2 Fast 2 Legal: How the EFF helped a security researcher during DEF CON 32


This year, the EFF again sent a number of lawyers, technicians and activists to the summer security conferences in Las Vegas to promote support for the security research community. While we were at DEF CON 32, security researcher Dennis Giese received a cease and desist letter on a Thursday afternoon for his talk scheduled just hours later for Friday morning. EFF lawyers met with Dennis almost immediately, and on Sunday Dennis was able to give his talk. Here’s what happened, and why the fight for programmers’ rights is important.

Throughout the year, we receive numerous requests from security researchers who wish to report vulnerabilities or present technical exploits and want to understand the legal risks involved. This is where the EFF Coders’ Rights Project comes in, designed to help coders, tinkerers, and innovators who wish to responsibly research technologies and report on their findings. Our Coders’ Rights lawyers advise many of those who contact us on everything from mitigating legal risks in their talks to reporting the vulnerabilities they find to responding to legal threats. The number of requests often increases in the months leading up to “hacker summer camp,” but we usually have at least a couple of weeks to help and advise the researcher.

In this case, however, we had to complete our work within a very tight time frame.

Dennis is a prolific researcher who has presented his work at conferences around the world. At DEF CON, one of the talks he planned with a co-presenter was about digital locks, including those from the vendor Digilock. In the months leading up to the presentation, Dennis shared his findings with Digilock and attempted to discuss potential remedies. Digilock expressed interest in these discussions, so it was a surprise when the company sent him a cease-and-desist letter on the eve of the presentation, making a number of unsubstantiated legal claims.

Because we had attorneys on site at DEF CON, Dennis was able to contact EFF shortly after receiving the cease and desist letter, and we, along with former EFF attorney and current EFF special counsel Kurt Opsahl, agreed to represent him in his response to Digilock. Over the course of 48 hours, we were able to meet with Digilock’s attorneys and ultimately facilitate a productive conversation between Dennis and the company’s CEO.

Security researchers who act in good faith increase security for all of us.

To Digilock’s credit, the company agreed to withdraw the cease-and-desist letter and also provided Dennis with useful information about its plans to remediate the vulnerabilities discussed in his investigation.

With this additional information, Dennis was able to give the talk on Sunday, the last day of DEF CON.

We’re proud to have been able to help Dennis navigate the frightening situation of receiving last-minute legal threats, and we’re pleased he was ultimately able to give his talk. Security researchers like Dennis, acting in good faith, increase security for all of us who use digital devices. By identifying and disclosing vulnerabilities, hackers can improve security for every user who relies on information systems in their daily lives and at work. If we don’t know about security vulnerabilities, we won’t be able to fix them and build better computer systems in the future. Not only was Dennis’ research legal, it also highlighted real-world problems that the companies involved must address.

Just as important as discovering security vulnerabilities is reporting the findings so that users can protect themselves, vendors can avoid future vulnerabilities, and other security researchers can build on this information. When researchers publicly disclose these types of attacks and suggest mitigations, other companies that make similar devices can also benefit by fixing these vulnerabilities. By discovering and reporting their findings, security researchers like Dennis are helping to build a safer future for all of us.

But this incident reminds us that even good-faith hackers often face legal challenges designed to prevent them from publicly sharing the legitimate fruits of their labor. The Coders’ Rights Project is part of our longstanding work to protect researchers through legal advocacy, education, amicus curiae briefs, and community outreach. By doing so, we hope to encourage innovation and protect the rights of curious tinkerers and hackers everywhere.

We must continue to fight for the right to share this research that leads to greater security for all of us. If you are a security researcher who needs legal advice or has concerns before giving a talk, do not hesitate to contact us. If you would like to further support this work, please consider donating to the EFF.
