Hackers Are Your Friends
My friend and Berkman colleague Oliver Day and I have just released a new paper, The Hacker’s Aegis. It argues that intellectual property law has been hacked to block socially valuable research on software security. Moreover, we contend that software vulnerability data challenges existing assumptions, and scholarship, on how information about improvements to works protected by IP should be regulated. You can download the piece from SSRN. Here’s the abstract:
Intellectual property law stifles critical research on software security vulnerabilities, placing computer users at risk. Researchers who discover flaws often face IP-based legal threats if they reveal findings to anyone other than the software vendor. This Article argues that the interplay between law and vulnerability data challenges existing scholarship on how intellectual property should regulate information about improvements on protected works, and suggests weakening, not enhancing, IP protections where infringement is difficult to detect, lucrative, and creates significant negative externalities. It proposes a set of three reforms – “patches,” in software terms – to protect security research. Legal reform would create immunity from civil IP liability for researchers who follow “responsible disclosure” rules. Linguistic reform would seek to make the term “hacker” less threatening either by recapturing the term’s original meaning, or abandoning it. Finally, structural reform would ameliorate failures in the market for software vulnerability data by having a trusted third party act as a voluntary clearinghouse. The Article concludes by describing other areas, such as physical security, where reforming how law coordinates IP improvements may be useful.
We welcome comments and suggestions!