position covering each framework: when do you act; when do you abstain; how do you document; how do you escalate. The statement is the artifact the student carries forward into industry work.

By the end of Week 10 you can: cite CFAA §1030(a)(2) and §1030(e)(6) and the Van Buren narrowing; explain DMCA §1201 and the triennial exemption for security research; name two state-law variations that affect security research; articulate a personal ethics position you can defend.

Schneier weave (~290 words, A Hacker's Mind Ch 17)

Schneier devotes Chapter 17 of A Hacker's Mind to the question of how legal systems handle adversarial behavior that the system did not anticipate. His worked examples include tax avoidance versus tax evasion (the line between "use of the rules" and "violation of the rules" is itself a hack of the rules), high-frequency trading (which exploits microsecond-scale latency differences the regulators did not anticipate), and the security research community's negotiation with CFAA (where the statute's broad language created prosecutorial latitude the researchers worked for decades to narrow).

Schneier's argument is that legal systems are themselves rule systems that hackers (in his broad sense) probe. The 1986 CFAA was drafted in a world without the modern Internet; the statute's "exceeds authorized access" phrase was written by drafters who could not have foreseen that decades later it would be applied to web-scraping cases, security-research cases, and academic-research cases. Each application is a hack of the rule system, executed by prosecutors operating within the statute's broad language.

The implication for the ADV-101 student is that operating within ambiguous law requires more discipline than operating within clear law. CFAA's ambiguity is the reason the cohort signs the cyber-use authorization document; the document is the artifact that converts ambiguous "authorized" into documented "authorized." DMCA §1201's anti-circumvention reach is the reason RE work happens under the triennial-renewed security-research exemption; without the exemption, RE itself would be legally fraught.

Schneier's broader argument is that the discipline of operating within an ambiguous rule system is the discipline that distinguishes a hacker who builds something durable (Aaron Swartz's open-access advocacy; Marcus Hutchins's malware research) from a hacker who builds something that gets prosecuted. The ADV-101 ethics framework is the academy's attempt to teach the discipline directly. Week 10's lab is your first articulation of where you, personally, draw the lines.

Reading list (~1 hour)

  1. Schneier, A Hacker's Mind, Ch 17 ("Hacking the Law"). Academy library; calibre id 677.
  2. U.S. Code, 18 U.S.C. §1030 at https://www.law.cornell.edu/uscode/text/18/1030. Read §1030(a)(2) and §1030(e)(6) ("exceeds authorized access"). The statute that defines the federal dividing line.
  3. Van Buren v. United States (2021) at https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. Read the syllabus + Section II. The Supreme Court's narrowing of "exceeds authorized access."
  4. DMCA §1201 at https://www.copyright.gov/title17/92chap12.html. Read §1201(a) and (b). The anti-circumvention provision.
  5. 2024 DMCA §1201 Triennial Exemption: Security Research at https://www.copyright.gov/1201/2024/. Read the security-research exemption text. The safety valve for RE work.
  6. EFF Coders' Rights Project at https://www.eff.org/issues/coders. The legal-aid resource for security researchers.
  7. Marcus Hutchins case background: WIRED's coverage at https://www.wired.com/story/marcus-hutchins-malware-prosecution/ or any reputable journalism on the case. Read for the contemporary cautionary tale.

Lecture outline (~50 min)

Part 1: CFAA §1030 (15 min)

  • The structure of §1030. Seven subsections covering accessing a computer without authorization, exceeding authorized access, transmitting damaging code, trafficking in passwords, conspiracy, threats, and extortion. Each has specific elements; §1030(a)(2) (the "access" subsection) is the most-cited in security-research cases.
  • "Without authorization" vs "exceeds authorized access." Pre-Van Buren, the latter was the prosecutor's preferred theory because it could be argued against researchers who had some legitimate access but used it in ways the system owner disapproved of.
  • Van Buren v. United States (2021). The Supreme Court narrowed "exceeds authorized access" to mean "accessing information or files that the user has no permission to access at all" rather than "using authorized access for a purpose the system owner disapproved." This narrowed the prosecutor's reach significantly but did not eliminate it.
  • What Van Buren did NOT do. The decision left open "without authorization" cases (where there is no legitimate access at all). The decision did not address state-law equivalents. The decision did not give security researchers an affirmative defense; the researcher's burden is still to demonstrate authorization.
  • The Aaron Swartz case. Swartz had legitimate JSTOR access as an MIT visitor; the prosecution argued his bulk download exceeded authorization. The case predated Van Buren; post-Van Buren the theory might have failed; as it stood, the case caused Swartz's death by suicide while he faced decades of imprisonment. The case is the cautionary tale that motivated the CFAA-reform movement.

Part 2: DMCA §1201 (10 min)

  • The anti-circumvention provision. §1201(a) prohibits circumventing technological measures that control access to copyrighted works. §1201(b) prohibits trafficking in tools that do the circumventing. Both are broad.
  • Why this affects security research. Reverse-engineering firmware often touches DRM (the firmware is encrypted; the protections are technological measures; circumventing them is the work). Without an exemption, RE itself is potentially actionable.
  • The triennial exemption. Every three years the Copyright Office reviews exemption petitions and grants narrow exemptions for specific categories. Security research is one of the recurring exemptions; the 2024 exemption (most recent at academy-time) permits good-faith security testing of consumer devices.
  • The exemption's limits. Specific scope (academic + good-faith); specific conditions (do not bypass for unauthorized commercial purposes; do not redistribute the circumvention tools). The exemption is narrower than the security-research community would prefer; ongoing advocacy continues.

Part 3: State-law variation (10 min)

  • Why state law matters. Most computer-crime cases are prosecuted at the state level. California, Texas, and New York all have computer-crime statutes; each has a different "authorized access" definition, different penalties, and a different statute of limitations.
  • Two example variations.
    • California Penal Code §502. "Authorized access" defined narrowly; some scope-disagreement scenarios are state-law actionable even if Van Buren narrowed CFAA.
    • Texas Penal Code §33.02. Broader than CFAA in some respects; narrower in others.
  • Practical implication. Know the state where you and your target reside. The cohort cyber-use authorization document is intended to provide written authorization that satisfies state-law variation; verify with academy counsel if a specific cohort spans multiple states.

Part 4: Professional engagement frameworks (10 min)

  • SDVOSB (Service-Disabled Veteran-Owned Small Business) engagement rules. Federal contractors operate under FAR (Federal Acquisition Regulation); per-contract scope statements; specific deliverable requirements. ADV-101 graduates entering federal-contract work inherit these rules; the academy's discipline transfers.
  • Bug-bounty safe harbors. Per-program; HackerOne, Bugcrowd, Synack, Open Bug Bounty, etc. each have program-specific terms. The researcher's protection is the program's specific safe-harbor language; "I assumed it was OK" is not protection.
  • Penetration-testing engagement letters. The pre-engagement statement of work defines what the tester can do; behaviors outside the SoW are unauthorized regardless of intent. The TrustedSec sample engagement letter and the OWASP Penetration Testing Execution Standard pre-engagement guidance are industry references.
  • Academic ethics review. University-based security research often falls under IRB (Institutional Review Board) review when human-subject data is involved. ADV-101 work on hardware does not typically require IRB; work on services involving real user data does.

Disclosure-Ethics Sidebar

Norm system | Week 10 | The personal ethics statement does
--- | --- | ---
Responsible disclosure | The statement names how the researcher will handle vendor non-response | Frame the researcher's commitment to the CVD framework
Academic ethics | The statement names how the researcher will handle scope ambiguity | Document the researcher's escalation procedure
Legal authorization | The statement names how the researcher will document authorization | Establish the researcher's pre-commitment to discipline

The personal ethics statement is the researcher's commitment to their own future self. The lab portfolio is the per-action record; the ethics statement is the standing position the per-action records express.

Labs (~3 hr)

Lab 10: Personal Ethics Statement (labs/lab-10-ethics.md)

  • Goal: write a 2-page personal ethics statement covering CFAA, DMCA §1201, state-law variation, and professional-conduct boundaries
  • Time: ~3 hr
  • Artifact: lab-10/ethics-statement.md in ~/adv-101/lab-10/

Independent practice (~5 hr)

  1. Read three security-research-prosecution case backgrounds (1.5 hr). Aaron Swartz (suicide while facing CFAA charges); Marcus Hutchins (Kronos malware case; eventual probation after lengthy detention); weev (CFAA conviction overturned on jurisdictional grounds). Each shows a different failure mode of the legal framework. WIRED, EFF, and Krebs on Security are reliable sources.
  2. Read EFF Coders' Rights Project in full (1.5 hr). The legal-aid resource for security researchers; bookmark.
  3. Schneier A Hacker's Mind Ch 18 (45 min). Continues the legal-framework analysis.
  4. State-law lookup for your jurisdiction (45 min). Identify the state where you reside; look up the state's computer-crime statute; compare to CFAA. Cite the specific section number.
  5. Bug-bounty safe-harbor reading (30 min). HackerOne's standard safe-harbor language at https://www.hackerone.com/policy/disclosure-guidelines; one specific program's safe-harbor (your choice). Compare.

Reflection prompts (~30 min)

  1. CFAA's "exceeds authorized access" was narrowed by Van Buren. Is the narrowing sufficient? What ambiguity remains?
  2. DMCA §1201's triennial security-research exemption is granted in 3-year cycles. What does the cyclical nature say about the legal community's posture toward security research?
  3. State-law variation means the same conduct can be legal in one state and actionable in another. How does this affect cross-state remote work?
  4. Your personal ethics statement is the standing position the per-action records express. Will the statement change over your career? In what direction?
  5. What is one thing from this week you want to know more about?

Adversary Diary (Week 10)

New entries:

  • U.S. Code, 18 U.S.C. §1030 at https://www.law.cornell.edu/uscode/text/18/1030. The CFAA full text.
  • Van Buren v. United States (2021) at https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf. The narrowing precedent.
  • DMCA §1201 and the 2024 triennial exemption at https://www.copyright.gov/1201/2024/.
  • EFF Coders' Rights Project at https://www.eff.org/issues/coders.
  • State computer-crime statute for your jurisdiction (specific citation for your state).
  • Bug-bounty safe-harbor template language (HackerOne; Bugcrowd; specific-program references).

What would a reviewer ask?

  1. "Walk me through CFAA §1030(a)(2). When does it apply to security research?"
  2. "Your personal ethics statement says you would 'escalate to instructor before proceeding' in scope-ambiguous cases. Walk me through a specific scenario."
  3. "DMCA §1201's security-research exemption is renewed every three years. What happens to your in-progress research if the exemption lapses?"

What comes next

Week 11 is the capstone workshop. You bring your Tool v0.3 (Lab 7); your disclosure draft (Lab 9); your ethics statement (Lab 10). The instructor reviews; you respond. The workshop's purpose is to identify the gaps between v0.3 and the v1.0 capstone target; you close them in weeks 12-13.