Wednesday, February 27, 2008
Full Disclosure and the Law - a European Survey
Full disclosure - the practice of making security vulnerabilities public - is an area of uncertain legality. The companies whose products are shown to be insecure would like to suppress this information. In addition, new laws criminalising so-called hacking tools have caused security researchers to worry that simply possessing the tools of their trade, or publishing their research, may expose them to criminal liability. Legal certainty isn't helped by the fact that the laws on this point differ greatly from jurisdiction to jurisdiction. Federico Biancuzzi has now produced a very helpful survey of European laws in this area by interviewing lawyers (including myself) from twelve EU countries about their national laws. Most seem to agree that the law is unsettled. But some common themes do emerge. In particular, full disclosure is not regulated by any specific law - instead, the consequences of full disclosure tend to be assessed in a rather ad hoc way under a variety of different legal regimes. In addition, civil liability (imposed by general copyright law or by specific contractual or licensing restrictions) appears to be just as much of a deterrent to research and publication as the newer laws criminalising hacking tools.