Security companies and institutes have a hard time doing their research nowadays. A lawsuit could be filed against them by the “victim” firm or even worse, they could be even criminally indicted if their white-hat hacking violates the Computer Fraud and Abuse Act. However, the biggest threat to researchers are subpoenas, which could be filed against them by law enforcement authorities.
Subpoenas could be used by authorities against security researchers to obtain the data of a research (that is usually in the works) and use it for criminal investigation purposes.
In the recent case of Brian Farrell, an alleged staff member of the now defunct Silk Road 2 marketplace, it was confirmed that the FBI was able to bypass the security of the Tor Network and acquire the IP addresses of around 1000 individuals around the world (including Farrell’s). The alleged Silk Road 2 staff member’s IP address was obtained through a subpoena, which forced Carnegie Mellon University (CMU) to give out all the information of their research of the Tor Network to the law enforcement authorities.
The CMU case should serve as a warning sign to security researchers: federal agencies can easily force firms to provide them all data of their research. Normally, researchers, such as CMU, would inform the community or the researched company of their security flaws so they can fix it in time, however, if a government agency abuses the researcher company, just the opposite could happen. Matt Blaze, a computer scientist at the University of Pennsylvania, made this statement about subpoenas:
“When you do experiments on a live network and keep the data, that data is a record that can be subpoenaed. As academics, we’re not used to thinking about that. But it can happen, and it did happen.”
According to Tor Ekeland, a computer-security focused defense lawyer, subpoenas could create a “chilling effect” that could limit researchers behavior because of fear. He said these:
“If there’s a criminal investigation, yes, the FBI or the SEC or the DEA can issue an administrative subpoena for your data. If you’re a researcher, you need to think: Am I going to get subpoenaed here? Should I be gathering this information and risking putting it into the wild?”
“It seems like they’re trying to subpoena surveillance techniques. They’re trying to acquire intel gathering methods under the pretext of an individual criminal investigation.”