Saturday, January 17, 2015

Criminalizing Modern Security Research

My high school physics teacher quietly taught me that all locks have vulnerabilities. He was an “amateur locksmith,” and while I never learned exactly how to pick a lock from him, he explained enough about how locks work that I figured it out. I took this skill to college where, with other like-minded individuals, I became a minor part of a like-minded community of students called hackers. With our skills, we were free to roam just about anywhere. My favorite destination was the roofs of various campus buildings. It was a liberating experience.

If I had caused physical harm or damage as part of our “hacker” activities, who would be to blame? Based on the proposed updated law enforcement guidelines, you may very well hold my high school physics teacher partially responsible for helping me understand the vulnerabilities in standard locks and how I could massage the internal tumblers of a lock until I found the correct sequence that would allow me to turn the cylinder to disengage the lock. When translated to cybersecurity, that same teacher, indeed any security researcher, could face 20 years in prison for disclosing a technology vulnerability due to changes that President Obama is proposing in cybersecurity law.