Posted: May 24, 2024
In the digital age, understanding cybersecurity law is crucial for law students aspiring to navigate the complex landscape of legal issues surrounding technology. One of the most effective ways to grasp the intricacies of cybersecurity law is through hands-on learning. A website I developed in conjunction with Nate Vogel and Jonathan Pyle introduces a unique educational approach in which law students, under the guidance of their professor, engage in a controlled exploration of a website with multiple security vulnerabilities. This practical exercise will help students identify and understand the legal boundaries of hacking and cybersecurity.
The website used for this exercise is a specially designed platform with intentional security flaws. It is important to note that this environment is legal and controlled, created specifically for educational purposes. The vulnerabilities range from hidden information in the HTML to more complex exploits like JavaScript injection and bypassing paywalls. The website has several subsites that replicate types of legal websites, such as a faux case lookup site that a court might host and an attorney blog site. The vulnerabilities in the website are based on real-world cybersecurity legal cases. This allows the students to read the actual cases, recreate the hacker's actions, and determine whether they agree with the application of the law.
The class analyzes a number of questions that have become increasingly relevant. For instance, when does web scraping become "hacking"? Is bypassing a paywall to read an article "hacking"? Does it matter how you bypass the paywall? While the class looks at the most common "hacking" statutes, like the Computer Fraud and Abuse Act (CFAA), it also looks at other, less obvious tools that have been used to stop "hackers", like the Digital Millennium Copyright Act (DMCA). Throughout the class there is a mix of case law analysis and practical technical hacking exercises that explore exactly what the "hacker" was actually doing.
While the website contains too many exploits to host publicly, the code is public and anyone can spin up a walled-off version of the website for their specific class. The GitHub repository is https://github.com/MatthewExpungement/hacking4lawyers. Please consider contributing if you have any ideas.