EFF looks to protect developers from legal threats

The Electronic Frontier Foundation has launched the Coders' Rights Project at the annual Black Hat conference in Las Vegas, aiming to give protection to those developers who may be hindered in their research by threats of legal action.

Most of the group's work seems focused on protecting researchers' rights to reverse engineer software to see how it operates, as well as continuing to allow security researchers to publicize vulnerabilities in today's software.

The EFF claims that legal threats to those working in both areas are hindering legitimate security and encryption research. It blames abuse of the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act for these threats by companies.

Under the Coders' Rights Project, work to continue limiting the use of either law would be pursued, and it will publish a best practices document on the project's Web site to guide developers in how to reduce their legal risks when working in either area.

"Those of us doing research on computer security and privacy need to be able to discuss and publish our work without fear of legal threats," EFF Board Member and security researcher Edward Felten said.

For example, under the reverse engineering FAQ, the group advises that disclosing information about non-disclosure agreements concerning contractual code is the most legally risky, as well as bypassing protection measures that protect the code, or copy it into another program.

In the vulnerability reporting FAQ, the EFF suggests that researchers do not make reports detailed, or include proof-of-concept code. It also reminds those working in the field that there are no "whistleblower" protections for those who discover flaws.

Officials hope that the Coders' Rights Project will eventually be able to make the definitions of what constitutes a computer crime more narrow, and limit the power of EULAs to allow for reverse engineering and a consumers "right to tinker."