When is hacking legal? Host and security researcher Laura Kankaala delves into this topic with guest and Detectify General Counsel Cecilia Wik. NOTE: this episode does not give any official legal advice, but Laura picks Cecilia’s brain about the legalities of hacking with her area of expertise, the law.
Their discussion covers different laws concerning the information security community such as copyright law, the Computer Fraud and Abuse Act and Wire Fraud Act. Cecilia gives her take on the highly-publicized cases of Kevin Mitnick and Aaron Swartz and lastly, hacking the legal way. Here are highlights from this episode, and the dialogue has been edited for brevity. Let’s dive in:
Undetected – a web security podcast is a Detectify production that uncovers different depths of web security. You can listen to the full length of Episode 5 on SimpleCast or your preferred podcast platform.
Laura: Is hacking illegal? The word hacker has traditionally been linked with a lot of negative things and attributed to criminal activities. Today, hackers have become one of the most important things for improving information security. Detectify’s General Counsel, Cecilia Wik, and I will discuss what is legal or illegal hacking, and go back to some famous cases in the past.
Who is Cecilia?
Laura: You work as a General Counsel at Detectify, can you tell me what that means?
Cecilia: A general counsel is responsible for the legal matters at the company. I’m overseeing all different kinds of issues when it comes to, for example, employment law and issues relating to our software service. I’m covering a broad spectrum.
From compliance to the fast pace of IT security:
Laura: Freedom of speech and human rights are linked quite a lot with information security when it comes to privacy and an individual’s rights. In our case, for example, the rights of security researchers. You seem to have a front-seat view into the realm of web security and the legal aspects of it.
Cecilia: I’ve seen two different sides of the coin. I was previously a lawyer at an enormous organization, working a lot with compliance and information security checklists. Working at Detectify, everyone here is knowledgeable about information security and the technicalities behind it. I’ve learned that web security is not always only about compliance and ticking checklists. It’s actually about people in the company understanding information security in theory and practice, and not only ticking the compliance boxes. We get deeper into it to raise awareness and educate people. That’s where it becomes tricky.
How does IT law differ from other sectors?
Laura: IT moves so fast, and new technologies are coming all the time, new machine learning algorithms, new security research, etc. This makes it hard to figure out what is legal and what is not.
Cecilia: That’s an excellent and topical question. It’s something that’s always in the discussion as society moves faster than the law does. And that’s especially true in the world of IT and the world of tech. The legislation takes a long time to implement. There are often political and commercial reasons behind whether or not laws are being implemented or amended even if the society moves forward. This can lead to legal loopholes; it can lead to misinterpretations or interpretations that are not current with society.
Cecilia: Another example of how technology and law don’t always move in parallel is machine learning and the world of AI. The law doesn’t manage to keep up in pace from the viewpoint of, for example, copyright law. For instance, it’s debated what happens when an AI tool creates software or an artistic work such as a painting or a piece of music. In Sweden, copyright law requires that the art piece is original. That includes a human touch, meaning a person is affecting the work in the sense of applying intelligence, applying creativity or a piece of personality to it. And you can’t apply that to AI. At least at the moment, that’s how it’s interpreted. Unless the AI can be proven to have a human touch, the work that’s created through said AI tool can’t enjoy copyright protection. There are situations like these that can’t be and haven’t been covered in the law because it takes years to implement a new law or change.
Laura: I think it also makes sense that the world of law is not changing that rapidly. We could end up in a very interesting situation if bills moved just as fast as these technologies: we could have a lot of ad hoc laws, and maybe they wouldn’t serve their purpose.
Cecilia: There are cases, such as now during a pandemic or a crisis, where governments can enact emergency laws in a couple of weeks. But generally, there aren’t resources to do that in terms of fast-moving technology, if it’s not urgent for national health or security. It needs a lot of preparation, and it needs time. And also, I think it would be a good thing to include the technology community when preparing and making amendments to existing IT laws. That also requires a lot of time to engage different stakeholders as well.
What is wire fraud?
Laura: Illegal hacking has been around for ages. So it’s not a new method of crime, and it’s been going on ever since there were computers. And even before computers, people were trying to hack signals and so on.
Laura: For example, there have been memorable cases in the past based in the US, so naturally, the laws applied were US-based laws and not Nordic or EU legislation. The famous pursuits of hacker Kevin Mitnick resulted in his arrest in 1995, and he was charged with 14 counts of wire fraud. What does the Wire Fraud Act mean?
Cecilia: It’s a fascinating case with many different counts he could have been, or was, held accountable for. The Wire Fraud Act considers wire fraud a crime where a fraudster intends to get, or gets, money or property by giving false representations or false promises. Generally, this happens through electronic communication or, for example, telephone. It could even occur by analog means. This typically includes phishing or social engineering as well.
Cecilia: A classic example is the Nigerian Prince Scam. It’s based on the advance-fee scam called the “Spanish Prisoner,” which originated in the 18th century. The fraudster contacts the victims using charisma, creating a trusting relationship, and getting them to help bail out a Spanish prisoner who allegedly has a big inheritance or a property somewhere. Upon his release, the victims will then get an even bigger reward. And this is the same principle that’s used in the Nigerian Prince Scam, where you are promised a bigger reward for giving a smaller sum of money. This is an example of wire fraud, and there are many different ways to scam people.
Laura: It’s funny how the methods change, but the aim is the same.
Cecilia: Legislation could come into play here. If we look at the definition, does it cover these new types of scams with “electronic communication”? Sometimes the definition in legislation is very narrow, and it wouldn’t cover it, and then that would create a legal loophole. But if you manage to define the terms in the legislation broadly enough, that would include new methods of wire fraud even if the principle behind it is the same.
The case of Aaron Swartz
Laura: I want to talk about Aaron Swartz. He was a very active person on the Internet. He was one of the creators of the web feed format RSS and the Markdown publishing format, and founded Creative Commons for publishing and licensing rights. He was also a co-founder of the social news website Reddit. He was a very active and notable figure when it comes to developing the Internet and developing tools on the Internet.
He got into trouble when he broke into server rooms at the Massachusetts Institute of Technology (MIT) and exfiltrated data, including copies of academic papers and journals, and then distributed these online. Because of this, he was charged under the Computer Fraud and Abuse Act. The case never really went through because he ended up taking his life before it was settled. This is a tragic case.
Cecilia: The Aaron Swartz case is sad, and also a situation where a lot of criticism towards the Computer Fraud and Abuse Act culminates. It’s a US federal law dating back to 1986. It has gone through certain amendments, the last one in 2008. However, many modifications lobbied for by the IT community haven’t been taken up.
Cecilia: It covers the different types of illegal hacking carried out: unauthorized access to computers or exceeding authorized access, computer fraud, recklessly or intentionally damaging machines, obtaining national security information, and so on. Consequences can go up to 20 years’ imprisonment, which is also the case for wire fraud. So quite heavy prison sentences.
Criminal and Civil sides of the Computer Fraud and Abuse Act
Cecilia: What’s particular about the Computer Fraud and Abuse Act is that it has both a criminal and a civil side. Private companies can claim civil damages under the Computer Fraud and Abuse Act, which gives private corporations a lot of power. There’s a lot of lobbying opposing the amendment attempts, and it’s been criticized over the years for being quite ambiguously written and allowing for very broad interpretations of the types of alleged crimes that you can carry out under the law. So far, no notable amendments have been made.
Cecilia: The Aaron Swartz case is a good example in connection with the law because when that case surfaced, the criticism towards the act culminated. There was even a proposal, Aaron’s Law, I think it was called, the intention behind which was that breaches of private companies’ terms and conditions should not be considered unauthorized access.
Cecilia: There have been various civil and criminal cases where this question has been tried, but there isn’t any consensus yet on what would be considered unauthorized access. Is it enough for a company to write terms and conditions, saying what you can and what you can’t do? If you break them, could you be civilly liable or even criminally liable? But there are some cases ongoing, and the situation is evolving all the time.
Laura: What is the difference between a civil and criminal offense?
Cecilia: A criminal offense is an offense towards the government, society, or other people’s security at large. Civil offenses would traditionally be breaching a contract or damaging a civil or a private party in some way. The difference is in the consequences, so civil misconduct would not put you in jail but could lead to you having to pay damages to a private entity. Criminal offenses can lead to fines or imprisonment.
Cecilia: In a criminal case, it would need to be shown beyond a reasonable doubt that you are a criminal and have committed a crime. But then in civil cases, you have to prove and show that it’s more likely that it happened than that it didn’t, so there’s a difference in evidence as well.
Laura: It sounds like the Computer Fraud and Abuse Act could have been intentionally made broad so that they could cover future cases, and then, maybe it fell short because then it let this loophole happen.
Cecilia: Yeah. And traditionally, prosecutors have interpreted it very widely. Still, then, of course, it’s a question of how the judges and the courts interpret it and how they decide. In the US, which is a common-law jurisdiction, case law is the primary source.
Laura: What is case law?
Cecilia: A common-law jurisdiction follows case law, in that previous court cases and Supreme Court cases take precedence and are a source of interpretation. Whereas civil law, which Sweden, the Nordic countries, and most European countries follow, has preparatory works as a primary source of information.
In the US, the cases that surface are of importance as they can lead and direct how the law should be interpreted in the future. Even if the law was originally written sometime in the 80s, there is room for different interpretations as long as new cases are surfacing and the Supreme Court takes a stance on how specific clauses should be interpreted. For example, could the terms and conditions of a private company be considered a blocker, and can breaching them be considered something that leads to unauthorized access? It will be interesting to see how it develops.
Laura: Do Nordics or the EU level have something similar to the Computer Fraud and Abuse Act?
Cecilia: Yes. In Sweden, for example, there is a law that criminalizes data breaches. The consequences aren’t as harsh as in the US; I believe the maximum penalty is six years’ imprisonment. This means unlawful access or intentionally giving unauthorized access to a computer or electronic information. So that could even cover reading someone’s email. In Sweden, there was a case involving a police officer who gained unauthorized access to the register about himself. That would be trespassing or going over the authorization you have, and for that, he was fined.
Laura: It’s always important to take into account where you are operating and whose software you are looking at, and in what way. Going back to Aaron Swartz, he was arrested in 2011 and charged with two counts of wire fraud, and then 11 violations of the Computer Fraud and Abuse Act. It resulted in a cumulative maximum penalty of one million in fines and 35 years in prison, and then some other terms as well. So it was a substantial penalty that he was potentially facing for the act that he committed.
How to ensure your hacking is legal
Laura: Operating in this field of web security, it’s still good to remember that hacking, by default, is illegal unless you know what you’re doing and have permission to carry it out. How does one make sure that hacking activities will not result in any legal action, or minimize the risk of legal action being taken against us?
Cecilia: That’s an important question. You have responsible disclosure policies, bug bounty programs, penetration testing contracts, and security research assignments. Here you are allowed to hack, and you’re incentivized to do it. Make sure you have the authorization, so you’re not trespassing and keep within the scope of what you are asked to do.
Laura: Are there any best practices when it comes to asking for permission to do any security assessment?
Cecilia: First thing I would say is to ask a legal adviser to make sure you’re doing the right thing. Then check that the person authorizing you has the mandate to do so. The individual within the company must prove that they have the right to sign a contract or allow you to do a penetration test.
Laura: My tip would also be to keep your common sense when you’re doing these things, and sometimes the proof of concept doesn’t have to go overboard. It can be something simple and trivial that demonstrates the vulnerability but doesn’t need to alter any data, or doesn’t need to access too much data. If you gain access to sensitive data, a proof of concept doesn’t have to be dumping the whole database out there.
Laura: Another question, if you’re a pentester, does it matter if it’s a verbal agreement, or does it need to be written, or is email enough? How should the contract be delivered?
Cecilia: Always have stuff in writing if you can, and as far as you can, because if and whenever it becomes a court case, it might be impossible to prove what you have discussed over the phone. A signed contract is always preferred.