[Infowarrior] - The Laws of Full Disclosure

Richard Forno rforno at infowarrior.org
Wed Feb 27 03:16:55 UTC 2008


 The Laws of Full Disclosure
Federico Biancuzzi,

http://www.securityfocus.com/columnists/466?ref=rss

Full disclosure has a long tradition in the security community worldwide,
yet different European countries have different views on the legality of
vulnerability research. SecurityFocus contributor Federico Biancuzzi
investigates the subject of full disclosure and the law by interviewing
lawyers from twelve EU countries: Belgium, Denmark, Finland, France,
Germany, Greece, Hungary, Ireland, Italy, Poland, Romania, and the UK.

SecurityFocus: What does the current law of your country say about
disclosure of security vulnerabilities in software?

(Belgium) Jos Dumortier: There is no specific legal provision in Belgium
about disclosure of security vulnerabilities in software. In some cases
however, such a disclosure can be considered a criminal act. I am mainly
referring to two cases. The first is the crime of "illegal intrusion in
information systems" (sometimes called "hacking"). The qualification of this
criminal act not only includes the intrusion itself but also "intentionally
distributing instruments or data which are mainly conceived to carry out an
intrusion".

The second is the crime of "illegal circumvention". This is a rule which has
its origin in the European Copyright Directive. Besides the act of
circumventing digital rights management software itself, the provision also
prohibits the act of intentionally distributing information which enables
someone (else) to circumvent DRM systems.

On the other hand, someone who discloses vulnerabilities in software can
also be held liable -- if this disclosure causes harm, for instance, to the
software vendor. But such liability presumes that the disclosing person has
(caused harm) by disclosing the weakness. (Such harm) has to be proven by
the other party. Of course, an employee can be held contractually liable for
a disclosure if this disclosure has been prohibited by his employment
contract. Same with someone who signed an NDA, etc.

(Denmark) Martin von Haller Groenbaek: First off, if you have
inside knowledge regarding such vulnerabilities, e.g. because you work at
the software-company making the flawed software, you are not to tell anyone
of the vulnerabilities since such vulnerabilities would be considered trade
secrets -- and disclosure of trade secrets is punishable with up to one and
half years of imprisonment -- and in severe cases with up to 6 years of
imprisonment. However, if the vulnerability is not considered a trade
secret, e.g. where a user of the software has found the vulnerability, the
situation is somewhat different.

If the vulnerability is revealed in a very concrete situation, e.g. if you
tell exactly how to use a vulnerability in Internet-banking software -- the
person revealing the vulnerability runs the risk of being punished for
assisting in a crime -- if the vulnerability is used to commit a crime
afterwards. If the disclosure of the vulnerability is less concrete --
disclosure would usually not be punishable by law.

If the disclosure is made by a competitor this would however likely be in
conflict with the Danish marketing practices act, and the company disclosing
the vulnerability could be fined.

To my knowledge, we only have a single case in Danish law regarding
disclosure of vulnerabilities. In the so-called Valus case, a person
disclosed in the Computerworld.dk forums that by entering a specific link in
your browser you could make the Valus Internet service crash. Valus is an
online payment service. He also posted the link itself, but also noted that
the link should not be clicked. The person disclosing the vulnerability was
acquitted, because it was clear that his disclosure was part of a debate,
and he had not intended to crash the Web service. However, the persons who
actually clicked the link were fined.

(Finland) Ville Oksanen: Finland currently has an extensive set of different
crimes pertaining to information technology. The latest additions were made
because of the CoE (Council of Europe) cybercrime treaty. However, regarding
full disclosure, there are no explicit provisions on the matter in the
law. Finnish Criminal Law 34:9a § "Causing danger to computing" may be
applicable due to its very wide scope -- the chapter covers both offering
code and offering advice which could be used to disrupt networks or
software. However, there is one additional element -- intent. The act is
only criminal if the goal of the act is to cause harm or damage.

However, the preparation material, which is not binding for courts (but a
strong recommendation), of that chapter actually takes a position that
publishing a bug is normally OK, even for pressuring a vendor, but that
creating code that demonstrates how to use it is not, unless it is produced
to be sent to an organization like CERT. This seems to imply that full
disclosure could be criminal. So far there have not been any court cases
relating to the matter.

(France) Eric Barbry: Actually, in my opinion, there is no specific text on
this question in French law. However, this question could be resolved with
regard to other regulations, especially criminal law. The French penal code
punishes fraudulent access to, or remaining within, all or part of an automated data
processing system. Moreover, article 323-3-1 of the criminal code
stipulates: "Person who, without lawful authority, imports, possesses,
offers, transfers or makes available any equipment, instrument, computer
program or information created or specially adapted to commit one or more of
the offenses prohibited by articles 323-1 to 323-3, is punished by the
penalties prescribed for the offense itself, or the one that carries the
heaviest penalty".

Therefore, it seems possible to punish the disclosure of security
vulnerabilities in software on the basis of these articles if unlawful
access has been committed or if the disclosure has been carried out under the
conditions of article 323-3-1. The risk of prosecution depends on the
particulars of the security of the information system which is accessed.

Thus, in a decision of October 2002 [Cour d'Appel de Paris, Tati / Kitetoa,
30 octobre 2002], the Court of appeal of Paris (charged) a journalist who
had accessed the information system of Tati. The objective of this
journalist was to reveal security vulnerabilities on his website, Kitetoa.
The Court did not consider the objective of (gathering) the information to
(trump) the offense of intrusion on the information system. However, the
Court did consider that the information system was "insufficiently secured"
and that the offense of intrusion couldn't be committed on an
"insufficiently secured" system.

The other criminal basis to punish disclosure of security vulnerabilities in
software is counterfeiting regulations. In a decision of February 2006 [Cour
d'appel de Paris 13ème chambre, section A. Arrêt du 21 février 2006.
Guillaume T. (dit Guillermito) / Eyal D., Tegam International], the Paris
Court of Appeals convicted Mr G. for counterfeiting the Viguard software.
Mr G. was interested in software vulnerabilities, and he disclosed on the
Internet vulnerabilities of the Viguard software. The problem is that Mr G.
wasn't (the owner) of a license on the software and that he copied and
disassembled certain elements of the software to publish them on the Internet.

In other cases, it will be more difficult to punish a disclosure,
except if this disclosure is a violation of business secrets or an act of
unfair competition.

(Germany) Marco Gercke: Marco gave a detailed interview to SecurityFocus and
talked about vulnerability disclosure.

(Greece) Irini Vassilaki: Greek law does not explicitly prohibit the
disclosure of vulnerabilities in software. The only provision that could
cover this issue is Art. 370C par. 2 of the Greek criminal code that
punishes hacking. This normally punishes the access to data that are stored
in a computer system or are transported via telecommunications networks. The
act must be committed "without right". This is especially the case when the
access takes place through the violation of security measures which have been
taken by the owner or other right holder of the system.

There is no case law concerning the interpretation of Art. 370C par. 2 GrCC.
According to the legal literature, "without right" is every activity that takes
place without the authorization of the right holder of the system.
Therefore, any interference with the software that could (result in) the
disclosure of vulnerabilities and occurs beyond such authorization takes
place "without right".

For the prosecution of this offense, a complaint is required. I cannot
imagine, however, that the disclosure of the vulnerabilities of software
will be reported to the police by the right holder. This would have as a
result that the "weak parts" of the software would be public, and this would
have negative consequences for the right holder.

(Hungary) Ferenc Suba: Before you disclose a security vulnerability in
software, you should ask yourself a couple of questions to clarify the legal
consequences of your action in Hungary. First you should validate, whether
the information you give to the public is correct. If you publish incorrect
vulnerability information, you may be liable for damages according to civil
law, because you have damaged the reputation of the software producer.

Having checked that, you should pose the question whether the disclosure
hurts the rights or legitimate interests of the software producer, any other
third person or the public order. Concentrating on the software producer,
you will not infringe any portion of its copyright or patent rights -- in
case of computer implemented inventions -- if you limit the disclosure to
the vulnerability itself and you do not extend the publication to the parts
of the software that are protected by the Copyright Act, the Patent Act or
even the Penal Code.

If you look at third parties and public order, it is always important to
show that you are acting in good faith, i.e. you are not disclosing the
vulnerability to enable others to commit a crime against information
systems, since it would fall under a crime regulated in the Penal Code. This
can be done by attaching a patch information to the vulnerability.

Having paid attention to the above, you can be sure that the disclosure will
be a legal one and in conformity with the relevant provisions of civil and
penal laws of Hungary. Moreover, the legal disclosure of security
vulnerabilities in software can be seen as an action that supports the
fulfillment of regulatory requirements laid down in the Data Protection Act
(in respect to data protection), the Act on Credit Institutions (in respect
to the protection of their information systems), the Act on Electronic
Communications (in respect to the protection of the electronic communication
and information systems), and the Government Decree on the National Security
Supervisory Authority (in respect to the electronic security of the
institutions falling under the scope of the authority).

(Ireland) TJ McIntyre: We have no law in this area as of yet. It is possible
that possession of hacking tools or a crack or exploit code might amount to
the offense of possession of an item with intent to damage property (note
that property includes data). It is also possible that the method used to
discover a vulnerability might itself amount to a crime under s.5 CDA 1991
or s.9 Criminal Justice (Theft and Fraud Offences) Act 2001. There may also
be contractual or licence provisions which restrict a user's ability to
disclose vulnerabilities. Otherwise though this area is a blank slate.

(Italy) Gabriele Faggioli: No legal measure exists in our ordinance that
specifically refers to vulnerabilities and/or exploits. However, some norms
do exist that abstractly can be considered applicable to research and the
publication of vulnerabilities and/or exploits. First of all, it is important
to consider that research into vulnerabilities related to operating systems
and applications is not always considered a legal activity. With
reference to proprietary software -- with closed-source code -- precise
norms are defined by the law on copyrights (Law n. 633 of 22nd April 1941
and subsequent modifications). On the one hand, (the laws) allow the
legitimate owner of a copy to observe, study or subject operation of the
program to a test, with the objective of establishing the ideas and
principles upon which each element of the program is based -- if such
activities are performed during the loading, visualization, execution,
transmission or storage operations of the program. On the other hand, the
possibility of performing de-compilation operations are limited to special
cases, such as the achievement of inter-operability with other programs.

Implemented in accordance with the law on copyrights, research and the
subsequent publication of vulnerabilities related to a software is not
illegal as long as some specific details are adopted. In particular, the
person that discovers the vulnerabilities should inform the manufacturer of
the program that the vulnerability refers to, in advance in order to allow
him to create a "patch" before any possible publication. In the absence of
this prior transmission of information, the individual that has disseminated
the vulnerability may be called upon to compensate, on a civil level,
damages caused by third parties due to the effect of its publication. This
behavior may be considered contrary to the principle of good faith, as such
damages, even if they are involuntary, generated indirectly by the integral
publication of vulnerabilities, could have been avoided or limited through a
much more diligent behavior by the person in charge of their diffusion.

Another topic applies to research of vulnerability that refers to specific
information technology systems implemented by third parties -- for example
by a company. These research activities may integrate the abusive computer
access crime regulated by article 615/ter of the penal code if used, for
example, through penetration tests not authorized by the company. The norm
indicated, in reality, specifically punishes the behavior of anybody that
illegally enters a computer system protected by safety measures or remains
in the system against the specific desire of whoever has the right to
exclude him, and the crime can be punishable as a pure attempt. The
subsequent publication of vulnerabilities may, in this case, have an
independent penal importance. Article 615/quater of the penal code
("Abusive detention and diffusion of access codes to computer or remote
systems") considers it a crime for an individual who, with the objective of
creating profit for himself or for others or creating damages to others,
illegally obtains, reproduces, diffuses, communicates or delivers codes,
passwords or other suitable means for access to a computer or remote system,
protected by safety means, or provides indications or instructions suitable
for the aforementioned purposes.

With reference to the publication of exploits (or programs/codes created to
take advantage of a previously identified vulnerability), article 615 of the
penal code may be used as it punishes the diffusion, communication or
delivery of programs whose objective or whose effects include damage to a
computer or remote system or alteration of its operation. This norm,
traditionally associated with the diffusion of computer viruses, may be
applied to the publication of exploits that may result in alterations to the
computer system whose vulnerabilities are exploited.

Despite the aforementioned norms examined, considered to be abstractly
applicable to the publication of vulnerability and exploit, no ruling has
yet been issued by Italian judges on a concrete case. At the same time, no
intervention has been planned by our legislators in order to regulate this
topic.

(Poland) Tomasz Rychlicki: Polish Law of February 4, 1994, on Copyright and
Neighboring Rights (in Polish: ustawa o prawie autorskim i prawach
pokrewnych) allows -- unless otherwise provided in the contract -- for acts
such as reproducing the program in its entirety or in part, either
permanently or provisionally, where the loading, display, running,
transmission or storage of a computer program calls for such reproduction,
if they are necessary for the lawful acquirer to be able to make use of the
program according to its intended purpose, including the correction of
errors (article 74, sec. 4(1) and article 75, sec. 1).

The following acts shall not require authorization: analysis and study of
and experimentation with the operation of the computer program by the lawful
acquirer in order to ascertain its underlying ideas and principles, if the
person concerned performs the above acts at the time of the operations
associated with the loading, display, running, transmission or storage of
the computer program (article 75, sec. 2(2)).

As you can see there isn't any prohibition on publishing your discoveries in
copyright law, but we also have the Polish Penal Code (in Polish: Kodeks
Karny) and the highly criticized Doctrine Article 269b, which prohibits
creating, acquiring, selling or making available to other persons devices,
computer software, passwords, codes or other data which allows access to
information stored in computer system or network.

Article 269b of the Polish Penal Code penalizes an act of a person who
produces, acquires, sells or makes accessible for other persons devices or
computer programs and also computer's passwords, access codes or other data,
that enable access to information stored in computer system or
telecommunication network. Such person can be sentenced up to 3 years of
imprisonment. Hacking is not defined in the Polish Penal Code.

However article 269b contains undefined term such as "other data" which is
contradictory to one of the main criminal law principles -- "in dubio pro
reo" -- all doubts should be decided in a favor of defendant.

What is more important, Article 269b of the PPC is an example of an
incorrect implementation of the Council of Europe Convention on Cybercrime
(article 6 sec. 2), which clearly allows production, sale, procurement for
use, import, distribution or otherwise making available or possession of
devices, computer programs, computer passwords, access codes, or similar data
that are used not for the purpose of committing an offense established by the
Convention. For example: for the authorized testing or protection of a
computer system.

There is no definition of "authorized testing" but it may be presumed that
every legitimate user of computer program is entitled to such actions. In
European Union countries this presumption is supported by provision included
in the Council Directive 91/250/EEC of 14 May 1991 on the legal protection
of computer programs.

So, as you can see, you can publish any kind of vulnerability in Poland and
Europe (and in any country which is a party of CoE CoC). There is also
another very important issue with the national legislation as regards to the
Council of Europe Convention on Cybercrime, which 21 countries signed
including the U.S.A.

When the national legislation which implements the CoC is improperly
implemented and a person is charged based on those national regulations'
provisions, he/she always has the right to challenge it before the European
Court of Human Rights. The court will always follow the Convention's text.

(Romania) Bogdan Manolea: The Romanian cybercrime law does not rule
specifically on the disclosure of security vulnerabilities in software. From
a theoretical point of view this might be considered, depending on the
circumstances of the case of course, as an "aiding and abetting" of the
crime of illegal access to a computer system (see art. 42, especially point
b) and could be prosecuted in a penal case.

If the disclosure is directly linked also with an unauthorized entry into a
computer system by the same person, then this is a crime according to art.
42, Law 161/2003. There are no court rulings that I know of on this matter and
I don't know of any resource on the Internet especially in this topic (in
Romanian or about Romania).

Writing an exploit is a crime under article 46, but only if it can be used
in (only) an illegal way... If we have an exploit that can be used in a
legal way, then there is no punishment for producing or sharing it.

    Article 46

    (1) The following are considered criminal offenses and punished with
imprisonment from 1 to 6 years.

       1. the production, sale, import, distribution or making available, in
any other form, without right, of a device or a computer program designed or
adapted for the purpose of committing one of the offenses established in
accordance with arts. 42-45;
       2. the production, sale, import, distribution or making available, in
any other form, without right, of a password, access code or other such
computer data allowing total or partial access to a computer system for the
purpose of one of the offenses established in accordance with arts.42-45;

    (2) The possession, without right, of a device, computer program,
password, access code or computer data referred to at paragraph (1) for the
purpose of one of the offenses established in accordance with arts.42-45 is
also punished similarly.

Anyway, this is a theoretical discussion -- in practice the Romanian
cybercrime police are so busy with the phishing cases, they won't have time
for such a minor crime.

(UK) Peter Sommer: There is no specific provision in English Law, but if the
discloser is in a contractual relationship with the supplier, the contract
may seek to ban reverse engineering or impose a duty of confidentiality. In
those circumstances the supplier could resort to civil proceedings.

The only obvious criminal route might be via "incitement" -- that is that by
publicizing the breach others were being encouraged to take advantage. But
the prosecutor would need to demonstrate "intent"; and the discoverer of the
flaw could almost certainly say that the intent was to make the product
secure, not to take advantage. I think that UK authorities would be
reluctant to prosecute in these circumstances.

On the whole, if a flaw is discovered in your product, you would do better
to rectify it, rather than going to the law. There is perhaps one further
aspect of the law to consider: the means by which the security flaw was
uncovered. The Council of Europe Cybercrime Treaty (to which the USA is a
signatory) includes provisions against the use of "anti-hacking" tools. If
you have uncovered a flaw using certain techniques and then publicize the
results you may, in certain circumstances, be admitting to breaking the law!
