EFF is introducing a new Coders' Rights project to connect the work of security research with the fundamental rights of its practitioners throughout the Americas. The project seeks to support the right of free expression that lies at the heart of researchers' creations and use of computer code to examine computer systems, and relay their discoveries among their peers and to the wider public.
To kick off the project, EFF published a whitepaper today, “Protecting Security Researchers' Rights in the Americas” (PDF), to provide the legal and policy basis for our work, outlining human rights standards that lawmakers, judges, and most particularly the Inter-American Commission on Human Rights, should use to protect the fundamental rights of security researchers.
We started this project because hackers and security researchers have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, hackers are able to improve security for every user who depends on information systems for their daily life and work.
Computer security researchers work, often independently from large public and private institutions, to analyze, explore, and fix the vulnerabilities that are scattered across the digital landscape. While most of this work is conducted unobtrusively as consultants or as employees, sometimes their work is done in the public interest—which gathers researchers headlines and plaudits, but can also attract civil or criminal suits. They can be targeted and threatened with laws intended to prevent malicious intrusion, even when their own work is anything but malicious. The result is that security researchers work in an environment of legal uncertainty, even as their job becomes more vital to the orderly functioning of society.
Drawing on rights recognized by the American Convention on Human Rights, and examples from North and South American jurisprudence, this paper analyzes what rights security researchers have; how those rights are expressed in the Americas’ unique arrangement of human rights instruments, and how we might best interpret the requirements of human rights law—including rights of privacy, free expression, and due process—when applied to the domain of computer security research and its practitioners. In cooperation with technical and legal experts across the continent, we explain that:
- Computer programming is expressive activity protected by the American Convention of Human Rights. We explain how free expression lies at the heart of researchers’ creation and use of computer code to examine computer systems and to relay their discoveries among their peers and to the wider public.
- Courts and the law should guarantee that the creation, possession or distribution of tools related to cybersecurity are protected by Article 13 of the American Convention of Human Rights, as legitimate acts of free expression, and should not be criminalized or otherwise restricted. These tools are critical to the practice of defensive security and have legitimate, socially desirable uses, such as identifying and testing practical vulnerabilities.
- Lawmakers and judges should discourage the use of criminal law as a response to behavior by security researchers which, while technically in violation of a computer crime law, is socially beneficial.
Cybercrime laws should include malicious intent and actual damage in its definition of criminal liability.
- The “Terms of service” (ToS) of private entities have created inappropriate and dangerous criminal liability among researchers by redefining “unauthorized access” in the United States. In Latin America, under the Legality Principle, ToS provisions cannot be used to meet the vague and ambiguous standards established in criminal provisions (for example, "without authorization"). Criminal liability cannot be based on how private companies would like their services to be used. On the contrary, criminal liability must be based on laws which describe in a precise manner which conduct is forbidden and which is punishable.
- Penalties for crimes committed with computers should, at a minimum, be no higher than penalties for analogous crimes committed without computers.
- Criminal law punishment provisions should be proportionate to the crime, especially when cybercrimes demonstrate little harmful effects, or are comparable to minor traditional infractions.
- Proactive actions that will secure the free flow of information in the security research community are needed.
We’d like to thank EFF Senior Staff Attorney Nate Cardozo, Deputy Executive Director and General Counsel Kurt Opsahl, International Rights Director Katitza Rodríguez, Staff Attorney Jamie Lee Williams, as well as consultant Ramiro Ugarte and Tamir Israel, Staff Attorney at Canadian Internet Policy and Public Interest Clinic at the Centre for Law, Technology and Society at the University of Ottawa, for their assistance in researching and writing this paper.