In an article published on Slate, entitled “Code Is Law,” Citizen Lab Research Fellow Jon Penney discussed how US laws, such as the Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act (DMCA), are determining the ethics of computer code.
As an example, Jon Penney mentioned an incident which occurred in July 2014 when “researchers from Carnegie Mellon University (CMU)—who work ‘closely with the (US) Department of Homeland Security’—were scheduled to give a talk at the Black Hat USA information security conference on a simple method to ‘de-anonymize’ Tor users.” Researchers in the security community were skeptical of the topic, as Tor was “a respected and widely used tool for online anonymity, employed by activists, dissidents, journalists, and yes, criminals too, to cloak their activities from the prying eyes of state authorities at home and abroad; even Edward Snowden trusted its protection.” Therefore, the idea that CMU researchers had found “an undisclosed vulnerability that could be exploited to cheaply and easily unveil the identity of Tor users” was difficult to believe.
Jon Penney explained that the talk was then pulled from the conference program at the last minute, with the CMU researchers, as reported in the Washington Post, claiming the materials they planned to present had “not yet been approved by CMU/SEI for public release.” The cancellation notice sent to the Black Hat USA conference came from CMU’s legal counsel. Penney outlined that many speculated about the reasons for the cancellation, with “some suggesting a possible national security letter from a federal agency, while others argued CMU lawyers, likely concerned by the legality of some aspects of the research, killed the talk to avoid potential liabilities.”
This incident raised “important ethical questions about the CMU research,” Jon Penney said. For example, had users’ privacy been violated or laws broken? And were the identities of Tor users harvested without their consent, which would constitute a serious ethical breach? None of these questions have been fully debated or answered, and they may never be. The talk’s cancellation meant that what many hoped would be a much-needed infosec community debate about research ethics and the security and dignity of users was instead cut off by lawyers and legal concerns.