Undetected - a web security podcast

05 Cecilia Wik - A Lawyer's Take on Hacking

Episode Summary

Is hacking illegal? This is a question host Laura Kankaala gets asked a lot. In this episode, she is joined by Cecilia Wik, General Counsel at Detectify, to discuss the intricacies of law in the US and Europe, wire fraud and computer crime. They walk through some famous cases of high-profile hacks and the punishments received. Note that the topics discussed should not be taken as official legal advice; rather, these tips shed some light on how to stay on the right path when doing security research.

Episode Notes

Computer Fraud and Abuse Act:
https://www.justice.gov/jm/jm-9-48000-computer-fraud

Kevin Mitnick
https://en.wikipedia.org/wiki/Kevin_Mitnick
https://www.mitnicksecurity.com/about-kevin-mitnick-mitnick-security

Aaron Swartz
https://en.wikipedia.org/wiki/Aaron_Swartz

Episode Transcription

Laura:

Welcome to Undetected. In this podcast, we dive deep into the world of web security. My name is Laura, and I'm a security researcher myself, and I'm on a mission to make the Internet a tiny bit better place.

 

Laura:

This podcast is brought to you by Detectify.

 

Laura:

Is hacking illegal? The word hacker has traditionally been linked with a lot of negative things and attributed to, for example, criminal activities. But coming to this day, hackers have become one of the most important things when it comes to improving information security. And today I have the pleasure of talking with Detectify's General Counsel, Cecilia Wik, and discuss what is legal, what is illegal, and go back to some famous cases in the past and see what kind of offenses they were, and how to do hacking and how to do hacking legally.

 

Laura:

So, welcome, Cecilia.

 

Cecilia:

Thank you, Laura. I'm happy to be here and discuss this very interesting topic.

 

Laura:

Thank you. And I'm very happy to have you here today. And, you work as a General Counsel at Detectify, can you tell me what that means?

 

Cecilia:

Yeah, sure. So a general counsel is the legal counsel responsible for the legal matters at the company. And currently, I'm still the only legal counsel here at Detectify, meaning that I'm overseeing all different kinds of matters when it comes to, for example, employment law and matters relating to our software service, so a broad, broad spectrum of stuff.

 

Laura:

Okay, so that sounds very interesting, but what do you need to study to become a legal counsel or general counsel?

 

Cecilia:

Well, you have to study law. It varies a bit from country to country, but at least in Finland and the Nordic countries, you would study law for about five years. In Finland, it's a very solid five-year education where you get to study all different kinds of laws, everything from environmental law to accounting to human rights. I wouldn't say it was very advanced when it comes to IT and technology law. There are, of course, other universities where you can dive into these in more detail, but a very broad education. And what I specifically took with me from my studies was participating in human rights moot courts.

 

Cecilia:

It was a competition between other Nordic countries and students from there, where we kind of simulated a case under the European Human Rights Convention. And the case that we worked with was a made-up case about freedom of speech and the protection of sources. In that case, it was a journalistic source. But that's then something that led me into studying even more human rights and international law, and international arbitration as well. But those were things that I felt passionate about and felt that the underlying principles were a driving force. It can be seen as something very far away from the world of IT and technology law, but actually those principles are something that's underlying in many cases that have surfaced in the last decades. So I think that's an interesting addition, and kind of giving an interesting depth to what I'm doing right now.

 

Laura:

Yeah, definitely. And I do think that freedom of speech and human rights have traditionally been linked quite a lot, or quite heavily with, for example, information security when it comes to, let's say, privacy or the rights, in our case for example, the rights of security researchers and so on. So I do feel that there are some commonalities between the two and that Infosec is not without these things. And you seem to have a very nice front seat view into the realm of web security, and not only web security, but the law part of it and the legal aspects of it, so I think you have a very interesting mix of knowledge when it comes to not only security, but the laws around it. But I just want to know, how do you find the world of information security or web security, from your perspective? Is it interesting, is it intriguing, or how do you find it?

 

Cecilia:

Yeah, I definitely find it very interesting, and I've seen two different sides of the coin, I would say, being a lawyer at an enormous organization and working a lot with compliance and information security checklists, and now working at Detectify, where everyone is really knowledgeable about information security and about the technicalities behind it. I wouldn't say I'm the best in that part of the knowledge, but then connecting the legal aspects to it is what I find very interesting, and understanding that it's not always only about compliance and ticking checklist boxes, but it's actually about how do people in the company really understand information security, and how can you use it and what is it in practice, and not only ticking the compliance boxes, but really going deeper into it and really raising awareness and educating people. That's where it becomes tricky.

 

Laura:

Yeah, and personally, I'm doing very hands-on security research and working with security, I'm familiar with the technology and I'm familiar with the baseline knowledge of how to do things legally and how to operate in the space so that I don't get into trouble. For example, I need to own the things that I hack, or I need to set up my own things, or I need to have explicit permission that I can hack that system. But I would like to have your thoughts on how the law is that much different from the world of IT? And I feel that IT moves so fast. There are new technologies coming all the time and new machine learning algorithms and new security research and new ways of doing things, but I feel that sometimes it's very hard to figure out what is legal and what is not, also because it seems like there are not necessarily laws put in place around certain things.

 

Cecilia:

Yeah, that's a very good and topical question. It's, of course, something that's always been discussed, as society moves faster than the law does. And that's especially true in the world of IT and the world of tech. Legislation takes a long time to implement. And the problem is also that there are often political and commercial reasons behind laws being implemented or not being implemented or not being amended, even if the society moves forward. And that, of course, can lead to legal loopholes, it can lead to misinterpretations, or interpretations that are not current with the society as it is today.

 

Cecilia:

And another example of how technology and law don't always move in parallel is, you mentioned machine learning, and the world of AI, as we all know, is moving fast forward and the law doesn't really manage to keep up in the pace from the viewpoint of, for example, copyright law. It's debated what happens when an AI tool, for example, creates, let's say a software or creates an artistic work, it could be a painting or it could be a piece of music. And actually, at least in Sweden, the copyright law requires that the piece of art is original, and that includes a human touch, that includes that it's actually a person affecting the work in a sense of applying intelligence or applying creativity or applying sort of a piece of personality in it. And you can't really apply that to AI. And at least at the moment, that's how it's interpreted, that unless the AI can be proven to have a human touch, the work that's created through that AI tool can't enjoy copyright protection. So there are situations, like these, that can't be and haven't been covered in the law because it takes years to implement a new law or changes.

 

Laura:

Yeah, definitely. And that thing about the machine learning and AI reminded me of a discussion I had with a couple of my friends, and it was about this website called this person doesn't exist. And it basically generates machine learning generated faces of people that do not exist. And I was thinking that are those copyrighted? Can I use this picture somewhere? I was planning on using it somewhere, but we didn't really arrive at any kind of consensus, because well, I wasn't talking with friends with any legal background, but that's a very interesting thing. And also, going back to what you said about the innovations and how rapidly the world is changing. I think it also makes sense that the world of law on the other hand is not changing that rapidly, because I think, just speculating in my head, but we could end up in a very interesting situation if laws moved just as fast as these technologies, we could have a lot of ad hoc things prepared, and maybe it wouldn't then serve its purpose.

 

Cecilia:

Yeah, definitely. And of course, there are cases like, for example, during pandemics or crises, then governments can enact emergency laws in a couple of weeks. But generally, there aren't resources to do that in terms of fast moving technology, if it's not, in a sense, urgent for national health or security. So yeah, but it's true. It needs a lot of preparation and it needs time. And also, I think it would be a good thing to include the technology community and the IT community, of course, when preparing and making amendments to existing laws, and that also requires a lot of time to engage different stakeholders as well.

 

Laura:

Yeah. What kind of process is that typically? Are you familiar with the process of, let's say that there is an amendment to a law or a new law altogether, what are the brief steps that are taken? Is there first the initial law that is presented and some reviews, or how does it go?

 

Cecilia:

Yeah, so normally there would be preparatory works, and that would generally be a type of working group for a new implementation or for a new proposal of amendment to the law, and that working group would then contact other interest groups and experts in the area. And then when there's a final draft, that would of course need to be presented in the Parliament and then approved. And there might at that point still be changes that have to be included in the amendments and so on. So it's a long process before legislation is actually approved, and then it has to be implemented, and then you need to allow a certain amount of time before it's implemented for, of course, people and entities to get ready for it. And then we have huge machineries like the EU, that then harmonize laws and need to include even more stakeholders in the legislation process.

 

Laura:

Okay, that doesn't sound like something that can be done overnight.

 

Cecilia:

Definitely, yeah. It will take years.

 

Laura:

Yeah, yeah. And I think that makes sense that this... As I said, it would be scary also if outside of emergency law, if new laws were applied all the time. What I mean all the time, that there would be overnight laws, but that's just my opinion on that thing without having any legal background. But the thing is about hacking, and now I'm talking about illegal hacking, is that it has been around for ages. So it's not a new crime. It's not something that started just five years ago, it's been going on ever since there were computers. And even before computers, there were people trying to hack signals and so on.

 

Laura:

But I would like to go through a couple of example cases and have you basically explain to me, what do some of these things mean legally. For example, there have been these quite famous cases in the past, and these cases are based in the US, so naturally, the laws applied will be US based laws and not Nordic or EU laws in this case and... Or if it's different, then please do tell me so, but can you explain to me what does the Wire Fraud Act mean?

 

Cecilia:

Yeah, very interesting case, and a lot of different counts he could have been or was held accountable for. But the Wire Fraud Act is, and wire fraud, well, that's a crime where a fraudster intends to get or actually gets money or property through giving false representations or false promises. And generally this happens through electronic communication or, for example, telephone. It could even happen analogically. This normally includes phishing or social engineering as well.

 

Cecilia:

A classic case or a classic example is the Nigerian Prince Scam. It's based on the advance-fee scam, which actually originates already from the 18th century, called the "Spanish Prisoner," where the fraudster contacts the victims and, through charisma and through creating a confident relationship, gets them to support the bailout of a Spanish prisoner that allegedly has a big inheritance or a property somewhere, and that upon his release, the victims will then get an even bigger reward. And this is the similar principle that's, for example, then used in a Nigerian Prince Scam, where you are promised a bigger reward if giving a smaller sum of money. And in this Nigerian prince scam case, which is one of the examples of wire fraud, there are many different ways to scam people. It was actually, I think, a guy in Louisiana that was behind it all. But that's just one example, and basically it's a way to receive money or property by scamming people.

 

Laura:

Yeah. Okay, that's interesting because if I think of wire fraud, I will think of something completely different. I will think of something, I don't know. For some reason I had a notion in my head that it would be something different, but it's interesting. This basically then covers, as you said, phishing and that history of, for example, these scams. It's fun how they are, throughout the history, there. The methods are somewhat the same, but only the... Sorry, the methods change but basically the aim is the same and the means are the same.

 

Cecilia:

Just to kind of point out that that could be sort of something where legislation could come into play, like would the definition actually cover these new ways of doing that, like electronic communication? Sometimes the definition in legislation is very narrow and it wouldn't cover it, and then that would create a legal loophole. But if you manage to define the terms in the legislation broadly enough, then that would also cover new ways of doing that, even if the principle behind it is the same.

 

Laura:

Yeah. So I suppose this Wire Fraud Act in US, it covers then basically anything done over computers or phone calls, or do you know if it's limited to some specific means?

 

Cecilia:

It covers, yeah, electronic communication and telephone. So that could be, you could get someone to wire money to you, but it also covers analog, so I would guess traditional mail would be covered as well.

 

Laura:

Yeah. Yeah, that's very interesting. And I just want to point out in this Mitnick case that he ended up serving five years in prison after being charged with the wire fraud cases, and also the other things that I listed out. And he spent four and a half years in pre-trial and eight months in solitary confinement, which is interesting, I think, that they put him in solitary confinement. But the law enforcement officials convinced the judge that he had the ability to start a nuclear war by whistling into a payphone. So I think they were quite scared of him as well, and after this chase that they'd had for him over the years, I think he had gotten quite a reputation for himself as well.

 

Laura:

But nowadays, Mitnick is a security professional and a security consultant. So, he is working towards making the world a more secure place. And you could for example, do these things for living. So you could break things for a living and it could be actually a career, but I wanted to talk about Aaron Swartz.

 

Laura:

And he was a very active person on the Internet. He was one of the creators of the web feed format RSS, used for example for podcasts and for spreading news and stuff to other websites, and the Markdown publishing format, and the organization Creative Commons, so for publishing and licensing rights and so on. And then he was also a co-founder of the social news website Reddit. So he was a very active figure and very notable figure when it comes to developing the Internet and developing tools on the Internet, but he got into trouble when he was basically exfiltrating data from MIT, or Massachusetts Institute of Technology, servers, and he was copying academic papers and breaking into the server rooms and using his laptop, or a laptop, to copy PDFs and academic journals and materials and then spreading them, apparently, online. And then he was charged under something called the Computer Fraud and Abuse Act. And the case never really went through because he then ended up taking his life before this case was actually settled, and I think this is a very, it's a sad case.

 

Cecilia:

Definitely, the Aaron Swartz case is of course a sad case, and also a case where a lot of criticism towards the Computer Fraud and Abuse Act kind of culminates. But just to go a few steps back. It's a US federal law, and it was implemented in 1986. It has gone through certain amendments, but a lot of amendments that the community's trying to push through haven't been taken into the law since, I think, the last amendments were sometime in 2008.

 

Cecilia:

And it basically covers the different types of illegal hacking that you can carry out, it covers unauthorized access to computers or exceeding authorized access. It covers computer fraud, it covers recklessly or intentionally damaging computers, it covers obtaining national security information and so on. And the fines and the imprisonment, so the consequences of these crimes can go up to 20 years imprisonment, which is actually also the case for wire fraud. So quite heavy imprisonment sentences.

 

Cecilia:

And what's particular about the Computer Fraud and Abuse Act is that it has both a criminal and a civil side. So basically, private companies can actually claim civil damages under the Computer Fraud and Abuse Act, which gives private corporations a lot of power. And there's, of course, a lot of lobbying opposing the amendment attempts, and it's been criticized along the years for being quite ambiguously written and allowing for very broad interpretations of the types of alleged crimes that you can carry out under the law. And so far, no notable amendments have been made.

 

Cecilia:

And mentioning the Aaron Swartz case is a good example in connection with the law, because when that case surfaced, the criticism towards the act culminated and there was even a proposal of Aaron's Law, I think it was called, where the intention behind that was to make amendments to the law so that, for example, breaches of private companies' terms and conditions would not be considered unauthorized access.

 

Cecilia:

And there have been various civil and criminal cases where this type of question has been tried, but there isn't really any consensus yet on what would be considered, for example, unauthorized access. Is it enough that a company writes terms and conditions, saying what you can and what you can't do, and if you break them, could you be civilly liable or even criminally liable? But there are some cases ongoing and the situation is sort of evolving all the time.

 

Cecilia:

And it's also good to understand that the civil and the criminal cases and charges can look different in terms of how the proceeding actually goes in court. Is there a jury or not a jury? This is normally the case in criminal cases, but not in civil cases. And what's the level and what's the standard of proof that you need to show, which also differs between criminal and civil cases. But the important point is that private entities can claim damages under this act.

 

Laura:

Really quickly, a question. What is the difference between a civil and criminal, what was the word that you used, civil and criminal...

 

Cecilia:

Yeah, so a criminal offense is an offense that's towards the government or towards society or towards other people's security, for example, at large. And civil cases would traditionally be breaching a contract or damaging a civil or a private party in some way. The difference is of course in the consequences, so a civil misconduct would not put you in jail, but could lead to you having to pay damages to a private entity, but then criminal offenses can lead to fines or imprisonment.

 

Laura:

Okay. Yeah, and-

 

Cecilia:

And there is also... In a criminal case, it would need to be proven beyond reasonable doubt that you are actually a criminal and have committed a crime. But then in a civil case, you kind of have to prove and show that it's more likely that it happened than that it didn't, so there's a difference in evidence as well.

 

Laura:

Okay, that's interesting. And, at least to my ear, it sounds that, for example, this Computer Fraud and Abuse Act was maybe intentionally made broad so it could cover future cases, and then maybe at some point it fell short because then it kind of let this loophole happen. But I don't know if that's how you see it, but I feel that if it can be used very widely and, for example, terms and conditions and all these things can be linked to it and then unauthorized access is very hard to define under that, then it's very interesting, in my opinion, to use that, I mean for legal proceedings.

 

Cecilia:

Yeah. And traditionally, prosecutors have interpreted it very widely, but then of course, it's a question of how do the judges and how do the courts interpret, and how do they actually decide, and that is what is interesting in the US, which is a common law jurisdiction, where case law is sort of the preceding source.

 

Laura:

What is case law?

 

Cecilia:

So basically, you can have a civil law or common law jurisdiction. A common law jurisdiction follows case law in a way that previous court cases and Supreme Court cases have precedence in a way that they are a source of interpretation, whereas in civil law, which Sweden and the Nordic countries and most of the European countries follow and traditionally belong to, preparatory works are a primary source of information. Case law, of course, kind of directs the way, but it isn't as prominent as in common law jurisdictions. And big common law jurisdictions are, of course, the UK and the US.

 

Cecilia:

So in the US, the cases that surface are of importance as they can then lead and direct the way of how the law should be interpreted in the future. So, even if the law was originally written sometime in the 80s, there is room for different types of interpretation, as long as there are new cases surfacing, and the Supreme Court taking a stance on how certain clauses should be interpreted and, for example, the terms and conditions of a private company, can they be considered a blocker and can they be considered something that can lead to unauthorized access if you breach them? It will be interesting to see how it develops.

 

Laura:

Yeah, that's interesting, because we are operating... Well, personally right now, well, you're in Stockholm and we are in the Nordics, so is there anything similar to the Computer Fraud and Abuse Act that is enforced in either the Nordics or at the EU level or somewhere in this region?

 

Cecilia:

Yes. In Sweden, for example, the law also criminalizes data breach. The consequences aren't as tough as in the US; in Sweden, I believe the maximum penalty is six years imprisonment. But basically, it's unlawful access or intentionally giving unauthorized access to a computer or to electronic information. So that could be even reading someone's email, it also covers access, meaning that...

 

Cecilia:

For example, there was a case where a police officer, generally you have access to the internal database and the internal registers, but you have a mandate to do the things you are allowed to do and to investigate the cases you are working on. And this police officer was then looking into what was in the register about himself, and that would then be trespassing or going over the authorization you have, and for that he was fined, I believe.

 

Cecilia:

But yes, there are similar laws in our countries.

 

Laura:

Yeah, that's interesting. Yeah, and I think it's good to point out here that, as we said before, this is not legal advice in any form or manner, and it's always important to take into account where you are operating and whose software you are looking at, and in what way. And just going back quickly to the Aaron Swartz case, because I forgot to mention that, for example, Aaron Swartz was arrested in 2011, so that's around the time period that we are talking about when we are talking about this specific use case, not use case, the case of Aaron Swartz, I mean. And he was also then charged with two counts of wire fraud actually, and then 11 violations of the Computer Fraud and Abuse Act, and that carried a cumulative maximum penalty of one million in fines and 35 years in prison, and then some other terms as well. So it was quite a heavy penalty that he was potentially facing from that act that he committed.

 

Cecilia:

Yeah, no, that's an interesting point. And I read somewhere that there were speculations about it being like 35, even up to 50 years. We will, of course, never know, because he was never convicted, as he committed suicide in 2013, before the case was ever finalized. But yeah, heavy, heavy imprisonment sentences could have been the consequence. Yeah.

 

Laura:

Yeah, and that's scary. And I think that's why it's a... Even though when we come back to web security and doing bug bounties and operating in this field, I would say it's a tiny bit different than the cases that we covered just now, but it's still good to remember that hacking, by default, is illegal unless you actually know what you're doing. For example, or it's your own system, and even in those cases, as we discussed, there can be some kind of niche cases where there could be some... Basically that you could get into some form of trouble for doing any kind of hacking activities.

 

Laura:

So at the top of my head right now is how to make sure that when we do hacking, that it's not going to result in any legal action, or at least minimize the risk of legal action taken against us?

 

Cecilia:

Yeah, that's an important question. And I would say that, roughly, you could divide it into three different categories. You have, for example, responsible disclosure policies and these types of bug bounty programs where you are allowed to do stuff, you are allowed to hack and you're incentivized to do it. In those cases, you have authorization, so you're not doing anything without authorization, as long as you keep within the scope of what you are asked to do.

 

Cecilia:

Then there might be contractual penetration testing services, for example. The contract would outline what you are allowed to do and what's the scope of what you can do and what different methods can you use.

 

Cecilia:

And then there are certain types of research that you can do. For example, like general scraping of public information on different websites without intruding, or without actually doing any hacking. It could be considered illegal, and what's important to remember, at least as the first step, is ensuring that you have authorization to do what you are going to do, and that you can do either under contract or under a bug bounty program. And first, you would then have the contract, but then you also have to make sure that you're within scope, so you are doing what you are asked to do and not going further than that and not using methods you aren't allowed to use or trying to hack systems or sites that aren't included within the scope.

 

Laura:

Yeah. About the contracts or authorization. Are there any best practices when it comes to asking for authorization for doing, let's say, a penetration test or any kind of security assessment, for example?

 

Cecilia:

What best practices? The first thing I would say is to ask a legal adviser to make sure you're doing the right thing. Another good thing to check, of course, is that the person giving you authorization actually has the mandate to do so, that it's, for example, someone within the company that can prove that they have the right to sign a contract or to give you the authorization to do a penetration test, for example.

 

Laura:

Oh yeah, that's actually a good thing to point out, that if someone is just asking you to hack into some software or some website, then always make sure that that person is actually someone who can say that you can do that, and not go overboard without making sure that they are who they say they are, for example.

 

Laura:

And when it comes to bug bounties, and you also mentioned the scope and going out of scope and stuff. So there are a lot of cases, when you look through the... I don't know if it's terms and conditions or basically the outline for a bug bounty program or security policy, there are typically things listed out, like things that please do not do. For example, don't do denial of service attacks, or DDoS attacks, or distributed denial of service attacks. Or don't, if you gain access to some sensitive data, a proof of concept doesn't have to be dumping the whole database out there. And then just keep kind of like a... My tip would be to also keep common sense when you're doing these things, and sometimes the proof of concept doesn't have to go overboard. It can be something very simple and trivial that demonstrates the vulnerability, but doesn't need to actually alter any data, or it doesn't need to access too much data. Sometimes access may be required to some point, but I don't know.

 

Laura:

Also, about the contracts, one more question. Is it better to have... Let's say, if you're a pen tester, does it matter if it's a verbal agreement or does it need to be written, or is email okay or enough, how should the contract be delivered?

 

Cecilia:

Yeah, that's also a good question. And for a lawyer, that's sort of a no-brainer. Always have stuff in writing if you can, and as far as you can, because if and whenever it becomes a court case, it might be impossible to prove what you have discussed over the phone, but if you have it in a contract, preferably in a contract, it might be email, but a contract is always better.

 

Laura:

Okay. Yeah, so a contract typically would then have someone's signature there. An email can be just some random chatter between people as well.

 

Cecilia:

Yeah, like informal communication or other stuff.

 

Laura:

Yeah. All right. That's a lot of very interesting information and a lot of interesting insight with Cecilia into a lot of these things. At least I feel a tiny bit smarter right now, and I would like to ask for some... Do you have any, I don't know, like material or books or resources that you would recommend, for example, security researchers like me to go through and see and then to, I don't know, get more information on this topic?

 

Cecilia:

Yeah, I mean, there are of course... You can find a lot of different sources online, and it depends on how willing you are, and actually reading the law, that's a good start, and understanding the law. I find it interesting to read up a bit on case law and what's been happening, especially in the US, how the law is interpreted and what has happened in previous cases and what has been enough to prove a criminal action. Yeah, otherwise just read on and google around, and know your sources, and be critical of what you're reading and the source you're reading, and seek legal advice if you are thinking of getting into any activity you're unsure of.

 

Laura:

Yeah, definitely. It's always better to be safe than sorry in these cases, and make sure that you are staying on the right path. Because just from personal experience, I know that getting into trouble with the law can sometimes, for example, hinder your career in Infosec. If you're aspiring to be a security researcher or consultant, then at least as far as I know and the companies I work for, they typically undergo an unfortunate amount of background checks, and sometimes these past mistakes can end up hindering your future. So it's really important to try to figure out the right way to go about these things and still not kill your curiosity. Stay curious, but do things the right way, because there are, I think, more so than ever, resources and possibilities for conducting hacking activities legally and staying on the right path.

 

Laura:

But thank you so much to Cecilia for having this chat with me.

 

Cecilia:

Thank you, Laura.

 

Laura:

Thank you for listening to our episode. You can find Detectify on Twitter @detectify. You can also send us email over at undetected@detectify.com

 

Laura:

Thank you for listening, catch you next time. Bye!