In the wake of credible allegations of hacking of a water utility, including physical damage, attention has turned to software security weaknesses. One might think that we’d want independent experts – call them whistleblowers, busticati, or hackers – out there testing for, and reporting, important software bugs. But it turns out that overblown cease-and-desist letters still rule the day for software companies. Fortunately, when software vendor Carrier IQ misstated IP law in an attempt to silence security researcher Trevor Eckhart, the EFF took up his cause. But this brings to mind three problems.
First, unfortunately, EFF doesn’t scale. We need a larger-scale effort to represent threatened researchers. I’ve been thinking about how we might accomplish this, and would invite comments on the topic.
Second, IP law’s strict liability, significant penalties, and increasing criminalization can create significant chilling effects for valuable security research. This is why Oliver Day and I propose a shield against IP claims for researchers who follow the responsible disclosure model.
Finally, vendors really need to have their general counsel run these efforts past outside counsel who know IP. Carrier IQ’s C&D reads like a high school student did some basic Wikipedia research on copyright law and then ran the resulting letter through Google Translate (English to Lawyer). If this is the aptitude that Carrier IQ brings to IP, they’d better not be counting on their IP portfolio for their market cap.
When IP law suppresses valuable research, it demonstrates, in Oliver’s words, that lawyers have hacked East Coast Code in a way it was not designed for. Props to EFF for hacking back.
Cross-posted at Prawfsblawg.