CODE BLUE (29-30 October 2020) is an international conference where the world’s top information security specialists gather to give cutting edge talks, and is a place for all participants to exchange information and interact beyond borders and languages. As technology and society move forward and IoT (Internet of Things) is becoming a reality, security is increasingly becoming an urgent issue. The Internet world also needs to gather researchers to collaborate and think together about ways to respond to emergency situations, and come up with possible solutions. CODE BLUE aims to be a place where international connections and communities form and grow, and will contribute to a better Internet world by connecting people through CODE (technology), beyond and across the BLUE (oceans).
This year, Dr Audrey Guinchard (Senior Lecturer in Law, University of Essex) gave a keynote on ‘Reforming cybercrime legislations to support vulnerability research: the UK experience and beyond’.
Cybercrime legislations – or hacking laws- tend to be notoriously broad, resting on a set of assumptions about what ‘unauthorised access’ means, assumptions which hardly match those of the technical or ethical fields. The result is that the offences of unauthorised access and misuse of tools have the potential to criminalise most aspects of legitimate vulnerability research (discovery, proof of concept, disclosure). Independent security researchers are notably at risk of criminal prosecution as they work, by definition, without vendors’ prior authorisation.
The UK is a particular case in point, having drafted its original Computer Misuse Act 1990 in such a way that even switching a computer on can constitute unauthorised access. Further reforms in 2006 and 2015 have expanded even more the scope of the legislation by modifying or adding other offences as broad in scope as the original ones. While the UK is in that respect an outlier, the EU Directive 2013/40/EU on attacks against information systems as well as the Convention on cybercrime n.185 (which is de facto the international treaty) are not without their own weaknesses, despite serious and effective efforts to restrict the scope of criminal law and protect security researchers.
Prosecution guidelines or a memorandum of understanding between the security industry and prosecutorial authorities are a welcome step to avoid outlandish prosecution of security researchers, but I argue that they are not sufficient to protect them once a prosecution starts. Their motive (and the methods used) to improve security will not constitute a legal argument unless a public interest defence exists.
Hence, Audrey’s proposal to reform the cybercrime legislations (UK, EU and the Convention) by incorporating a public interest defence to cybercrime offences, in particular to the ‘hacking’ offence (unauthorised access). Momentum is certainly gathering in the UK. The Criminal Law Reform Now network (CLRNN) has now released a comprehensive study of the UK Computer Misuse Act with a series of recommendations. It is time to make cybercrime legislations fit for the 21st Century, to borrow the slogan of a significant part of the security industry in the UK endorsing the report and the reform.