CyberUp presents four principles to keep security researchers out of jail for good-faith probing

Campaigners want a new code of practice alongside a proposed public interest defence for the Computer Misuse Act 1990, in the hope it will protect infosec pros from false threats of prosecution. The CyberUp campaign hopes the four principles it put forward this week will be used by judges to help decide whether accused …

  1. The Man Who Fell To Earth Silver badge

    some criminals do have certificates

    And so do an absolutely mind boggling number of pure idiots.

  2. Eclectic Man Silver badge

    Harm

    The issue of causing harm is tricky. The company could well claim reputational harm caused by revelation of a flaw or breach despite having been made aware of it and 'doing nothing' or taking too long to rectify the situation. Maybe the statement concerning harm could be amended to specify whether it was 'altering computer settings, stored data or changing how processes run' rather than publicity and reputational damage caused by publicity.

  3. Peter2 Silver badge

    This is the section of the Computer Misuse Act in question at present:

    https://www.legislation.gov.uk/ukpga/1990/18/section/1

    1. Unauthorised access to computer material.

    (1) A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured];

    (b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    Note that (a), (b) and (c) should be read as ANDed conditions.

    Thus anybody with a logical mind should see the obvious built-in defence here: if you have permission from somebody whom a reasonable person would believe is entitled to provide it, then you don't commit an offence under the Computer Misuse Act as it stands.

    Now from a sysadmin's perspective I don't see what the problem is with being required to obtain permission from the person owning the system that you're trying to hack.

    From a "security researchers" perspective I can see plenty of reasons why it would be convenient to be able to hack a system without obtaining permission or worrying about being prosecuted, but what I can't see is why the rest of the population should agree to change this principle.

    1. Yet Another Anonymous coward Silver badge

      Because the permission probably comes with a requirement not to tell anyone.

      And 'owner' gets complicated these days: what if you find a flaw in a client's Oracle install on AWS? Can Amazon and Oracle still sue you?

      1. Peter2 Silver badge

        Even if the permission came with a legal requirement not to tell anybody, it's still admissible in court as evidence. All you'd have to do would be to fill in the "not guilty" plea and attach the letter to the form that you get with your summons to court. Only the judge or magistrate would see it, following which they'd suggest to the prosecution that the case couldn't proceed unless they are able to prove that said letter is a fake.

        Searching for a couple of seconds shows that both Oracle and Amazon allow penetration testing within reasonable limits, subject to reasonable restrictions such as "you shouldn't try and access other customers' data" and "you have to tell us if you find anything", which are not exactly onerous requirements, so I'm not sure why this would be a major issue, or for that matter how or why it would be covered by the proposed "public interest" defence.

    2. the spectacularly refined chap

      Thus anybody with a logical mind should see the obvious built-in defence here: if you have permission from somebody whom a reasonable person would believe is entitled to provide it, then you don't commit an offence under the Computer Misuse Act as it stands.

      Absolutely. Whenever I read of these complaints that the CMA is outdated, it is always from the same set of security researchers beginning from the foundational principle that they have a god-given right to test any random system without consent to satisfy their own curiosity.

      I've said it before here: if you returned to your home to find someone probing your front door with lock picks, you would not accept "I'm just seeing how secure the lock is" as an explanation. They'd get a good kicking and then you'd call the police. Why should it be any different online?

      If you have consent you can do whatever tests you like. If you don't you keep your hands off. The reports that this effectively outlaws are those of the form "We scanned X thousand systems and found Y thousand with this vulnerability", but those should be read as "We attempted to illegally hack X thousand systems". Those reports are always of questionable value in any case, since there is no context known of the systems or what they hold and protect.

      Undoubtedly the CMA could do with some updating to reflect the mass interconnectivity of today that was not true of 1990. Some form of implied consent is justified, so just as in the real world you are not guilty of trespass if you go up to someone's door and ring the bell it should be codified you don't need permission to e.g. say "is that domain running a webserver that tells me about it?" However, that should be restricted to access types and protocols generally used on the public facing internet. Actively probing for vulnerabilities or attempting to bypass access restrictions should remain a no-no, security "researchers" be damned.

  4. Frank Thynne

    Does Software Testing risk prosecution?

    Good software testing should include attempts to "break" a product, as this frequently reveals flaws which, if not fixed, provide opportunities for criminal activity.

    How can we test software before releasing it for public sale? Once a product is released, it will be difficult for testers to establish a defence under the Computer Misuse Act. It would require testing and confidential reporting to be limited to registered testers and the authors of unqualified software, and so would prohibit the sale of unqualified products.

    The current situation in which there is no obligation for software to be scrutinised and tested is not tenable. Regulation of new products is urgently needed as is the continued use of software known to contain criminally-exploitable flaws.

    The present incidence and frequency of corrections to released software reveals risks in its continued use.

  5. Anonymous Coward

    NCC ?!?!?!?

    Are NCC producing cheat sheets for the civil servants and parliamentarians to help get the legislation passed?

    Is there any amendment proposed that makes any organisation that deliberately makes its staff cheat exams, so that a) unqualified people are advising others about security and b) they are charging for consultancy at rates for qualified consultants while using consultants who have cheated to get their qualifications, ineligible to put forward any sort of legislative proposal?

    Just asking...

  6. Cederic Silver badge

    Mixed feelings on this

    I don't want a competent security expert to hack into my system with the intent of resolving what they believe to be a security issue and have protection under the law because they thought they were enacting a public good.

    I want them prosecuted for not contacting me first and asking my permission. I don't know them, I don't trust them, I can't legally allow them access to data I hold and I already have security professionals that can do that job for me.

    So the legislation needs to be very cautious about providing a statutory defence, because the moment I spot them attempting to access my systems without authorisation, the statutory defence gives me carte blanche to retaliate, and why would I do anything less than a full on assault on them?

    1. This post has been deleted by its author

    2. Frank Thynne

      Re: Mixed feelings on this

      I understand and agree with Cederic's concerns.

      In my opinion unauthorised use can defeat a statutory defence. A user who buys or licenses and installs software on his own system becomes its owner. Only the owner can authorise its experimental use, and his permission must be sought and recorded.

      However, the owner must grant permission to an individual if the individual has a lawful purpose such as verifying that his personal data is not unlawfully held and protected. There would also be a need to provide permission to law-enforcement bodies which is another can of worms to consider.

      To carry out testing of a software product the tester must install it on his own system and share discovered errors with the seller privately. The use of public bug reporting is a matter of practice to be discussed elsewhere.

      Regrettably, I cannot agree with retaliation as a remedy, tempting though it would be!
