http://www.wired.com/news/privacy/0,1848,69655,00.html
By Jennifer Granick
Nov. 23, 2005

Last week Black Hat, the Vegas security conference that was at the center of the Ciscogate controversy last summer, was purchased by CMP Media. The sale has the internet hens clucking about whether ownership by a larger, wealthier corporation will protect Black Hat from future legal challenges, or make it more susceptible to pressure from companies wanting to control vulnerability disclosures.

The more worrisome question is why Black Hat and other purveyors of security information must worry so much about what they disclose. For better or worse, the settlement I negotiated with Cisco in its case against researcher Michael Lynn kept some important legal issues from reaching a courtroom, and these unsettled questions cast a long shadow over security research today.

As a brief background, Michael, my client, worked for ISS, a company that provides security products and services. While there, Michael's job was to study Cisco products, to figure out how they worked and to analyze them for security flaws. Cisco did not give ISS or its employees Cisco source code, and ISS had no nondisclosure agreement, or NDA, with Cisco. Michael had the typical NDA with ISS that he would not reveal confidential information obtained during the course of his employment there.

When Michael discovered the now-famous Cisco flaw, ISS initially was pleased to have Michael tout the success at Black Hat. Michael's presentation demonstrated for the first time that it was possible to execute remote code on Cisco routers, and encouraged systems administrators running vulnerable versions to upgrade fast. But in the weeks leading up to the conference, Cisco and ISS butted heads over what information Michael would reveal about the router code. The day before the conference, Cisco and ISS cut a deal and informed Black Hat that it had to cut Michael's presentation out of the conference materials.
Michael, concerned that important information was being suppressed, gave an edited version of his talk anyway, and by that afternoon, Cisco and ISS had jointly filed a federal lawsuit against Michael and Black Hat. Among other claims, the lawsuit alleged that Michael and Black Hat misappropriated trade secrets by revealing Cisco code in his presentation.

In California, where Cisco is located and the lawsuit was filed, misappropriation means "acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge." Improper means "includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." Importantly, "Reverse engineering or independent derivation alone shall not be considered improper means" under the law.

Michael didn't steal anything, and he never had access to confidential Cisco source code. He took the binary distributed with every Cisco router, decompiled it into machine code and used some pointers to the machine code to illustrate the claims made in his presentation. Machine code is probably copyright-protected, but copyright's fair-use doctrine allows some copying for the purpose of critique and study.

California law makes it clear that people are allowed to study products on the market, and that a trade secret loses its special status when a company sells it to the public. When a company distributes confidential information to insiders, it can assure that that information remains protected by requiring the employee or contractor to sign an NDA. Since Michael was not under an NDA with Cisco, he and Black Hat should have been in the clear. (At some point, Cisco and ISS lawyers claimed that Michael's NDA with ISS prevented him from reporting information he learned on the job about Cisco products, but arguing that Cisco flaws are ISS confidential information is a real stretch.)
But what about the Cisco End User License Agreement that ships with the router code? That's where things get interesting, and troubling for Black Hat's future.

Almost every piece of software today comes with a click-through EULA that purports to regulate how customers can use the product, including a limitation on reverse engineering. Companies have argued that the EULA has the exact same effect as an NDA -- essentially letting every single customer in on a "secret" that they're legally obliged to protect. If courts adopt this view, instead of keeping insiders loyal, trade-secret law can help companies force the public not to discuss published information. And if EULAs do confer trade-secret protection, that might mean magazines, newspapers and conferences have a duty to screen information to make sure it wasn't obtained by prohibited reverse engineering.

In a variety of cases, courts have held that the press has a right to disseminate information of public concern even if it was illegally obtained. In the Pentagon Papers case, The New York Times battled the Nixon White House over its right to publish a secret Department of Defense report on U.S. involvement in Vietnam that had been leaked by DOD employee Daniel Ellsberg. The Times won and the documents were published, calling the government's version of the nation's decision to go to war into question. In Bartnicki v. Vopper, the Supreme Court said that a radio station could not be sued for playing a tape of an illegally intercepted telephone call between two union leaders involved in a matter of public interest, even though it knew that the person who recorded the call did so illegally, in violation of the Wiretap Act.

Those are good decisions. But one of the only cases that addressed the issue of trade-secret publishers went the other way.
In a lawsuit filed by the DVD Copy Control Association against a California man who posted the DeCSS DVD-decryption code on his website, the California Supreme Court held that the First Amendment doesn't mean courts can't stop people from publishing trade secrets when the publisher knows or has reason to know that the information was acquired by improper means. That case is different from the Pentagon Papers case and Bartnicki because the court found that DeCSS wasn't a matter of public interest. Of course, most security vulnerabilities are, especially those that affect the machines that form the backbone of the internet.

Today, it's unclear how a court would rule in a trade-secret case where Cisco sued ISS for violating the prohibition against reverse engineering. The rule should be that EULAs don't make published information secret, under any circumstance. The contrary would be dangerous for Black Hat, Michael, future bug finders and computer security. And while trade-secret law can prohibit accomplices and co-conspirators from publishing stolen data, reporters who merely know that information was improperly obtained should have a free-speech right to publish -- especially if the information reaches a matter of public interest, like the safety and security of the foundation of the internet.

- - -

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.
This archive was generated by hypermail 2.1.3 : Wed Nov 23 2005 - 23:17:08 PST