Coming in from the Cold: A Safe Harbor from the CFAA and DMCA §1201

Authored by Daniel Etcovitch and Thyla van der Merwe

The Assembly program is pleased to announce a new publication, titled Coming in from the Cold: A Safe Harbor from the CFAA and DMCA §1201, written by Harvard Law School student Daniel Etcovitch and 2017 Assembly cohort member Thyla van der Merwe.  

The paper proposes a statutory safe harbor from the Computer Fraud and Abuse Act and section 1201 of the Digital Millennium Copyright Act for security research activities using a constructed communication protocol based on a responsible disclosure model. The authors explore how such a safe harbor could provide security researchers a greater degree of control over the vulnerability research publication timeline and guarantee researchers safety from legal consequence if they complied with the proposed safe harbor process. ​

The collaboration between Daniel and Thyla was born out of the 2017 Assembly program and the Internet & Society class co-taught by Harvard Law School Professor Jonathan Zittrain and MIT Media Lab Director Joi Ito, where they first met.  As the authors describe it, they “found a common interest in legal barriers to security” during the Internet & Society course and together “began to engage with the reality that some security researchers – particularly academics – were concerned about potential legal liability under computer crime laws.” 

Abstract
In our paper, we propose a statutory safe harbor from the CFAA and DMCA §1201 for security research activities. Based on a responsible disclosure model in which a researcher and vendor engage in a carefully constructed communication process and vulnerability classification system, our solution would enable security researchers to have a greater degree of control over the vulnerability research publication timeline, allowing for publication regardless of whether or not the vendor in question has effectuated a patch. Any researcher would be guaranteed safety from legal consequences if they comply with the proposed safe harbor process. 

About the Berkman Klein Assembly 
Assembly, at the Berkman Klein Center & MIT Media Lab, gathers developers, managers, and tech industry professionals for a rigorous spring term course on internet policy and a twelve-week collaborative development period to explore hard problems with running code. Each Assembly cohort comes together around a defined challenge. In 2017, the Assembly cohort focused on digital security. In 2018, the program focused on the ethics and governance of artificial intelligence. For more information, visit the program website, http://bkmla.org.