In the UK the legal debate over whether you are an ethical or white hat hacker is based upon intent. When conducting a penetration test, the intent of the tester is easily demonstrated, as they would have a contract and a written agreement to conduct the test. It is obvious that the tester was aiming to conduct the test ethically, by remaining within the law and getting permission to access the systems, hence the test is not unauthorised access and is not illegal. However, it is worth pointing out that it may not be just the organisation whose systems you are testing that needs to give permission for the testing to occur: if the system is hosted by a 3rd party, you will need authorisation from them as well. This may be covered by the hosting agreement between the 3rd party and the organisation about to be tested, but it is worth your while requesting proof of authorisation. In particular, Amazon have a requirement that they need to issue permission for tests to be carried out on systems hosted on their AWS.
As an ethical or white hat hacker in the UK, a big problem is the ownership of tools for conducting a penetration test. The Computer Misuse Act (CMA) 1990, as modified by the Police and Justice Act 2006, introduced a new offence, section 3A: "Making, supplying or obtaining articles for use in computer misuse offences".
The offence concerns articles that could be used for either the section 1 offence (unauthorised access) or the section 3 offence (carrying out unauthorised acts) just outlined. Here, "article" is stated to include "any program or data held in electronic form".
Someone is guilty of the offence if:
- he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
- he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
- he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual-use articles should consider the following factors in deciding whether to prosecute:
- Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
- Are students, customers and others made aware of the CMA and what is lawful and unlawful?
- Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
- Is the article available on a wide scale commercial basis and sold through legitimate channels?
- Is the article widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
In the UK the word intent is important in many legal cases, as proving intent is proving a guilty mind. In a criminal case in the UK, the measure of whether you are guilty or not is whether the prosecution has proved the case "beyond all reasonable doubt": if the members of the jury feel there is doubt as to whether the defendant acted illegally, then the case is not proven and the defendant should be found not guilty.
For an illegal act to take place there must be two things:
- Actus reus (guilty act)
- Mens rea (guilty mind)
A guilty act can be quite easy to prove: either the defendant accessed the system or they did not. A more everyday example would be the defendant smashing a window in a house that does not belong to them, which is either a case of vandalism or not. Proving the defendant guilty would involve showing that the defendant meant to break the window. A game of street football and an accidental misplaced shot hitting a neighbour's window is an example of there being no guilty mind: there was no intent, it was an accident. However, if there had been a history of confrontation between the two parties, then it could be proved that there was intent to break the window.
If you are in the UK and get into legal trouble, then, as we have an adversarial judicial system, it will come down to how well your defence lawyer argues your case against the prosecution lawyer. In a sense it is a debate between the defence and the prosecution, with the jury or magistrates deciding who has made the better case. The problem is that the outcome sometimes relies on who is the better debater rather than on the merits of the case.