Computer Fraud and Abuse Act

Computer crime laws, like the federal Computer Fraud and Abuse Act (CFAA), are hard to interpret. They attempt to set norms for use of technology, at a time when technology is changing rapidly.

Therefore confusion exists when well-meaning security professionals take assertive actions against hackers. See the comments regarding the white hat take down of the Hlux/Kelihos Botnet: http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet?desc=1#comments

Here is one way to reduce the confusion: Responsible parties like banks and government agencies can post legal terms applicable to hackers. The terms would basically say, "If you hack or attack this bank's network, you consent to the bank surveilling you and taking aggressive technical measures to stop you." In other words, by launching an attack, the criminal #hacker would agree that the bank's actions against the hacker are authorized by the hacker and therefore not a violation of a law like the CFAA.

What do you think of this method for clarifying that advanced IT security methods are legal?

--Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute. http://www.sans.org/security-training/law-data-security-investigations-122-mid