Industry Observations

Web Attack Legality

Very regularly, when I talk to people in the security space and in the peripherals, I get the impression that there is a huge disconnect about the legality of web application attacks. There is a large disparity between what is legal/illegal and what has been successfully prosecuted. And there is an even bigger difference between what has been litigated and what is litigated in proportion to how often some types of crime occur.

So a while back I started a spreadsheet to enumerate the most common web application attacks or methods of impacting web applications. I tried to group them by category, and then give both legal precedent if any and a personal (not legal) opinion of the status of each of these forms of attack.

There are many challenges. First, electronic crimes are often both federal and states crimes. Accordingly, in addition to federal cybercrime statutes, there is a patchwork of state laws also establishing electronic crimes. (See, for example, this article summarizing Vermont’s Computer Crime Statute). Yet another challenge is that there are probably many cybercrimes and torts that are rarely enforced (or not enforced at all) due to the difficulty of finding the wrongdoer or jurisdictional problem (e.g., wrongdoers are outside the United States). Lastly, there is the difference between criminal and civil liability. Criminal offenses are prosecuted. Torts (wrongful acts or infringements of another’s rights) are litigated. While both could end up costing you lots of money, only criminal offenses land you in prison.

Hopefully this should clear up a lot of the confusion about what is and isn’t legal, but more importantly about how effective the laws really are. Apply this against how often you are seeing an attack and you should get a good idea of how useful our existing laws are for the current set of attacks you are seeing. Please download the web application attack legality spreadsheet here.

Normal disclaimers apply – I’m not a lawyer, and this isn’t legal advice, just my own, and just because something hasn’t been litigated doesn’t mean it’s not illegal and/or won’t open you up to fines. I also easily could have missed some case law in my research, or something could get litigated immediately after I write it. If you use any of these attack techniques, your crime may may turn into the legal precedent that this spreadsheet was lacking. People can sue you for just about anything, and I only gloss over civil cases in this document. Also, as a cautionary note, this was written almost entirely from the perspective of the United States, and local/international law may differ.

That said, I hope people get some use from it. More importantly I hope we will continue thinking about what is and isn’t effective, which laws work and which don’t, and which crimes are extremely difficult to prosecute.

  • http://www.contrastsecurity.com Jeff Williams

    I enjoyed this. Since there’s so little case law I think you’re going to end up with a non-technical judge/jury deciding things. IMO the outcome isn’t likely to depend on the technical attack vector. Instead, the court will probably “balance the equities” and take into account whether you were attempting to do evil, who got hurt, fairness, and whatever else they can make up. On the plus side, if you’re a legit security researcher, then your desire to do good helps you in court. But if you exploit a vulnerability you find and cause harm, that could hurt you. As far as what constitutes an attack… to me it’s basically anything that an ordinary user wouldn’t do while using a website — the Cuthbert contingency 🙂

  • Pingback: The Law and Web Application Attacks | My reading()