Guide tells 'grey hats' how to avoid legal pitfalls

The Electronic Frontier Foundation has published a guide on how to avoid breaking the law as a result of ethical hacking

The US-based Electronic Frontier Foundation has published a guide on how IT professionals can avoid falling foul of the law as a result of ethical hacking.

The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide ponders such questions as what a security researcher should do if they unintentionally "violate the law" in the course of their investigations.

"A computer-security researcher who has inadvertently violated the law during the course of her investigation faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company's products," the guide states. "By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied."

The EFF said that researchers in this situation could reconstruct research using technology they are authorised to use, or report the flaw in general terms. However, both of these options are "undesirable", the EFF said.

In terms of US law, researchers could inadvertently flout include the Computer Fraud and Abuse Act, anti-circumvention provisions of the Digital Millennium Copyright Act, other copyright law, and other state and international laws, the EFF warned.

The EFF, therefore, recommended that security researchers consult with an attorney before undertaking potentially risky research.

"Because the regulatory regime is complicated and non-intuitive, security researchers may have more reason to worry about legal challenges than other scientists," the guide states. "Potentially, a researcher may unintentionally violate the law through ignorance or misplaced enthusiasm, or an offended party can stretch or misuse the law to challenge research that casts its products or services in a negative light."

The guide adds that companies that regularly deal with vulnerabilities, such as software firms, are less likely to sue "innocent researchers".

UK IT professionals also need to try to avoid legal entanglement, penetration-testing company First Base Technologies told ZDNet UK on Tuesday. Potential pitfalls include transgression of the Computer Misuse Act (CMA) and breaking anti-terrorism, privacy and human-rights laws, according to Peter Wood, chief of operations for First Base Technologies.

"We engage the owner of a system to get explicit permission before doing penetration testing," said Wood. "Some internal employees get a bit over-enthusiastic and unintentionally bring down systems — more frequently than you would expect. Clients have experienced someone doing something silly a couple of times a year. Doing research on the web and then testing exploits on systems will leave you on very dodgy ground."

Using tools such as TCP port scanners inappropriately can transgress the CMA, Wood warned. "Even tools like SuperScan will connect to a service and are not non-invasive," he said.

Use of such tools can be illegal under the CMA, as the researcher would be using the system for a purpose other than that for which it was originally intended, said Wood.

"For example, to do a vulnerability analysis on an SMTP mail server, it's likely you'd connect to a scanning tool, to answer questions about how the mail server is configured," said Wood. "But that would be using the mail server for a purpose [for which] it was not intended."

Gaining explicit consent from the owner of the systems to be tested could circumvent this problem, and also overcome potential problems with privacy and human-rights issues, Wood added.

"People evaluating security on individual workstations may not have thought of privacy considerations," said Wood. To overcome potential copyright issues, non-disclosure agreements could be entered into, he added.