When Anti-Fraud Laws Become a Barrier to Computer Science Research

When Anti-Fraud Laws Become a Barrier to Computer Science Research

연구 분야: Strategies

학회: CSLAW '25: Proceedings of the 2025 Symposium on Computer Science and Law

Computer science research sometimes brushes with the law, from red-team exercises that probe the boundaries of authentication mechanisms, to AI research processing copyrighted material, to platform research measuring the behavior of algorithms and users. U.S.-based computer security research is no stranger to the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) in a relationship that is still evolving through case law, research practices, changing policies, and legislation. Amid the landscape computer scientists, lawyers, and policymakers have learned to navigate, anti-fraud laws are a surprisingly under-examined challenge for computer science research. Fraud brings separate issues that are not addressed by the methods for navigating CFAA, DMCA, and Terms of Service that are more familiar in the computer security literature. Although anti-fraud laws have been discussed to a limited extent in older research on phishing attacks, modern computer science researchers are left with little guidance when it comes to navigating issues of deception outside the context of pure laboratory research. In this paper, we analyze and taxonomize the anti-fraud and deception issues that arise in several areas of computer science research. We find that, despite the lack of attention to these issues in the legal and computer science literature, issues of misrepresented identity or false information that could implicate anti-fraud laws are actually relevant to many methodologies used in computer science research, including penetration testing, web scraping, user studies, sock puppets, social engineering, auditing AI or socio-technical systems, and attacks on artificial intelligence. We especially highlight the importance of anti-fraud laws in two particular research fields that are of great policy importance in the current moment: attacking or auditing AI systems, and research involving legal identification. Finally, guided by principles in research ethics, we suggest methods for computer scientists to navigate fraud and identity issues, as well as possible legal paths forward for policymakers to consider.