How to Security Research Without Getting Sucked into a Courtroom

Presented at LayerOne 2018, May 26, 2018, 3 p.m. (60 minutes)

The idea for this talk came from several clients asking the same basic legal questions about security research and what they can and shouldn't do to avoid criminal liability. I thought this would be a good forum to try to answer these questions, especially for private and independent researchers who do not have the backing of a large firm behind them. We're going to try to answer a couple of generic legal questions that affects anyone who performs security research. Where's the line in the sand regarding what a security researcher can do and shouldn't do to avoid criminal liability, and what happens if it's crossed? What happens when a security researcher wants to disclose a vulnerability to the manufacturer? Can that manufacturer sue the researcher to stop them from publishing their research or giving talks, and can the manufacturer sue for compensatory damages (i.e. money)?

Presenters:

• Robert Adams
  Robert is a licensed attorney and a member of the State Bar of California, the U.S. District Court Bar for the Central District of California, and the American Bar Association. I am listed as a Cooperating Attorney with the EFF and holds multiple certifications. He established his own law firm, RobbLAW, that specializes in information technology law, corporate compliance, privacy and data security law, computer law, and Internet/cyber law (even though he hates the term cyber, it's how the State Bar categorizes it). Robert grew up in the 80's and was fortunate enough to have a computer in his bedroom. He enjoyed playing with it but always wanted to be a lawyer; he loved arguing too much. Robert never thought about computers as a career until being discharged from the United States Marine Corps. He had just moved to Los Angeles and the only job available at the time was in desktop support. He knew enough about computers to figure out how to do the job so he took it. Over the years, Robert learned as much as he could and eventually worked my way up to becoming the Technical Lead Engineer in North America for Universal Music. After running their engineering program for a couple of years, Robert decided it was time to follow my calling and go to law school. He worked fulltime and went to law school in the evenings. After graduating, Robert transitioned from systems engineering to information security and compliance because it allowed me to keep my technical skills and apply my legal education.

Links:

• https://www.layerone.org/speakers/#robertadams
• https://infocon.org/cons/LayerOne/LayerOne 2018/How to Security Research Without G.mp4
• https://infocon.org/cons/LayerOne/LayerOne 2018/How to Security Research Without G.eng.srt (subtitles)
• https://www.youtube.com/watch?v=-6mmYYJQJiA

Similar Presentations:

• DEF CON 31 (2023) / The Hackers, The Lawyers, And The Defense Fund
• Diana Initiative 2019 / Research at the Speed of News: Lessons Learned Building & Managing a Cybersecurity Research Publication Process
• Black Hat USA 2014 / The Big Chill: Legal Landmines that Stifle Security Research and How to Disarm Them