
Transforming the Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.

Guinchard, A (2018) 'Transforming the Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.' Journal of Information Rights, Policy and Practice, 2 (2). ISSN 2398-5437

36-230-1-PB-1.pdf - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Abstract

Despite the recent push towards security by design, most software and hardware on the market still contains numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of networked and information systems and affect millions of users, as the UK Government acknowledged in its 2016 Cyber Security Strategy. Conversely, when security researchers find vulnerabilities and disclose them in a timely manner to the vendors who supply the IT products, or who provide a service dependent on those products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus contribute significantly to the fight against cybercrime and, more widely, to the management of digital security risk. However, in 2015 the European Network and Information Security Agency (ENISA) concluded that the threat of prosecution under EU and US computer misuse legislation 'can have a chilling effect', with security researchers 'discentivise[d]' from finding vulnerabilities. Taking stock of the significant, but substantially understudied, criminal law challenges that security researchers face in the UK when working independently, without the vendors' prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act 1990, a solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged before the Act was passed. The paper argues that such a defence would allow security researchers, if prosecuted, to demonstrate that, unlike criminal hackers, they acted in the public interest and proportionately.

Item Type: Article
Uncontrolled Keywords: cybercrime, cybersecurity, hacking, vulnerability research
Subjects: K Law > K Law (General)
Q Science > QA Mathematics > QA76 Computer software
Divisions: Faculty of Humanities > Law, School of
Depositing User: Elements
Date Deposited: 16 Mar 2018 10:49
Last Modified: 16 Mar 2018 10:49
URI: http://repository.essex.ac.uk/id/eprint/21710
