My notes for the talk I gave to a group of distinguished law professors at the Seventh Annual Works in Progress Intellectual Property (WIPIP)
I am not a law professor
I am and am not a hacker.
The term hacker has undergone significant change in the last two decades, so its meaning is ambiguous these days.
Let me give you this definition and, for the sake of the next 4 minutes of my talk, consider it the authoritative one:
Hackers are computer users who are adept enough to bend the function of a program to their will.
Security researchers are much like the hackers of the 1990s, but unlike what the term has come to mean lately.
When researchers find security flaws in software they will generally contact the manufacturer. They are met with one of three responses:
When met with contempt they have been threatened with lawsuits using a variety of novel legal theories. Reading through our history is like walking through a catalogue of existing IP frameworks. Patent, trademark, copyright, contract and criminal law have all been used in response to an individual making claims that a product contains a security flaw.
In 2007 Chris Paget of security firm IOActive was going to give a talk at a security conference about the insecurity of HID badges. These badges are ubiquitous in corporate America and the issues he discovered need to be discussed. HID forced his talk to be canceled with the threat of patent infringement.
A few years earlier, in 2005, researcher Mike Lynn had discovered a security flaw in Cisco routers. These devices are largely responsible for the backbone of the Internet. Interestingly, Cisco had already fixed the flaw, yet filed a TRO against Lynn to prevent him from talking about his work to a group of like-minded peers at a security conference. In the aftermath of this incident Lynn had to agree to a permanent injunction forbidding him from ever talking about it again.
Lessig famously said that on the Internet “Code is Law”. I would like to reverse that turn of phrase for the real world.
“Law is code”
It is compiled by legislators and debugged by judges.
And in this sense what the companies we write about in our paper did was impressive. They hacked the law. They bent these disparate legal frameworks to their will and used seemingly unrelated laws to silence researchers who were making claims that their product was flawed.
What our paper proposes to do is patch the law so that legal hackers cannot continue to subvert the legal system. And with that I'll turn it over to Derek to explain how that would work. [pdf]