Access Now: governments vilify and persecute information security researchers
The white hat hackers might be the unsung heroes of cybersecurity. Yet, governments worldwide are still persecuting them for finding and reporting vulnerabilities. The situation in Latin America is particularly harsh.
Various bug bounty programs that major companies run and the ‘Hack the Pentagon’ project have resulted in a more positive perception of independent infosec researchers.
“The US Department of Defence embracing hackers was a major turning point for public perception across government and private industry, and we’ve seen a lot more organizations interested in productively working with hackers. But there are still legal risks,” Katie Moussouris, a hacker and a pioneer in vulnerability disclosure, once told CyberNews.
She worked with the US Department of Defense on the government’s first bug bounty program ‘Hack the Pentagon.’
“The attitudes have changed, but there’s still a lot of room for interpretation on what’s allowed in bug bounties and what’s acceptable in security research.”
The situation in Latin America is much more gloomy. Access Now, a non-profit with a mission to defend and extend the digital civil rights of people around the world, claims that the persecution of digital security researchers and trainees is a serious global issue.
Their work identifying and reporting on vulnerabilities or weaknesses in digital infrastructures, such as the internet, software code, and information systems, benefits all of us by making these systems more secure.
“Despite the clear value of their work, governments worldwide have not only vilified information security researchers, but they have also persecuted them for finding and reporting on vulnerabilities,” Access Now claims.
The non-profit recently published a report, The persecution of the information security community in Latin America, which shines a light on the hostile environment for security research in Argentina, Colombia, Ecuador, and Mexico.
“Digital security researchers are still risking their reputations and opening themselves up to the possibility of being involved in legal proceedings to report on the vulnerabilities they find,” Access Now claims.
Persecution has a chilling effect
“There seems to be a common factor between authorities that a priori criminalize infosec researchers: the lack of technical expertise to understand what they actually do, confounding them with malicious hackers, while in fact, they look for vulnerabilities in digital systems, often helping to guard human rights,” Access Now researchers told CyberNews via email.
Besides that, some laws used to criminalize the infosec community contain broad concepts that depend on interpretation (like what is illegitimate), which recurrently affect digital security researchers.
Many of the laws described in the report contain, according to the researchers, ill-defined terms and phrases, such as “unauthorized” and “illegitimate” access, and “alteration” or “modification” to the functioning mechanism, that fail to consider the intent of the actor adequately and whether the Access resulted in some damage or harm.
“Although many criminal offenses do not incorporate intent, this element might also be complicated for security researchers to demonstrate. They often do not have a real purpose while investigating; accessing a system could lead them to discover new networks, access one institution or the other, and identify new infrastructures,” the report reads.
The examples of persecuted infosec workers discourage other researchers from investigations and therefore slow down the development of cybersecurity practices and tools.
“Persecution produces a chilling effect in affected communities. If state actors don’t follow the recommendations set in the report, it’s likely that it will result in self-censorship and dissuade researchers to continue doing their work and ultimately endangering an activity that is valuable to the whole of society,” Access Now told CyberNews.
Intimidation and invasions of privacy
The report details the most recent examples of researchers being persecuted, criminally or otherwise, in Latin America. Mentioned cases illustrate how independent infosec workers risk their reputations for reporting vulnerabilities and how they are envisioned as criminal hackers just for their extensive technical expertise.
In Argentina, Javier Smaldone was subjected to intimidation and invasions of privacy. Smaldone has performed security research on Argentina’s use of e-voting machines and maintains a personal blog critical of the government’s cybersecurity practices.
In October 2019, Argentinian police detained Smaldone for questioning under suspicion of hacking and leaking data from government systems. Authorities also raided Smaldone’s home, seizing and searching his various phones, computers, and pen drives. The researcher later learned that the main “evidence” the police used to obtain a warrant was his Tweets discussing and analyzing the data leaks.
“While Smaldone was never formally charged under the criminal code, his case exemplifies how someone with technical knowledge of IT systems and who is associated with the infosec community can be persecuted without just cause,” the report reads.
Even though Smaldone continues his work as a programmer and a sysadmin, he did share in his blog that he is worried about what could happen to him and other infosec researchers in Argentina in the future.
In Colombia, the researchers claimed, the means to report vulnerabilities, security flaws, and data breaches to the government are scarce or nonexistent. Individuals who find vulnerabilities face the fear of hostile reaction or legal action, legal barriers or lack of a legal framework that protects them, and lack of themes to communicate with the government.
In Ecuador, multiple laws could be used to punish digital security researchers for reporting on vulnerabilities, including the criminal code. Researchers can also be found guilty of violating the intellectual property law if the disclosure they make infringes copyrighted code or other copyrighted materials.
Mexico has substantial criminal legislation that could be employed to punish information security researchers. It also has other laws in areas like intellectual property that could impose fines and other administrative sanctions.
The Access Now report analyzes in detail the mentioned laws. If you want to learn more about it, dig in.
The researchers have also come up with proposals on building an environment where infosec workers could carry out their activity without fear of being criminally prosecuted. They recommend legislators amend existing laws that could be used to punish digital security researchers to define activities that constitute “illegitimate” or “unauthorized access” to a computer system. They also suggest incorporating a good faith approach to vulnerability disclosures, among other things.
More from CyberNews:
Subscribe to our newsletter