What Security Researchers Need to Know About Anti-Hacking Law

Presented at Black Hat USA 2013, July 31, 2013, 11:45 a.m. (60 minutes)

The federal anti-hacking law, the Computer Fraud and Abuse Act, is infamous for its broad language and tough penalties, and has been used in recent years to bring heavy-handed charges against targets like Andrew Auernheimer (aka Weev) and Aaron Swartz. This presentation will explain why the CFAA is such a dangerous tool in the hands of overzealous prosecutors. I'll survey some of the legal precedents most relevant to the infosec community, including cases on port scanning, violating website terms of use, and designing tools capable of bypassing technical access controls. I'll also explain the prosecution against Weev in depth and discuss its greater implications for security researchers. Finally, I'll discuss what security professionals can learn from these cases to reduce the potential for legal trouble.


  • Marcia Hofmann - Electronic Frontier Foundation
    Marcia Hofmann is an attorney who litigates, counsels, writes, and speaks about a broad range of technology law issues, including computer crime and security, electronic privacy, free expression, and copyright. She recently launched a boutique law practice focusing on these topics, and is a member of the legal team appealing Andrew Auernheimer's criminal conviction on hacking charges. She is a fellow at the Electronic Frontier Foundation (EFF) and the Stanford Law School Center for Internet and Society. She also teaches Internet law as an adjunct professor at the University of California Hastings College of the Law. You can follow her on Twitter at @marciahofmann.