
Above the Parapets: The Chilling Effect Finally Has Receipts

The first qualitative study of researchers' lived experiences of legal risk: Sunoo Park and Daniel R. Thomas (USENIX Security 2026) on how overbroad anti-hacking law chills good-faith security research — and why it names disclose.io as part of the fix.

For years, the case against overbroad anti-hacking law has rested on anecdotes. The talk that got pulled. The disclosure that never happened. The grad student who quietly picked a safer thesis. Anecdotes move some people. Evidence moves more — and as the authors of a new study put it, "empirical evidence can be essential for reform."

That study does the hard, unglamorous work of gathering the evidence. "Sticking their heads out above the parapets": Lived Experiences of Legal Risks in Research, by Sunoo Park (NYU) and Daniel R. Thomas (University of Strathclyde), is the first qualitative study built specifically around researchers' lived experiences of legal risk. It's headed to USENIX Security 2026.

The scope is what makes it land. Park and Thomas interviewed 36 researchers across the US and UK who had personally navigated legal risk — walking through 130 distinct projects and incidents spanning more than three decades — plus 8 professionals who support researchers in legal trouble and have, between them, helped hundreds (some, thousands). Fifty-four hours of interviews, conducted between November 2024 and January 2026.

The throughline is the argument we've been making at disclose.io for years: the US Computer Fraud and Abuse Act and the UK Computer Misuse Act don't cleanly separate malicious hacking from good-faith research. So the people who find and fix vulnerabilities — or who hold powerful platforms accountable — carry real legal risk for doing public-interest work. As one participant put it: "Researchers publish their results; bad actors don't. Because they publish their results, researchers effectively stick their heads out above the parapets in terms of legal liability."

What they found

  • The chilling effect is real, and it's documented. Researchers described abandoning projects, pulling talks, and suppressing results because of legal risk. "[The risk] makes my life painful and it drives me away from [this research area]." "I just bowed and pulled the talk, simple as that."
  • "Stockpiling" is happening at scale. Researchers afraid to disclose are simply keeping the vulnerabilities they find — which turns them into targets. Three described being approached with "life-changing money" for their stockpiles and their silence, sometimes by parties they couldn't identify. The authors frame this squarely as a national-security problem, sharpened by adversarial states buying access and bugs.
  • The human toll is severe. Lost weight, sleepless nights, lost jobs — and, for more than one participant, criminal conviction and incarceration (later overturned). This is the part the "factual, technical" framing usually hides.
  • Vulnerability research carries the longest history of legal risk; social computing is where it's getting worse, tracking a rise in politically motivated threats to platform-accountability research.
  • Your own lawyer helps; relying on your institution is a coin flip. Researchers who hired their own counsel reported overwhelmingly positive experiences; institutional support was "highly variable."

The calls to action

For researchers, three things you can do unilaterally:

  1. Think through legal risk early — ideally a brief attorney consult before you start, not after the letter arrives.
  2. Map the incentives. Expect that the other side often runs a PR strategy; be ready to counter the narrative about why the work matters.
  3. Build a support network of trusted colleagues and lawyers before you need one.

And then: watch your stockpiles, and — if you can — tell your story.

For everyone else, the paper is refreshingly specific:

  • Companies: stop threatening good-faith researchers; set up real contact methods that aren't buried in contractual conditions; and — named directly in the paper — "leverage support and expertise from existing organisations like disclose.io, HackerOne, or CyberUp." Consider a voluntary pledge not to threaten good-faith research.
  • Academic institutions: actually defend academic freedom, and don't "obey in advance."
  • Conferences: adopt explicit policies that separate law from ethics, and stop acting as enforcers of any jurisdiction's law.
  • Law enforcement: exercise prosecutorial discretion for good-faith researchers and put non-pursuit policies in writing — the 2022 DOJ charging policy is the model to build on.
  • Governments: raise awareness, support disclosure intermediation, and recognize — per the Vulnerabilities Equities Process — that a rising risk of adversary discovery should tilt the balance toward getting vulnerabilities fixed.

Why this matters right now

The authors don't pretend this is academic. They connect it to the moment: tools like Anthropic's Claude Mythos have made vulnerability discovery dramatically faster and more scalable — Anthropic reported finding 1,596 vulnerabilities across 281 open-source projects, with only 97 patched at the time of writing. When discovery accelerates, hostility toward the people reporting findings becomes a direct security liability.

And the reform window is open. The UK committed in late 2025 to revise the CMA. The DMCA's research exemptions have strengthened over time. Van Buren narrowed the CFAA in 2021. Advocacy — amicus briefs, Copyright Office comments, the CyberUp Coalition — has demonstrably moved the needle. The authors' ask is blunt: "We encourage readers to consider getting involved."

Go read it — and go see the talk

This is the evidence base our community has been missing, and exactly the kind of work that makes reform arguments land in rooms full of policymakers. Read the paper on IACR ePrint, and catch Park and Thomas presenting it at USENIX Security 2026.

If you're a researcher sticking your head above the parapet: you're not the only one up there, and there are people whose job is to help.