Security companies and institutes have a hard time doing their research nowadays. A lawsuit could be filed against them by the “victim” firm or even worse, they could be even criminally indicted if their white-hat hacking violates the Computer Fraud and Abuse Act. However, the biggest threat to researchers are subpoenas, which could be filed against them by law enforcement authorities.
Subpoenas could be used by authorities against security researchers to obtain the data of a research (that is usually in the works) and use it for criminal investigation purposes.
In the recent case of Brian Farrell, an alleged staff member of the now defunct Silk Road 2 marketplace, it was confirmed that the FBI was able to bypass the security of the Tor Network and acquire the IP addresses of around 1000 individuals around the world (including Farrell’s). The alleged Silk Road 2 staff member’s IP address was obtained through a subpoena, which forced Carnegie Mellon University (CMU) to give out all the information of their research of the Tor Network to the law enforcement authorities.
The CMU case should serve as a warning sign to security researchers: federal agencies can easily force firms to provide them all data of