EFF White Paper Examines Nexus Between Cybercrime Laws, Human Rights & Security Researchers

The Electronic Frontier Foundation (EFF) released a timely white paper this week examining the negative implications and chilling effects that various cybercrime provisions throughout the Americas can have on coder's rights and specifically on security researchers. Entitled "Protecting Security Researcher's Rights in the Americas", the analysis explores a range of cybercrime regimes nominally intended in principle to criminalize unauthorized access to or disruption of computer systems. However, these laws have been framed so broadly as to impose a serious chilling effect on vital activity of security researchers. Drawing on the Inter-American human rights framework (of which Canada is a partial adherent), some national jurisprudence, and principles of criminal law, the paper argues for cybercrime regimes that accommodate beneficial security work. There must be latitude for non-malicious security testing, for the dissemination of critical security tools and for the responsible publication of discovered security breaches.

Sadly, current laws are framed so broadly that they have had a serious chilling effect on socially beneficial security work. Those who discover security breaches face severe legal threats and sometimes even criminal consequences for attempting to bring these to host organization's attention. The result is that security breaches are increasingly likely to remain unresolved until they are discovered by someone seeking to exploit, rather than to merely expose. The paper, to which CIPPIC provided substantive contributions, calls for clearer standards to remedy this situation

This call for improvements could not be more timely. Just this April, criminal charges were brought by the government against a 19 year old Nova Scotian who did nothing more than download documents the Nova Scotian government had accidentally made publicly available on its website. Not only were the documents left unprotected by any technical safeguards, but the documents themselves were responses to freedom of information requests, leaving the individual who discovered them with little indication that their publication by the Nova Scotia government was in error. While the charges were ultimately dropped, the chilling effect caused by their initial laying remains.

A few weeks ago, the Ontario Superior Court heard criminal charges against another Canadian, who faces potential jail time for the crime of notifying Family and Childern's Services of Lanark, Leeds and Grenville (FCSLGG) that highly sensitive reports were publicly exposed on their servers for all to see. The reports in question identified private details regarding domestic family issues investigated by FCSLGG, including details pertaining to the individual who discovered them. The individual apparently attempted to notify FCSLGG that the reports were publicly exposed, but was ignored. The individual then posted a hyperlink to FCSLGG website, where the reports remained publicly available, on a Facebook page in an attempt to draw them to the attention of other local families that might have been affected by FCSLGG's privacy breach. In response, the Ontario government has charged the individual with violating cybercrime laws and 'illegally hacking' the FCSLGG website. While admitting that the website's security "wasn't very good", no explanation has been forthcoming as to how accessing and hyperlinking documents made publicly available by FCSLGG itself can be considered an 'illegal hack'. It is also notable that, had the individual not taken such steps to raise attention to FCSLGG's security breach, the highly sensitive documents would remain exposed on the website for anyone to find. The FCSLGG faces an additional class action for failing to properly secure the documents in the first place.

Private companies are no less forgiving to those who try to responsibly disclose their cyber mistakes than government agencies. Individuals who come across vulnerabilities and seek to bring these to companies' attention frequently face heavy resistance, an aversion to any form of public disclosure, and legal threats.

Given the high stakes involved, a solid cyber security strategy is integral. It is of great social benefit to encourage individuals to seek out security flaws and, once discovered, to report these so they can be fixed before they are exploited by malicious actors. Moreover, it is fundamentally unfair to subject individuals to criminal jeopardy for doing no more than attempting to prevent a security breach from becoming the next security disaster.

---

Tamir Israel, Staff Lawyer, CIPPIC