Towards a supportive legal environment for global cybersecurity: the case for a public interest defence in international legal instruments on cybercrime.

Security researchers play a crucial role in improving the security of information and network systems, by finding vulnerabilities which enable unauthorised access. Nevertheless, when working independently, without systems owners’ formal approval to hack, they face significant challenges under cybercrime legislations. Some have already been convicted for having committed unauthorised access. Slowly, national legal authorities start to confront the ‘chilling effect’ of cybercrime laws, but the emerging changes are fragmented and unsatisfactory. The same pattern of overreaching criminalisation and underwhelming consideration of the criminal law’s impact on security research underpins the international legal instruments on cybercrime, including the current proposals for a UN Convention on Cybercrime. In effect, calls for a safe harbour have emerged, but without details, as an aside to the clarification attempts of the technical, rather than legal, framework of vulnerability treatment. This chapter argues that these efforts are unlikely to yield any legal certainty for security researchers, since the technical and legal understandings of which searches would be or not authorised do not align. More importantly, the misalignment masks the real focus of the technical debates, which is on identifying the necessity and proportionality of vulnerability research activities. The criminal law best recognises these considerations, not in the structure of its offences, but in defining defences to legitimise otherwise illegal conducts. Therefore, to establish a legal environment effective in its support of global cybersecurity research, this chapter proposes to add a public interest defence to the computer-dependent offences. And in recognition of the global nature of security research, which calls for a harmonised protection of security researchers, the chapter argues for adding a public interest defence in the current and future cybercrime international instruments, namely: the Directive 2013/40/EU on attacks against information systems, the Convention on Cybercrime n. 185 which is currently the de facto international treaty on cybercrime ; and the future UN Convention on cybercrime currently discussed.