Guinchard, Audrey (2018) The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime. Journal of Information Rights, Policy and Practice, 2 (2). DOI https://doi.org/10.21039/irpandp.v2i2.36
Abstract
Despite the recent push towards security by design, most software and hardware on the market still includes numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of network and information systems, affecting millions of users, as acknowledged in 2016 by the UK Government in its Cybersecurity Strategy. Conversely, when security researchers find vulnerabilities and disclose them in a timely manner to vendors who supply the IT products or who provide a service dependent on the IT products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus significantly contribute to the fight against cybercrime and, more widely, to the management of digital security risk. However, in 2015, the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislation ‘can have a chilling effect’, with security researchers ‘discentivise[d]’ to find vulnerabilities. Taking stock of the significant, but substantially understudied, criminal law challenges that these security researchers face in the UK when working independently, without the vendors’ prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act, an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. This paper argues that a defence would allow security researchers, if prosecuted, to demonstrate that, contrary to criminal hackers, they acted in the public interest and proportionally.
Item Type: | Article |
---|---|
Additional Information: | Source info: 2017 Journal of Information Rights, Policy and Practice 2(2) 1 |
Uncontrolled Keywords: | cybercrime; cybersecurity; hacking; vulnerability research |
Subjects: | K Law > K Law (General); Q Science > QA Mathematics > QA76 Computer software |
Divisions: | Faculty of Humanities; Faculty of Humanities > Essex Law School |
SWORD Depositor: | Unnamed user with email elements@essex.ac.uk |
Depositing User: | Unnamed user with email elements@essex.ac.uk |
Date Deposited: | 16 Mar 2018 10:49 |
Last Modified: | 06 Jan 2022 14:51 |
URI: | http://repository.essex.ac.uk/id/eprint/21710 |
Available files
Filename: 36-230-1-PB-1.pdf
Licence: Creative Commons: Attribution 3.0