The Hackers, The Lawyers, And The Defense Fund

Presented at DEF CON 31 (2023), Aug. 11, 2023, 9 a.m. (45 minutes)

The hacker community has long conducted important security research that skates the edge of legality. This has led to charges and lawsuits, bogus and serious alike, against hackers. In this panel, we’ll hear from a hacker who faced legal challenges, we’ll describe what legal counseling for hackers looks like in practice, and we’ll discuss a new resource for the hacker community: the Security Research Legal Defense Fund.

Legal issues can arise for good faith hackers because computer or software owners want to prevent security research or vulnerability disclosure. Security researchers have rights and defenses against legal claims, but don’t always have access to representation or resources to defend themselves. EFF provides free legal counseling, ideally in advance of security researchers conducting their work so they can steer clear of problematic activity or at least mitigate the risk of legal threats. In litigation, EFF tries to find cases that will advance legal rights for the entire community, but many individuals will need representation even when their particular cases will not have a broader impact. In those cases, EFF endeavors to refer people to cooperating counsel, which can be difficult if funds are not available.

What is it like, as a hacker, to face legal threats? What are the common ways hackers encounter legal threats? When that happens, what should hackers do? What is it really like to provide legal representation to hackers? Are there areas of the world with greater or lesser access to legal rights and representation? What resources can hackers leverage to protect themselves, their rights, and others in the community? Join us and find out!

REFERENCES:

  1) Stanford student vulnerability disclosure, 2021.
  2) MBTA vs. Anderson, 2008.
  3) US Department of Justice 2022 Computer Fraud and Abuse Act charging policy.
  4) Librarian of Congress good faith security research exception to DMCA Section 1201.
  5) Disclose.io
  6) SecurityResearchLegalDefenseFund.org

Presenters:

  • Charley Snyder - Head of Security Policy at Google
    Charley serves as Head of Security Policy at Google. In this role, Charley organizes Google's expertise and technology to help solve the world's pressing public policy challenges related to safety and security online. Before joining Google, he led vulnerability management for a large financial institution, which included responsibility for researcher engagement and bug bounty programs. Previously, Charley served in the United States government, including multiple roles in the Department of Defense, where he helped create and manage the first U.S. government bug bounty program.
  • Kurt Opsahl - Associate General Counsel for Cybersecurity and Civil Liberties Policy at Filecoin Foundation
    Kurt Opsahl is the Associate General Counsel for Cybersecurity and Civil Liberties Policy for the Filecoin Foundation, and a Special Counsel to the Electronic Frontier Foundation. Formerly, Opsahl was the Deputy Executive Director and General Counsel of EFF. Opsahl was also the lead attorney on the Coders' Rights Project, and continues to assist EFF with that work as a Special Counsel. In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine. From 2014 to 2022, Opsahl served on the USENIX Board of Directors. Opsahl is a member of the CISA Cybersecurity Advisory Committee’s Technical Advisory Council.
  • Andrew Crocker - Assistant Director and Senior Staff Attorney at Electronic Frontier Foundation
    Andrew Crocker is Assistant Director and Senior Staff Attorney at the Electronic Frontier Foundation. He leads EFF’s Coders’ Rights Project, which seeks to protect hackers, security researchers, and others through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers on the digital frontier. Andrew also litigates novel First, Fourth and Fifth Amendment issues involving surveillance, privacy, and cybersecurity.
  • Miles McCain - Student at Stanford University
    Miles McCain is a student at Stanford University, security researcher, and open source software developer. He and his friends were once threatened with legal action for responsibly disclosing a security vulnerability in their classmates’ startup. He has previously worked on election security at CISA, privacy at Apple, and trust and safety at the Stanford Internet Observatory. Miles is a member of the Recurse Center.
  • Harley Geiger - Counsel at Venable LLP
    Harley Geiger is Counsel and Senior Director at Venable, LLP, where he leads the Security Research Legal Defense Fund and the Hacking Policy Council and counsels clients on a variety of cybersecurity issues. Prior to this, Geiger was Senior Director for Public Policy at Rapid7, where he worked to expand adoption of vulnerability disclosure and legal protections for security research. Geiger also worked as Senior Legislative Counsel in the U.S. House of Representatives, where he drafted Aaron’s Law, and served as Advocacy Director at the Center for Democracy & Technology.
