By Jennifer Granick
Nov. 23, 2005
Last week Black Hat, the Vegas security conference that was at the
center of the Ciscogate controversy last summer, was purchased by CMP
Media. The sale has the internet hens clucking about whether ownership
by a larger, wealthier corporation will protect Black Hat from future
legal challenges, or make it more susceptible to pressure from
companies wanting to control vulnerability disclosures.
The more worrisome question is why Black Hat and other purveyors of
security information must worry so much about what they disclose. For
better or worse, the settlement I negotiated with Cisco in its case
against researcher Michael Lynn kept some important legal issues from
reaching a courtroom, and these unsettled questions cast a long shadow
over security research today.
As a brief background, Michael, my client, worked for ISS, a company
that provides security products and services. While there, Michael's
job was to study Cisco products, to figure out how they worked and to
analyze them for security flaws. Cisco did not give ISS or its
employees Cisco source code and ISS had no nondisclosure agreement, or
NDA, with Cisco. Michael had the typical NDA with ISS that he would
not reveal confidential information obtained during the course of his
When Michael discovered the now-famous Cisco flaw, ISS initially was
pleased to have Michael tout the success at Black Hat. Michael's
presentation demonstrated for the first time that it was possible to
execute remote code on Cisco routers, and encouraged systems
administrators running vulnerable versions to upgrade fast.
But in the weeks leading up to the conference, Cisco and ISS butted
heads over what information Michael would reveal about the router
code. The day before the conference, Cisco and ISS cut a deal and
informed Black Hat that it had to cut Michael's presentation out of
the conference materials. Michael, concerned that important
information was being suppressed, gave an edited version of his talk
anyway, and by that afternoon, Cisco and ISS had jointly filed a
federal lawsuit against Michael and Black Hat.
Among other claims, the lawsuit alleged that Michael and Black Hat
misappropriated trade secrets by revealing Cisco code in his
In California, where Cisco is located and the lawsuit was filed,
misappropriation means "acquisition by improper means, or disclosure
without consent by a person who used improper means to acquire the
knowledge." Improper means "includes theft, bribery,
misrepresentation, breach or inducement of a breach of a duty to
maintain secrecy, or espionage through electronic or other means."
Importantly, "Reverse engineering or independent derivation alone
shall not be considered improper means" under the law.
Michael didn't steal anything, and he never had access to confidential
Cisco source code. He took the binary distributed with every Cisco
router, decompiled it into machine code and used some pointers to the
machine code to illustrate the claims made in his presentation.
Machine code is probably copyright-protected, but copyright's fair-use
doctrine allows some copying for the purpose of critique and study.
California law makes it clear that people are allowed to study
products on the market, and that a trade secret loses its special
status when a company sells it to the public. When a company
distributes confidential information to insiders, it can assure that
that information remains protected by requiring the employee or
contractor to sign an NDA.
Since Michael was not under an NDA with Cisco, he and Black Hat should
have been in the clear. (At some point, Cisco and ISS lawyers claimed
that Michael's NDA with ISS prevented him from reporting information
he learned on the job about Cisco products, but arguing that Cisco
flaws are ISS confidential information is a real stretch.)
But what about the Cisco End User License Agreement that ships with
the router code? That's where things get interesting, and troubling
for Black Hat's future.
Almost every piece of software today comes with a click-through EULA
that purports to regulate how customers can use the product, including
a limitation on reverse engineering. Companies have argued that the
EULA has the exact same effect as an NDA -- essentially letting every
single customer in on a "secret" that they're legally obliged to
If courts adopt this view, instead of keeping insiders loyal,
trade-secret law can help companies force the public not to discuss
And if EULAs do confer trade-secret protection, that might mean
magazines, newspapers and conferences have a duty to screen
information to make sure it wasn't obtained by prohibited reverse
In a variety of cases, courts have held that the press has a right to
disseminate information of a public concern even if it was illegally
obtained. In the Pentagon Papers case, The New York Times battled the
Nixon White House over its right to publish a secret Department of
Defense report on U.S. involvement in Vietnam that had been leaked by
DOD employee Daniel Ellsberg. The Times won and the documents were
published, calling the government version of the nation's decision to
go to war into question.
In Barnicki v. Vopper, the Supreme Court said that a radio station
could not be sued for playing a tape of an illegally intercepted
telephone call between two union leaders involved in a matter of
public interest, even though it knew that the person who recorded the
call did so illegally, in violation of the Wiretap Act.
Those are good decisions. But one of the only cases that addressed the
issue of trade-secret publishers went the other way.
In a lawsuit filed by the DVD Copy Control Association against a
California man who posted the DeCSS DVD-decryption code on his
website, the California Supreme Court held that the First Amendment
doesn't mean courts can't stop people from publishing trade secrets
when the publisher knows or has reason to know that the information
was acquired by improper means.
That case is different from the Pentagon Papers case and Barnicki
because the court found that DeCSS wasn't a matter of public interest.
Of course, most security vulnerabilities are, especially those that
affect the machines that form the backbone of the internet.
Today, it's unclear how a court would rule in a trade-secret case
where Cisco sued ISS for violating the prohibition against reverse
The rule should be that EULAs don't make published information secret,
under any circumstance. The contrary would be dangerous for Black Hat,
Michael, future bug finders and computer security.
And while trade-secret law can prohibit accomplices and
co-conspirators from publishing stolen data, reporters who merely know
that information was improperly obtained should have a free-speech
right to publish -- especially if the information reaches a matter of
public interest, like the safety and security of the foundation of the
- - -
Jennifer Granick is executive director of the Stanford Law School
Center for Internet and Society, and teaches the Cyberlaw Clinic.
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.