Freedom to Hack

66 Pages Posted: 14 Sep 2017 Last revised: 8 Jun 2019

See all articles by Ido Kilovaty

Ido Kilovaty

University of Arkansas - School of Law; Yale University - Law School

Date Written: September 14, 2017


The proliferation of Internet-connected smart devices (the “Internet of Things”) has become a major threat to privacy, user security, Internet security, and even national security. These threats are manifestations of externalities primarily resulting from a market failure in the Internet of Things industry, in which vendors do not have an incentive to implement reasonable security in the software embedded in devices they produce, thus creating cheap and unsecure devices. This Article argues that law and policy have a central role to play in making this digital ecosystem more secure – not only through direct regulation of this industry, but primarily through allowing individual security researchers to hack for security – or “ethical hacking.” At present, laws that prohibit hacking, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, are adopting a strict liability approach to hacking, which criminalizes almost any form of hacking, regardless of motivation or potential benefits. This Article rejects this outdated approach in the wake of ubiquitous cyber-attacks, imperfect software, and the emerging Internet of Things ecosystem.

This Article argues that law and regulatory agencies should accommodate hacking for security purposes to allow security researchers to discover possible vulnerabilities while shielding them from copyright infringement or criminal liabilities. While security research into software and hardware is desirable, the law by and large restricts such research. This results in a reality of highly unsecure Internet-of-Things devices and could potentially lead to serious harms to security and privacy. Such a legal accommodation should be supported by other legal adaptations, mainly involving regulatory oversight and enforcement, consistent rules for vulnerability disclosure, and clear distinctions between ethical and malicious hackers.

Keywords: cybersecurity, cyber crime, computer crime, DMCA, CFAA, law and technology, ethical hacking, hacking

Suggested Citation

Kilovaty, Ido, Freedom to Hack (September 14, 2017). Ohio State Law Journal, 2019, Available at SSRN: or

Ido Kilovaty (Contact Author)

University of Arkansas - School of Law ( email )

260 Waterman Hall
Fayetteville, AR 72701
United States

Yale University - Law School ( email )

P.O. Box 208215
New Haven, CT 06520-8215
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics