Freedom to Hack

66 Pages Posted: 14 Sep 2017 Last revised: 8 Jun 2019

See all articles by Ido Kilovaty

Ido Kilovaty

University of Tulsa College of Law; Yale University - Law School

Date Written: September 14, 2017

Abstract

The proliferation of Internet-connected smart devices (the “Internet of Things”) has become a major threat to privacy, user security, Internet security, and even national security. These threats are manifestations of externalities primarily resulting from a market failure in the Internet of Things industry, in which vendors do not have an incentive to implement reasonable security in the software embedded in devices they produce, thus creating cheap and unsecure devices. This Article argues that law and policy have a central role to play in making this digital ecosystem more secure – not only through direct regulation of this industry, but primarily through allowing individual security researchers to hack for security – or “ethical hacking.” At present, laws that prohibit hacking, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, are adopting a strict liability approach to hacking, which criminalizes almost any form of hacking, regardless of motivation or potential benefits. This Article rejects this outdated approach in the wake of ubiquitous cyber-attacks, imperfect software, and the emerging Internet of Things ecosystem.

This Article argues that law and regulatory agencies should accommodate hacking for security purposes to allow security researchers to discover possible vulnerabilities while shielding them from copyright infringement or criminal liabilities. While security research into software and hardware is desirable, the law by and large restricts such research. This results in a reality of highly unsecure Internet-of-Things devices and could potentially lead to serious harms to security and privacy. Such a legal accommodation should be supported by other legal adaptations, mainly involving regulatory oversight and enforcement, consistent rules for vulnerability disclosure, and clear distinctions between ethical and malicious hackers.

Keywords: cybersecurity, cyber crime, computer crime, DMCA, CFAA, law and technology, ethical hacking, hacking

Suggested Citation

Kilovaty, Ido, Freedom to Hack (September 14, 2017). Ohio State Law Journal, 2019. Available at SSRN: https://ssrn.com/abstract=3035518 or http://dx.doi.org/10.2139/ssrn.3035518

Ido Kilovaty (Contact Author)

University of Tulsa College of Law ( email )

3120 E. Fourth Place
Tulsa, OK 74104
United States

Yale University - Law School ( email )

P.O. Box 208215
New Haven, CT 06520-8215
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
348
Abstract Views
2,276
rank
85,072
PlumX Metrics