Abstract
The proliferation of Internet-connected smart devices (the “Internet of Things”) has become a major threat to privacy, user security, Internet security, and even national security. These threats are manifestations of externalities primarily resulting from a market failure in the Internet of Things industry, in which vendors do not have an incentive to implement reasonable security in the software embedded in devices they produce, thus creating cheap and unsecure devices. This Article argues that law and policy have a central role to play in making this digital ecosystem more secure – not only through direct regulation of this industry, but primarily through allowing individual security researchers to hack for security – or “ethical hacking.” At present, laws that prohibit hacking, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, are adopting a strict liability approach to hacking, which criminalizes almost any form of hacking, regardless of motivation or potential benefits. This Article rejects this outdated approach in the wake of ubiquitous cyber-attacks, imperfect software, and the emerging Internet of Things ecosystem. This Article argues that law and regulatory agencies should accommodate hacking for security purposes to allow security researchers to discover possible vulnerabilities while shielding them from copyright infringement or criminal liabilities. While security research into software and hardware is desirable, the law by and large restricts such research. This results in a reality of highly unsecure Internet-of-Things devices and could potentially lead to serious harms to security and privacy. Such a legal accommodation should be supported by other legal adaptations, mainly involving regulatory oversight and enforcement, consistent rules for vulnerability disclosure, and clear distinctions between ethical and malicious hackers.