The Hacker's Aegis
Derek E. Bambauer
Brooklyn Law School
Oliver Day
affiliation not provided to SSRN
March 1, 2010
Brooklyn Law School, Legal Studies Paper No. 184
Abstract:
Intellectual property law stifles critical research on software security
vulnerabilities, placing computer users at risk. Researchers who
discover flaws often face IP-based legal threats if they reveal findings
to anyone other than the software vendor. This Article argues that the
interplay between law and vulnerability data challenges existing
scholarship on how intellectual property should regulate information
about improvements on protected works, and suggests weakening, not
enhancing, IP protections where infringement is difficult to detect, is
lucrative, and creates significant negative externalities. It proposes a
set of three reforms – “patches,” in software terms – to protect
security research. Legal reform would create immunity from civil IP
liability for researchers who follow “responsible disclosure” rules.
Linguistic reform would seek to make the term “hacker” less threatening
either by recapturing the term’s original meaning, or abandoning it.
Finally, structural reform would ameliorate failures in the market for
software vulnerability data by having a trusted third party act as a
voluntary clearinghouse. The Article concludes by describing other
areas, such as physical security, where reforming how law coordinates IP
improvements may be useful.
**********************
“The Net interprets censorship as damage and routes around it.”
– John Gilmore