When Anti-Fraud Laws Become a Barrier to Computer Science Research

Computer science research sometimes brushes with the law, from red-team exercises that probe the boundaries of authentication mechanisms, to AI research processing copyrighted material, to platform research measuring the behavior of algorithms and users. U.S.-based computer security research is no stranger to the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) in a relationship that is still evolving through case law, research practices, changing policies, and legislation. Amid the landscape computer scientists, lawyers, and policymakers have learned to navigate, anti-fraud laws are a surprisingly under-examined challenge for computer science research. Fraud brings separate issues that are not addressed by the methods for navigating CFAA, DMCA, and Terms of Service that are more familiar in the computer security literature. Although anti-fraud laws have been discussed to a limited extent in older research on phishing attacks, modern computer science researchers are left with little guidance when it comes to navigating issues of deception outside the context of pure laboratory research. In this paper, we analyze and taxonomize the anti-fraud and deception issues that arise in several areas of computer science research. We find that, despite the lack of attention to these issues in the legal and computer science literature, issues of misrepresented identity or false information that could implicate anti-fraud laws are actually relevant to many methodologies used in computer science research, including penetration testing, web scraping, user studies, sock puppets, social engineering, auditing AI or socio-technical systems, and attacks on artificial intelligence. We especially highlight the importance of anti-fraud laws in two research fields of great policy importance: attacking or auditing AI systems, and research involving legal identification.