Speculation Trumps Academic Freedom: UK Court Censors Security Researchers for Reverse Engineering Publicly Available Software
Next week, one of the most respected security research conferences in the world, the USENIX Security Symposium, will be held in Washington D.C. Thanks to a gag order from a British court, however, it won't go quite as planned. The order forbids the authors of a paper describing fundamental flaws in car lock systems from discussing key aspects of the work, based on nothing more than speculation about a third party's alleged “misuse of confidential information.”
We’ve taken a closer look at the court’s ruling and it’s a doozy. According to the court, the researchers (1) reverse engineered a software program called Tango Programmer that’s been sold online since 2009; (2) in the process, identified an algorithm used in a popular car unlocking system; (3) identified fundamental security flaws in that algorithm; and (4) disclosed those flaws to the vendor of the system nine months before the conference. One month before the deadline for final submission to the conference, Volkswagen, whose cars use the system, ran to court to stop it.
The researchers acted responsibly and methodically. They used the time-honored technique of reverse engineering publicly available software and disclosed in plenty of time to address the issue. So, why can’t they advise car owners of the problem so that they can protect themselves?
Because, according to the court, Tango Programmer was of “clearly murky origin.” While the software had been available online for years without any apparent problem, in the court’s view, the researchers had an affirmative obligation to establish that the software did not contain stolen confidential business information.
It is all too clear that the court’s opinion is clouded by its view that the researchers – respected scholars at major universities – are irresponsible hackers:
The claimants do not have an overwhelming case on the merits, not even a very strong one, but the Tango Programmer has a clearly murky origin, and that is obvious to the defendants… In my judgment, the defendants have taken a reckless attitude to the probity of the source of the information they wish to publish.
To be clear, there’s no evidence in the record as to how Tango Programmer was developed, and the researchers stated that they assumed it was developed based on perfectly lawful technique, chip splicing. The court dismissed that statement out of hand, and looked instead to the website on which the program was sold. Based on language on the site, the court concluded that the sellers of Tango Programmer knew the software “is likely to facilitate crime.” And, the researchers themselves observed that Tango Programmer offers “functionality that goes beyond 'legitimate' usage.”
As an initial matter, this is looking at security research presentations through the wrong lens. Research on programs that could be misused enhances security by exposing the flaws and encouraging fixes. Computer security would be a farce if it avoided all "murky" software.
But even accepting the court's framing, the possibility of misuse says nothing about whether the program was developed using stolen confidential information, much less whether the researchers acted recklessly in using the program for their legitimate purposes.
The court pays a fair amount of lip service to academic freedom, but it’s just that: lip service. Even though it concedes that the case against the researchers is “not very strong,” even though there are many easier ways of stealing cars than the exploit that would be disclosed, even though Tango Programmer could have been developed without relying on stolen information, and even though car owners might be better off knowing about the flaws in the security systems on which they rely, the court nonetheless concludes that academic freedom has to give way to “the security of millions” of cars.
Again, the court gets it exactly backwards. The security of millions of cars depends on robust research into their flaws, and presentations of vulnerabilities and exploits at academic conferences ultimately enhance security. Security through obscurity is widely and correctly rejected by the security community, and security through willfully ignoring a publicly available program is even worse.
Taken as a whole, the ruling sends a terrible message to researchers: if the flaws you expose are sufficiently consequential, you can be censored based on nothing more than sheer speculation about the activities of third parties. The irony, of course, is that these researchers have been punished precisely because they acted responsibly and disclosed their research well in advance of publication. Indeed, the whole situation could have been avoided if the vendor had done its part and addressed the flaw in the first place.
This ruling was issued by a U.K. court. If the case had been brought in the U.S., things might have been quite different. Under U.S. law, the person who wishes to publish doesn’t have the burden of proving there was no misappropriation just because the information is of “murky” origin. More broadly, a U.S. court would not issue a preliminary injunction where the claimant’s case was “not even . . . very strong”; quite the contrary. U.S. law has been used to thwart the publication of security research in a number of ways, but a bogus trade secret claim is the weakest tool in the kit.
EFF senior staff attorney Kurt Opsahl will be participating in a USENIX-sponsored workshop on academic freedom on the eve of the Security Symposium. We hope the workshop will provide a much-needed opportunity for USENIX community members to share their perspective on this censorship, and consider ways to take action.