The primary legal obstacles to conducting cybersecurity are not outright prohibitions but rather the difficulty of determining which of a large set of complex statutes might regulate a given research project. Privacy, computer abuse, tort, and contract law are all potentially applicable. Moreover, even when the law permits a research activity, researchers may wonder whether it is ethically permissible. This paper seeks to clarify these issues by explaining the areas of law that are most generally applicable to cybersecurity researchers and offering guidelines for evaluating ethical issues that arise in this area of research.
Aaron J. Burstein