DerbyCon – Security vendors are inserting language into their products’ terms and conditions that attempts to silence critics, folks attending this year’s DerbyCon conference were told on Friday.
More and more infosec software makers now include legal language in their T&Cs insisting that their products cannot be tested for usefulness if the results are going to be published. Effectively, the developers are trying to ban negative reviews from emerging online. Some publishers even specify a fine – up to $25,000 in some cases – if someone speaks out in public about a product’s failings and weaknesses.
“We have a lot of vendors acting like bullies,” said John Strand, founder of Black Hills Information Security, during his DerbyCon keynote. “Researchers are terrified that they are going to get sued. As a result most of the analysis of products you see is either from the vendor or vendor-approved.”
The classic case of this came earlier this year, when CrowdStrike went to court to prevent software scrutineers NSS Labs from publishing a review of the security biz’s Falcon endpoint protection system. The case provides much hope for hackers and testers, Strand said.
Ultimately, the Delaware district judge overseeing CrowdStrike’s lawsuit ruled against [PDF] the Falcon slinger on a number of grounds. Most important for the hacking community is that the security shop’s terms and conditions banning criticism were made illegal nearly a year before.
In 2016, US Congress passed the Consumer Review Fairness Act after it was introduced by Representative Leonard Lance (R-NJ). The text of the legislation explicitly bans gagging orders for product reviewers and testers, or imposing fines for comments because such opinion is in the public interest.
The bill was introduced after businesses began suing people who left bad reviews online, and it has been enormously helpful for those interested in information security. It provides solid legal protection for those who test products and find them wanting.
There is a potential loophole for biz bullies: the Electronic Frontier Foundation warns that some outfits are trying to use the Digital Millennium Copyright Act to silence such reviews, but so far the courts have sided with consumers and testers.