Research Repository

The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.

Guinchard, Audrey (2018) 'The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.' Journal of Information Rights, Policy and Practice, 2 (2). ISSN 2398-5437

36-230-1-PB-1.pdf - Published Version
Available under License Creative Commons Attribution.


Despite the recent push towards security by design, most software and hardware on the market still includes numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of network and information systems, affecting millions of users, as the UK Government acknowledged in its 2016 Cybersecurity Strategy. Conversely, when security researchers find vulnerabilities and disclose them in a timely manner to the vendors who supply the IT products, or who provide a service dependent on those products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus contribute significantly to the fight against cybercrime and, more widely, to the management of digital security risk. However, in 2015, the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislation ‘can have a chilling effect’, with security researchers ‘discentivise[d]’ to find vulnerabilities. Taking stock of the significant, but substantially understudied, criminal law challenges that security researchers face in the UK when working independently, without the vendors’ prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act, an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. The paper argues that such a defence would allow security researchers, if prosecuted, to demonstrate that, unlike criminal hackers, they acted in the public interest and proportionately.

Item Type: Article
Additional Information: Source info: 2017 Journal of Information Rights, Policy and Practice 2(2) 1
Uncontrolled Keywords: cybercrime; cybersecurity; hacking; vulnerability research
Subjects: K Law > K Law (General)
Q Science > QA Mathematics > QA76 Computer software
Divisions: Faculty of Humanities
Faculty of Humanities > Law, School of
SWORD Depositor: Elements
Depositing User: Elements
Date Deposited: 16 Mar 2018 10:49
Last Modified: 06 Jan 2022 14:51
