Why the HeartBleed bug highlights problems with computer crime laws
One of the most unusual aspects of the HeartBleed vulnerability is the impact that it has had on consumers. Usually, when a computer security vulnerability is disclosed, the only thing that people have to worry about is making sure that their own software is up to date. In this case, consumers have been asked to pay attention to the software behind the websites that they use, instead. They’ve been told that it’s not safe to log in to vulnerable websites, and they have to change their passwords on sites that have been patched.
Naturally, these instructions have prompted people to look for ways to test websites in order to see if they are vulnerable. A number of services have cropped up that make it easy to run these tests, and there are even browser plugins that automatically test every website you visit as you surf the web. These tests are the best way for consumers to determine whether or not a site is safe to log into.
But, could these tests have put consumers on the wrong side of the law?
Running a HeartBleed test on a website involves sending traffic to the web server that exploits the vulnerability, and reveals information in the server’s memory that you may not be authorized to see. Even if you are running a tool that doesn’t show you the data that was returned, the tool still ran the attack and retrieved that data. Running one of these tests could be construed as unauthorized access to a computer system and could put you on the wrong side of the federal Computer Fraud and Abuse Act.
I’m not seriously suggesting that the FBI might launch a criminal investigation into the many thousands of people who’ve used these tests over the past few days. On the contrary, the problem is not with the behavior that people are engaged in, the problem is with the law.
Currently, our computer crime laws don’t do a good job of drawing a distinction between behavior that is intended to investigate a technical security issue and behavior that has truly malicious intent. Security researchers have often found themselves facing criminal charges for poking at systems that have been connected to the open Internet. Furthermore, our laws don’t do a good job of distinguishing misdemeanor behavior from felonies, so those criminal charges can sometimes be unreasonably severe.
In general, website operators will tell you that they don’t want anybody to be able to test the security of their systems without authorization, but the HeartBleed vulnerability provides a perfect example of a situation where the security concerns of consumers outweigh those of website operators. The law should anticipate and accommodate this sort of scenario.
It is important to recognize that the Internet is a public place. When everyone has a computer connected to the Internet and anyone can use their computer to send packets to any other computer, the law must take a realistic approach to distinguishing actions with computers that involve different degrees of malice. In general, sending a request to a server on the open Internet shouldn’t be a crime, unless there is real intent to cause harm or violate privacy. Felony prosecutions should be preserved for the most serious offenses. As the Internet now plays a central role in the lives of ordinary people, it is more important than ever that our actions online be governed by a set of criminal laws that are practical and fair.
Tom Cross is the director of security research at Lancope