Module: 02b — Zero-Day Markets, Export Controls, and Commercial Spyware: The Legal Framework for Offensive Security Commodities
Difficulty: advanced


Questions

Q1. Under current U.S. federal law, which statute directly and explicitly prohibits the sale of a software zero-day vulnerability?

  • A) 18 U.S.C. § 1030(a)(6) — trafficking in passwords or similar information
  • B) 18 U.S.C. § 2512(1)(b) — manufacturing or selling an interception device
  • C) 15 C.F.R. Parts 730-774 — the Export Administration Regulations
  • D) No federal statute explicitly prohibits the sale of a zero-day vulnerability

Correct answer: D Explanation: No federal statute explicitly prohibits selling a software vulnerability or an exploit for it. CFAA § 1030(a)(6) reaches trafficking in passwords and "similar information through which a computer may be accessed without authorization", and courts have not extended it to vulnerabilities themselves. Legality instead turns on the surrounding facts: a sale can become a CFAA conspiracy or aiding-and-abetting problem if the seller knows the buyer will use it for unauthorized access, an export-licensing problem if the buyer is abroad or on the BIS Entity List and the item or technology is controlled under the EAR, and a sanctions problem if the buyer is blocked by OFAC. What the tool does (a proof of concept versus a weaponized delivery framework) also drives the export classification.


Q2. Under the Export Administration Regulations (EAR), as amended by the BIS cybersecurity items rule that took effect in 2022, which Export Control Classification Number (ECCN) controls software specially designed or modified for the generation, command and control, or delivery of "intrusion software"?

  • A) ECCN 4E001
  • B) ECCN 4D004
  • C) ECCN 5A001
  • D) ECCN 0A919

Correct answer: B Explanation: "Intrusion software" is a defined term in 15 C.F.R. Part 772 (software specially designed or modified to avoid detection by monitoring tools or to defeat protective countermeasures, and that extracts or modifies data or modifies the standard execution path to run externally provided instructions), but the intrusion software itself is not a controlled item. What BIS controls is the tooling around it: ECCN 4A005 covers systems and equipment specially designed for the generation, command and control, or delivery of intrusion software; ECCN 4D004 covers software for the same purposes; and ECCN 4E001.c covers technology for the development of intrusion software. Two practitioner caveats: the note to 4E001.c excludes "vulnerability disclosure" and "cyber incident response" from control, and License Exception ACE (Authorized Cybersecurity Exports, 15 C.F.R. § 740.22) authorizes many transfers without a license, with exclusions for certain destinations and for government end users in countries of concern.


Q3. What is a "deemed export" under the EAR, and why is it relevant to zero-day researchers?

  • A) A re-export of a controlled item through a third country to reach a sanctioned end-user
  • B) Electronic transmission of controlled technology to a foreign national, even if that person is physically located in the United States
  • C) The act of publishing technical details of a vulnerability in an academic paper accessible to foreign nationals
  • D) A retroactive export classification applied when an item is later found to have military applications

Correct answer: B Explanation: Under 15 C.F.R. § 734.13(b), releasing controlled technology or source code to a foreign person inside the United States is "deemed" an export to that person's most recent country of citizenship or permanent residency. "Release" is broader than e-mail: visual inspection, an oral walkthrough, or access to a shared repository all count. A researcher who explains development technology for an intrusion-software delivery framework (ECCN 4E001.c) to a foreign-national colleague, or hands over the source code of 4D004 software, may need a BIS license or must fit License Exception ACE, even though nobody left the building. Two caveats matter in practice: technology that has been published (a public advisory, paper, or conference talk, 15 C.F.R. § 734.7) is not subject to the EAR, which is why option C is wrong, and the note to 4E001.c excludes vulnerability disclosure and cyber incident response from control.


Q4. On what date and basis did BIS add NSO Group and Candiru to the Entity List?

  • A) March 15, 2019 — following the first documented Pegasus deployment against a U.S. journalist
  • B) November 3, 2021 — based on findings that they supplied spyware to foreign governments that targeted officials, journalists, activists, and embassy workers
  • C) January 6, 2022 — following U.S. State Department designation of NSO Group as a national security threat
  • D) June 7, 2021 — concurrent with the Colonial Pipeline ransom recovery announcement

Correct answer: B Explanation: BIS added NSO Group Technologies and Candiru to the Entity List on November 3, 2021, alongside Positive Technologies (Russia) and Computer Security Initiative Consultancy (Singapore). The stated basis was that these companies supplied spyware to foreign governments used to maliciously target government officials, journalists, activists, and embassy workers.


Q5. In WhatsApp LLC v. NSO Group, what was the court's ruling on NSO Group's foreign sovereign immunity defense, and what was the significance of the December 2024 summary judgment?

  • A) The court granted FSIA immunity because NSO Group was acting as a formally designated agent of the Israeli government; the 2024 ruling was vacated on appeal.
  • B) FSIA immunity was rejected because it applies only to foreign states and their instrumentalities — not private companies; the December 2024 summary judgment was the first time a commercial spyware vendor was held liable under CFAA.
  • C) The court applied FSIA immunity to NSO Group's government-directed operations but denied immunity for commercial deployments; the 2024 ruling established a damages multiplier for spyware cases.
  • D) The Ninth Circuit granted immunity under FSIA, but the Supreme Court reversed in 2024, holding that private spyware vendors are always subject to CFAA liability.

Correct answer: B Explanation: NSO Group argued it should share the immunity of its foreign government customers because it acted as their agent. The district court (N.D. Cal., 2020) and the Ninth Circuit (2021) rejected that defense: the Foreign Sovereign Immunities Act applies to foreign states and their agencies and instrumentalities as defined in 28 U.S.C. § 1603, which a privately owned Israeli company does not satisfy, and the Ninth Circuit held that the FSIA's comprehensive scheme leaves no room for a common-law immunity for private entities. The Supreme Court denied certiorari in January 2023 (not 2024). On December 20, 2024, the district court granted WhatsApp summary judgment on liability, finding that NSO's delivery of Pegasus through WhatsApp's servers was unauthorized access under the CFAA and California's CDAFA and a breach of WhatsApp's terms of service. This was the first time a commercial spyware vendor was held civilly liable under the CFAA; damages were left for trial.


Q6. Which provision of the Federal Wiretap Act (18 U.S.C. §§ 2510-2523) applies to the manufacture and sale of stalkerware, and what is the maximum sentence?

  • A) § 2511(1)(a) — intentional interception of wire communications; up to 10 years
  • B) § 2512(1)(b) — manufacturing, assembling, possessing, or selling a device knowing it is primarily useful for surreptitious interception; up to 5 years per count
  • C) § 2511(2)(d) — consent exception; stalkerware is legal when one party consents to interception
  • D) § 2511(3)(a) — radio communication interception; up to 2 years for consumer devices

Correct answer: B Explanation: The device provision is § 2512(1)(b), not § 2511; § 2511 covers the interception itself. Section 2512(1)(b) prohibits manufacturing, assembling, possessing, or selling any electronic, mechanical, or other device "knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications". The maximum sentence is five years per count. This is the statute used in the 2014 StealthGenie prosecution (United States v. Akbar, E.D. Va.), the first criminal case against a commercial stalkerware vendor. Icon hiding, a stealth mode, and marketing aimed at covertly monitoring partners are the evidence that a product is "primarily useful" for surreptitious interception; a terms-of-service notice telling buyers to monitor only devices they own does not change the design.


Q7. In the FTC's 2021 action against SpyFone and its parent Support King, LLC, what legal authority did the FTC use, and why did it not need to prove a criminal Wiretap Act violation?

  • A) The FTC relied on COPPA violations because SpyFone's targets included minors; criminal violations were not required because civil penalties are automatic under COPPA.
  • B) The FTC used Section 5 of the FTC Act — unfair or deceptive acts or practices — to reach SpyFone's secret surveillance and insecure data storage without needing to prove criminal Wiretap Act violation.
  • C) The FTC used HIPAA enforcement authority because SpyFone collected health location data; civil penalties under HIPAA do not require criminal intent.
  • D) The FTC relied on the Electronic Funds Transfer Act because SpyFone collected financial account information without authorization.

Correct answer: B Explanation: The FTC proceeded under Section 5 of the FTC Act (15 U.S.C. § 45), alleging that selling an app that secretly harvested location, messages, and browsing data was an unfair practice, and that SpyFone's claims of secure storage were deceptive after an exposed server left victims' data accessible. Section 5 is a civil authority, so the FTC did not need to prove a § 2512 violation or criminal intent. The order banned Support King and its CEO from the surveillance business, required deletion of all illegally collected data, and required notifying the owners of devices on which the app had been installed. It was the FTC's first order barring a stalkerware vendor from the industry; its first stalkerware case, against Retina-X Studios in 2019, had ended in a settlement without such a ban.


Q8. What is the NOBUS doctrine, and what event demonstrated its catastrophic failure?

  • A) "No Breach Unless Severe" — NSA's risk threshold requiring a CVSS score above 9.0 before retaining a vulnerability; proven wrong by the Heartbleed disclosure
  • B) "Nobody But Us" — NSA's assessment that only NSA could realistically exploit a retained vulnerability; proven catastrophically wrong when the Shadow Brokers published NSA's arsenal including EternalBlue, which was weaponized in WannaCry and NotPetya
  • C) "Non-Obligatory Bug Upgrade System" — DHS's framework for prioritizing government-retained vulnerabilities; failed during the SolarWinds compromise
  • D) "National Operations Baseline for Unified Security" — a CYBERCOM doctrine for offensive operation authorization; invalidated by the 2016 election interference disclosures

Correct answer: B Explanation: NOBUS, "Nobody But Us", was the NSA's justification for retaining a vulnerability rather than disclosing it: if exploiting it required capabilities only the NSA possessed, the risk that an adversary would find and use the same bug was judged acceptable. The Shadow Brokers leaks (August 2016 through April 2017) published NSA exploit tooling, including EternalBlue (the SMBv1 flaw patched by MS17-010), which was weaponized in WannaCry in May 2017 (estimated $4-8B in damages) and NotPetya in June 2017 (roughly $10B). The doctrine failed because the adversary did not need NSA-class capability to find the bug; it only needed to steal the finished exploit. A second lesson for defenders: Microsoft shipped MS17-010 in March 2017, a month before the leak, so EternalBlue propagation only reached systems missing that patch. The episode also drove the November 2017 re-charter of the Vulnerabilities Equities Process (VEP).


Q9. Under DMCA § 1201, what is the critical limitation of the § 1201(j) security research exemption?

  • A) The exemption expires after 90 days unless the researcher submits a report to the Copyright Office.
  • B) The exemption applies only to researchers employed by NIST-certified institutions.
  • C) The exemption covers the act of circumvention for research purposes but does not extend to the anti-trafficking provision — a researcher who distributes the circumvention tool may still face § 1201 trafficking liability.
  • D) The exemption requires the researcher to obtain written authorization from the device manufacturer before any circumvention is attempted.

Correct answer: C Explanation: Two research exemptions exist, and neither cleanly covers distributing a tool. The statutory exemption in § 1201(j) permits "security testing" only with the authorization of the owner or operator of the computer system, and its tool provision, § 1201(j)(4), protects developing or distributing technological means only when they are used "for the sole purpose" of such testing and "do not otherwise violate" § 1201(a)(2); it does not reach § 1201(b) at all. The broader good-faith security research exemption granted by the Librarian of Congress in the triennial rulemaking (37 C.F.R. § 201.40) is limited by statute (§ 1201(a)(1)(C)) to the act of circumvention under § 1201(a)(1)(A); the Librarian has no authority to exempt trafficking under § 1201(a)(2) or § 1201(b)(1). In practice, a researcher whose own circumvention is exempt can still face trafficking liability for publishing the circumvention tool.


Q10. What was Harold Martin's sentence in United States v. Harold T. Martin III, and under what statute was he convicted?

  • A) 5 years; convicted under the Computer Fraud and Abuse Act for unauthorized retention of NSA hacking tools
  • B) 9 years; pleaded guilty to willful retention of national defense information under 18 U.S.C. § 793(e) of the Espionage Act
  • C) 15 years; convicted under the Export Control Reform Act for unlicensed transfer of classified intrusion software
  • D) 12 years; convicted of computer sabotage and espionage conspiracy under 18 U.S.C. §§ 1030 and 794

Correct answer: B Explanation: Harold Martin, an NSA contractor employed by Booz Allen Hamilton, was sentenced in July 2019 to nine years in federal prison after pleading guilty to one count of willful retention of national defense information under 18 U.S.C. § 793(e). Investigators recovered roughly 50 terabytes of material from his home, car, and a shed on the property, including NSA hacking tools and exploit code, and he had been indicted on 20 counts of retention. The government never alleged that he transmitted anything, and no link to the Shadow Brokers was established; § 793(e) criminalizes unauthorized retention alone, so neither proof of transmission nor intent to harm the United States was required.


Quiz for Module 02b — LawZeee | Generated 2026-04-17