Abstract
Adversarial Machine Learning is booming with ML researchers increasinglytargeting commercial ML systems such as those used in Facebook, Tesla,Microsoft, IBM, Google to demonstrate vulnerabilities. In this paper, we ask,"What are the potential legal risks to adversarial ML researchers when theyattack ML systems?" Studying or testing the security of any operational systempotentially runs afoul the Computer Fraud and Abuse Act (CFAA), the primaryUnited States federal statute that creates liability for hacking. We claim thatAdversarial ML research is likely no different. Our analysis show that becausethere is a split in how CFAA is interpreted, aspects of adversarial ML attacks,such as model inversion, membership inference, model stealing, reprogrammingthe ML system and poisoning attacks, may be sanctioned in some jurisdictionsand not penalized in others. We conclude with an analysis predicting how the USSupreme Court may resolve some present inconsistencies in the CFAA'sapplication in Van Buren v. United States, an appeal expected to be decided in2021. We argue that the court is likely to adopt a narrow construction of theCFAA, and that this will actually lead to better adversarial ML securityoutcomes in the long term.