"Chipmaker Sues To Silence Security Researchers,"

in the Netherlands. For my thoughts on the First Amendment and speech that reveals security breaches, see my Crime-Facilitating Speech (Stanford Law Review, 2005), though of course the legal analysis would apply only to U.S. lawsuits.

Dutch Court Denies Chipmaker's Request to Enjoin Academics' Publication of Security Flaws:

From The Industry Standard, apropos the story noted here July 11:

A Dutch court has denied a request from chipmaker NXP to prevent the publication of a scientific study of the security of the firm's Mifare Classic RFID technology....

The court ruled that freedom of speech outweighs NXP's commercial interests.... The judge ruled that limitations to the freedom of speech are allowed only if there is urgent and obvious threat to society. "This requires a balancing of interests," the court stated in a press release. "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."

The chipmaker has put out a paper supporting its position; an excerpt:
NXP welcomes any feedback about any privacy and security concerns related to its chips. NXP does have no concerns about so called "ethical hackers", who investigate our products and share with us their findings. This allows for assessment and correction of any security situation of our chips and the products and systems using our chips....

NXP has, however, concerns about unverified public communications regarding security and privacy of automated systems and its constituent components, and the potential harm to society as a result. This blurs public debate, harms public interests and often builds opinions on false grounds.

Anyone intending to publish any such information should in our view first verify:

1. whether the facts are accurate;
2. how the facts impact on the security or privacy of the system (in which our products are just an element) as a whole (and not just one element thereof);
3. the potentially harmful consequences to society of such information becoming publicly known.
4. the legality of their acts.

Legal concerns

Persons involved in hacking, breaking (or attempting to break) into automated systems or falsifying components of such systems should realize that:

* unauthorized possession of secret algorithms or ways to obtain secret keys can be a criminal offense;
* publishing an algorithm and secret keys used in an automated system is a criminal offense;
* publishing a secret algorithm or secret keys (or ways to obtain those) qualifies as a tort, resulting in liability for such person (and often its employer) for all resulting costs and damages.

The Standard article reports, by the way, that "The researchers with the University of Nijmegen had countered that they have allowed ample time for NXP to repair the issues. Karsten Nohl, a researcher with the University of Virginia previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007.... Nohl furthermore charges that NXP has wrongly trivialized the issues and recommends that the firm shifts focus to mitigating the problems instead of fighting security researchers."

Thanks to Martin Holterman for the pointer.

Related Posts (on one page):

  1. Dutch Court Denies Chipmaker's Request to Enjoin Academics' Publication of Security Flaws:
  2. "Chipmaker Sues To Silence Security Researchers,"