
Amit Elazari, she's a doctoral candidate at Berkeley Law, and she's going to give a talk today. Here she is.

I'm very excited. Can you hear me? Even better. This is my first visit to hacker summer camp and I'm honored to present here. I had a script and everything, but you're getting kind of a raw, you know, version of it, because I decided to go without my Kindle and without my notes, but I think it's better. So I'm a doctoral candidate at Berkeley Law and a CTSP fellow at the Berkeley School of Information, and I know it's pretty tough to be the last one, okay, the last speaker today, but think of this as a legal appetizer for your parties tonight. Okay, so first of all, a little bit of a disclaimer: while I am a lawyer and this is a terms-of-use talk, this is by no means the legal advice kind of talk, and I'm not admitted to practice law here in California.

Okay, so without further ado. They tell us that the bug economy is exploding, right? Millions paid around different platforms, hundreds of thousands of hackers, everybody is into this new best practice in information security. But who dictates the rules of this developing industry? Well, I did the first novel research of legal bug bounties. I went and, you know, read all the terms of the platforms, of Bugcrowd, of the HackerOne platform terms, and the Google and Facebook terms, to see if they really are the kind of safe harbor they're supposed to be. So the motivation for this is also inspired by recent developments in the Computer Fraud and Abuse Act and the DMCA, the two most important anti-hacking laws, okay, that made the contractual terms the focal point of the legal analysis of whether the hacker is indeed at legal risk for doing penetration testing and bug hunting.

Okay, so now, as we see a growing number of bug bounties, we really need to understand: are these truly safe harbors, as they claim to be? So what I found out is that a lot of programs are not clearly constructing the safe harbor they're supposed to be. We see kind of language that hackers need to comply with all laws, domestically and internationally; hackers are not allowed to reverse engineer and do, you know, tinkering and basic cybersecurity techniques they need to do in order to do their job; and we also see very paradoxical terms, just clearly stating that no license or permission is given to any penetration or attack against any of the systems. Now this is from Alibaba, and this is across, you know, across platforms. I did more than 20 legal bounties, a research, you know, sample, and this is consistent. This is not, you know, related to any particular platform, whether HackerOne or Bugcrowd. We see problems in Facebook's terms and also in, you know, independent bug bounty programs. It's just all over the place, and I think that no one is really giving attention to this problem. So I'm here today to speak with you, the direct audience of hunters, who are influenced by this, and to start a conversation about the problems you see.

So what I also saw is a lot of, you know, kind of attention and a lot of emphasis on the technical scope of the program. So just as an experiment here, who here is a hunter? Okay, and ever read or paid attention to the legal terms? Right, no one reads them except for me. Okay, so we really need to think about that, because as you will see right now there are legal implications. I know, I know that no one is prosecuting bug hunters, but there is no reason that, you know, the terms we see now will create a situation where hackers are basically the de facto, you know, default breach for doing their job.

So what is most important is this is not new to us. We in the academy, we've been speaking about these issues for years. There is an article from 2014 talking about this issue, although not doing a survey like legal bug bounty terms, but saying, you know, pay attention to the way you craft the terms of the bug bounty. But the message hasn't sunk in in the community. Okay, because we need you to take action and vote with your legs, or rather fingers: not participating in, you know, in programs that are problematic legally, okay, making sure you collaborate with the platforms that will negotiate on your behalf with the companies to ensure you have, you know, that your legal risks are mitigated. So hackers' actions speak louder than scholars' words. We need your help.

So let's begin. I'm gonna do a very short preview. I have a full article, I have a lot of, you know, knowledge about this; if you want to talk, let's do that. I'm gonna do that like really short. So there are two, let's say three, important points you need to know. First of all, the two main anti-hacking laws in the United States, the DMCA and the Computer Fraud and Abuse Act, have an extraterritorial reach. So even if you're from India or from somewhere else, and I know there are hundreds, you know, the community is well-versed and I appreciate that, you need to be aware that, you know, United States law might apply to you. But the thing is, you know, the main anti-hacking laws, in the end, after years and years, what it comes down to is consent and authorization, right? Now the combination of these three laws: one, the DMCA, okay, which prohibits circumvention of systems, okay, that protect copyrighted work, you know, code in this situation; and the CFAA, which restricts and criminalizes unauthorized access, okay, to systems, to protected computers. In the end, both of them, with the new DMCA exception for security research, so the Copyright Office, the, you know, the legislature, they understand that we need to facilitate security research and they say, okay, that if it's a consumer-oriented product and good-faith security research under certain terms, it's no problem with copyright law. But what both of these laws require is consent. Both of these laws require the contract to allow you to do that. So even if copyright law gives you various rights to reverse engineer, even if the DMCA says you're allowed to do, you know, information security research, the platforms, the hacker platforms, or the company in the end-user license agreement, which they sometimes subject hackers to, say you're not allowed to reverse engineer, you're not allowed to penetrate the systems. They take back these protections the law gives you. So in the end the contract language is really important, and I don't know why people are not paying attention. So it's kind of a, you know, it's kind of a system: even if the DMCA allows you to do something, and the CFAA, in the end, the bug bounty terms need to allow you the access, need to give you the authorized access.

So a little bit of proof of concept. I know that you like demos and everything, and if someone in the end, you know, just names a bug bounty program, set up a bug bounty program, and we'll go and, you know, take a look at the terms, I'm up for that. So a little bit of proof of concept. So many programs, they say stuff like this: you're going to comply with all applicable domestic and international laws, rules, whatever, everything, right? You know them by heart. Audiences, what it is, you know, mandates and regulations regarding your use of our website. Okay, I will not say from which platform this is, but you can, I mean, and this is, you see this, you know, language of compliance with all laws; you see it in Twitter, yes, we see it in Google, it's all over the place. Then you have platforms that don't say, they don't say nothing about laws, okay, nothing. This is also confusing, because they need to provide you with authorized access, right? This is also, it might create a representation for the hacker, for the hunter, that there is no legal limitation to what he is doing, okay. And as I mentioned, another problem is this kind of disclosure problem, like we have in consumer law. So program sponsor companies and platforms, they divide the legal terms from the general, you know, technical scope and, you know, the money you get, you know, everybody reads that. They divide it and they don't put it together. It's also a problem, I think, because you don't read it when it's there, but if you put it somewhere else, you know, with the terms-of-use hyperlink, that might not serve it at all. So we see that for example in Uber, and I know that platforms are working on, you know, creating these interfaces where they clearly define the scope for the hackers, but you know, you need to think about making sure hunters know where they're going and what the legal, what are the legal risks they're taking.

So this is for example from Google: of course your testing must not violate any law. And this will relate to my very important message: if you don't give them authorized access explicitly, if you're subjecting hackers to EULAs, you're not allowing them to comply with the law. The law right now gives the companies and the platforms the tool to facilitate security research, but you cannot just say vaguely, you know, comply with all laws, without crafting the disclaimer, the exemptions, saying you will not take action against researchers that are in compliance with the scope of the terms, with the disclosure guidelines of the program.

So the most paradoxical examples are, you know, terms that create almost a by-definition breach. So this is like terms that subject, in the bug bounty program, the hacker to the general EULA language, so the end-user license agreement of the company. So we see that, for example, at AVG and even, believe it or not, Facebook, okay. They say that your participation in this program has to comply with all guidelines of all their products. So if you go to the WhatsApp terms, if you go to literally almost any software company's end-user license agreement, you're gonna expect, you know, the legal language saying you should not reverse engineer, you should not copy, you should not, you know, be decompiling, and all of this stuff. You know, I'm not a researcher, but I know you need to do this kind of stuff in order to, you know, be successful in the bug bounty program. So this is the most problematic, because this creates a by-definition legal breach under the DMCA and under the Computer Fraud and Abuse Act, and these are, I mean, there are serious, serious civil and criminal liabilities at stake. And I don't know, I don't see, I know, you know, we should also think about the legal, you know, the legal risk of the companies, but this is clearly, I mean, there is no logic to this. So this is, for example, and I showed you this Alibaba example, which is clearly, I mean, please penetrate our system and, you know, we give you money when you give us bugs, but please don't penetrate the system. So I don't get it at all. And this is Facebook, so you can see: you do not access or use or copy or adapt or modify or prepare, you know, the legal corporate language we are used to seeing.

We also have some examples from hacker platforms, and don't get me wrong, I love their work, they're doing important work for hackers, okay, but in this kind of case they are a very important part of the problem but also of the proposed solution I will get to. So you see, they say, I mean, you need to represent that your report doesn't infringe, you know, violate any third party's rights, right? But, you know, hackers are doing what they're doing, so they might be infringing copyright laws, okay. And we see, you know, you need to comply with all applicable domestic and international laws; we see this kind of language, okay, I will get to the role in the end. They should be actually the intermediaries that make sure that all of the bug bounty program terms are facilitating safe harbors for research, and they can do that, they can do that in the process of negotiation.

I also call this kind of a hackers' catch-22, okay. Now this is happening where the most rewarding vulnerabilities are also the ones that require the most legal risk, okay, and together with that there is no authorizing language. So for example, technically Netgear says that unauthorized access to Netgear cloud storage video files for all customers will get you the best, you know, reward; they might give an amount, they might offer, you know, more, what not. But this is problematic if you're not clarifying that hackers are able to, you know, access your systems.

Some discussion about exceptions. So as I mentioned, we have this disparity in terms across different companies, but there are exceptions, and the exceptions are really interesting, okay. So some programs specifically include language that exempts hackers from liability, noting in the contract, so they take an obligation upon themselves, that they will not take any legal action against hackers that comply with the guidelines. So this is Tesla, for example, and the Department of Defense in their very important Hack the Pentagon and now Hack the Army, and I need to thank the team for this. They include some language saying that if you're in compliance with their guidelines, they will not take action against you, and moreover, if someone, a third party, will initiate a case against you, they will help you, they will say you are part of my program. Now, if governmental organizations with very sensitive systems, okay, they allow, after discussing with the Department of Justice, which is, who's in charge, you know, of the law, they did it in collaboration with the Department of Justice, they allow themselves to put this kind of language, I do not see any rationale in the world that a private company trying to protect their IP, you know, on account of the legal risk of the hacker, will not do the same. If Tesla can do it, why cannot Facebook? So these are examples of stuff that could be done, and honestly I think that no one paid attention.

So a little bit more, like, proof of concept. Why do I say platforms matter? So they have an additional layer of terms, like 20 or 30 more pages for hackers to read. Now who here read the Bugcrowd or HackerOne four to five different contracts? Yes, thank you, thank you. Now their terms are, I mean, they apply in addition to the specific contract, and sometimes there are discrepancies and conflicts, and a hacker doesn't know how to solve that. The only thing that is solved is in the case of disclosure: in the case of disclosure, the specific contract, the specific, you know, guidance of the program, prevails. So this is another issue, and you saw there are also some kind of problems in the platform terms as well, okay. So this is an example from Bugcrowd: so their language could be broader than the specific, you know, company language. For example, this is regarding who can participate. So they say that, you know, people from any country that is subject to US or other countries' sanctions should not be participating, but usually it's only US in the individual contracts in the bug bounty program. So this is just an example; you can have some kind of discrepancy.

Unclear disclosure, I told you about that, okay. Microsoft, for example, the legal terms are not in the legal, there is no legal part, it's under the FAQ and it says "legal notice" there; that wasn't very clear to me, so I don't know how, you know, security people will face that. And I told you about Uber: they have a link to here and there, and you need to go all over the place to get a disclosure about the legal terms. So, you know, not sure, this is the paradox, it's all over the place.

But we do not only speak about problems; we want a solution, and the good thing is the law, and you, are able to be a part of this solution. So I will suggest a number of small changes that might mitigate this legal risk of thousands and thousands of hackers participating in bug bounties. First of all, I appreciate what platforms and companies are doing, and I understand when they cover their asses a little bit, but you can find a common ground, okay. You can find something which is in between, and this is what we've seen in the DoD terms, okay, and you have a very important role here. You do not need to, you know, agree to this take-it-or-leave-it mentality, okay. You can, individually, united, or through the platform, amend the language, and the platform can communicate this to the companies. They can offer a template, okay, a standard set of terms that are, you know, kind of representative of the balancing between the hackers' and the companies' needs.

First of all, eliminate all of this paradoxical, you know, do-not-reverse-engineer language. How can one, Bugcrowd, I mean, do a union, that, you know, move, you know, with it, or HackerOne, or whatever company that has do-not-reverse-engineer language that subjects the hackers in the bug bounty program to the terms of the EULA: they need to delete that, and they can do it now, as we speak. This is the very easy solution. We have the privilege of doing, you know, we are in the private ordering space; you don't need to run to Congress, you can, you know, initiate this change right here, you know, demanding this kind of change. It's just a few clicks away.

Also, as I mentioned, I think that the platforms should have a role here; they should review the terms. All programs should include exempting language from any legal liability and an obligation not to prosecute or sue hackers that follow the guidelines, okay. We talked about the Tesla, the General Motors, the DoD examples, and as I mentioned, HackerOne and Bugcrowd should demand this from all companies. This emergence of super hunters, which is reported by Bugcrowd and HackerOne, suggests that hackers, they operate in two to five programs, that's it, okay. They don't have the luxury of, you know, reading all the programs and making sure the legal terms are sufficient, you know, in terms of mitigating the risk. So this is something that the platforms should make sure of.

Standardization, this is very important, okay. We could create a situation where across industries and sponsors one language is used, and this will also reduce transaction costs, okay. You will have one language which is agreed, and there are not many disparities. You know, in the end, we do see similarities between the terms; they all want to create the situation where they're authorizing access for the specific purpose of the, you know, of the program, and, you know, in the scope of the program. So this is not something very complicated. They want to protect the IP, so we can have one specific set of terms, like in Creative Commons, like in open source, right, like licensing language across platforms, across industries, and also hackers will not need to know everything and, you know, go and read everything, because this will reduce the informational burden on hackers.

Specific authorization for the purposes of the CFAA and the DMCA, okay. I said contracts mean a lot; you know, in order for you to be exempt under the DMCA and the CFAA, we need the contract to give you authorized access. So for this, for example, I suggest some specific language which I would share with HackerOne and Bugcrowd, and they can run it through their lawyers, okay, that will specifically say: it is hereby clarified that researchers that follow these guidelines are granted authorized access for the purposes of the CFAA and any applicable law to test the system solely in a manner that is scope-defined. So you can do it within the scope of the program. And as I mentioned, this is very powerful: I want companies to commit towards their platform that they will not prosecute hackers. Then if something happens, the platforms can really protect their crowd, okay, because they have a contractual obligation right from the company. So it's not a one-way street where, you know, you as a hunter, you agree to do everything and comply with all laws, and then the companies can do whatever they want. So we add another layer of, you know, of commitment, of legal obligation on it.

Simplify this disclosure. Disclose key legal prohibitions, you know, don't use complicated language, and, you know, I can elaborate on that later. Use, like, you can use illustrations and educate your hackers, the crowd, the hunters, about the legal risks. Not just, you know, I've been to all of the webinars; it's lawyers talking with companies. What about lawyers talking with hunters? You need to educate your crowd. And as I mentioned, platforms have an important role to play as well, okay. They should be negotiating with the companies, they should change their guidelines to adopt the same exempting language.

And in the end, I wanted to conclude: this is just a case study. What I want you to take from this, it's not this legal bug bounty, you know, tattoo; this is not very important. What is more important is that we've been talking about these issues for years, but the hackers', the individual hacker's voice is not heard. You need to unite, you need to do collective bargaining, you need to take command and own the legal landscape of this community, okay. Hacker platforms and companies, they're doing the best they can; they need your help. So this is just, you know, don't surrender to this "I accept" culture. This is just one example of how hackers united in one front can advocate for mitigating the risk and ensuring their rights. I see a future where you have a union. I know it sounds crazy, right, unite hackers. So, you know, DEF CON didn't really like my submission; I ended up coming to Skytalks, and you will have a full hour of this if you're still interested. But there is a lot of power in voting with your feet. This is what we know from consumer law: that if consumers vote with their feet and they're not going with a company that doesn't give them the rights they want, then the drafter, he changes the terms; we call it [unclear]. So if you unite, if you pay attention to your legal rights, they're quite important, I mean maybe not as important, you know, as the technical stuff, but still you can really get your message out there. So I'm gonna finish it up. If you have questions, I'm here, you're welcome to approach me, and I thank you for your time, and I hope this kind of rough version of my script was okay. And that's it. [Applause]