oct
24
2012

The growing trade in software security exploits: free speech or cyber-weapons in need of regulation?

Christopher Soghoian, Principal Technologist & Senior Policy Analyst, American Civil Liberties Union

Wednesday, October 24, 12:00pm
Harvard Law School, Wasserstein Hall, Room 2012
RSVP required for those attending in person via the form below
This event is co-sponsored by the HLS Journal of Law and Technology

Over the past year, the public has started to learn about the shadowy trade in software security exploits. Rather than disclosing these flaws to software vendors like Google and Microsoft who will then fix them, security researchers can now sell them for six figures to governments who then use them for interception, espionage and cyber war.

These flaws are only useful for their intended purpose if software vendors remain in the dark about them, and if fixes never reach the general public. As such, the very existence of government stockpiles of software security flaws, whether for law enforcement, espionage or military operations means that government agencies are exposing consumers, businesses and other government agencies to exploitable security flaws which could otherwise be fixed.

What should be done, if anything, about this part of the security industry? Are researchers who sell exploits simply engaging in legitimate free speech that should be protected? Or, are they engaging in the sale of digital arms in a global market that should be regulated?

About Chris

Chris Sogohian is the Principal Technologist and a Senior Policy Analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union. He is also a Visiting Fellow at Yale Law School's Information Society Project. He is based in Washington, D.C.

Soghoian completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers. In order to gather data, he has made extensive use of the Freedom of Information Act, sued the Department of Justice pro se, and used several other investigative research methods. His research has appeared in publications including the Berkeley Technology Law Journal and been cited by several federal courts, including the 9th Circuit Court of Appeals.

Between 2009 and 2010, he was the first ever in-house technologist at the Federal Trade Commission (FTC)'s Division of Privacy and Identity Protection, where he worked on investigations of Facebook, Twitter, MySpace and Netflix. Prior to joining the FTC, he co-created the Do Not Track privacy anti-tracking mechanism now adopted by all of the major web browsers.

---

Chris is a former fellow here at the Berkman Center.  Curious about our fellowship program?  We're currently accepting applications for the 2013-2014 year.  Learn more here.