Overview
Legal frameworks affecting good-faith researchers and responsible disclosure can roughly be broken down into two categories:
- provision for criminal prosecution (e.g. computer misuse acts), and
- provision for civil suits
Europe
Belgium
Belgium is the first country to explicitly legally permit responsible vulnerability disclosure.
On February 15, 2023, the Centre for Cybersecurity Belgium (CCB) announced clear rules that protect vulnerability researchers who disclose a discovered bug, based on its authority established under the Law of 7 April 2019. Disclosure is subject to very strict rules, including mandatory reporting in many circumstances to the CCB (if the affected organization does not have its own vulnerability disclosure policy).
Read more about the CCB announcement, and details of the disclosure rules here: https://ccb.belgium.be/en/vulnerability-policy
Check out the GFCRC video interview with Inti de Ceukelaire of Intigriti here: https://youtu.be/ehkf-h67NA8
Germany
The German Criminal Code (Strafgesetzbuch) has provisions against unauthorized data access and computer sabotage, notably the “Hackerparagraph” – § 202a StGB Ausspähen von Daten (unauthorized access to information).
The situation is further complicated by the German federal political structure, which leaves interpretation and prosecution of laws to the jurisdiction of state (“Länder”) courts, whose judgments may not be equally informed, nor consistent.
Switzerland
The Swiss criminal code (German: Strafgesetzbuch, StGB) Art. 143 forbids unauthorized access to data or entry into systems.
At the same time, Art. 17 specifies a “justifiable emergency” – defining as rightful the commission of a crime in order to prevent a more serious, otherwise unavoidable crime. This has caused significant confusion regarding ethical hacking.
In good news, the Swiss Federal Council (Bundesrat) issued a set of recommendations on 29 November 2023 in support of ethical hacking, bug bounty programs, and better public-private coordination, e.g. via the Swiss National Security Center (NCSC CH). Full PDF text of the recommendation is available here.
United Kingdom
The Computer Misuse Act 1990 makes unauthorized access to computer material, as well as other computer-related offences (“computer misuse offences”), illegal. It criminalizes activities such as unauthorized access, modification, or interception of computer data. This very dated legislation poses problems for ethical hacking because:
The most common challenge posed by the legal measures of the Computer Misuse Act 1990 is the regulation of ethical hacking, which is technically illegal under the act because it defines all non-consensual system access as a crime, regardless of cybersecurity benefits. (from Upguard.com)
That said, the UK NCSC does strongly support CVD via the NCSC Vulnerability Reporting Service, and provides a Vulnerability Disclosure Toolkit for researchers and companies.
Americas
Canada
The Canadian Criminal Code (R.S.C., 1985, c. C-46) section 342.1(1) defines “unauthorised use of a computer”:
Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service;
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).
United States of America
Vulnerability disclosure in the USA is governed by the 1986 Computer Fraud and Abuse Act (CFAA), or Title 18, United States Code, Section 1030.
On May 19, 2022, the US Department of Justice announced a change in enforcement of the CFAA, specifically stating that “good faith” disclosure would not be charged by the DoJ.
This is an executive branch policy related to implementation of the CFAA, not a change in the law itself – this means that this approach may change under future administrations. Furthermore, as this is a US federal policy related to a national law, it does not affect potential state-by-state laws.
Asia
China
China’s Cybersecurity Law addresses unauthorized access, data protection, and the security of critical information infrastructure. It establishes legal requirements for the protection of personal information and critical data.
India
The Information Technology Act includes provisions on unauthorized access and hacking, along with other cybercrimes. It criminalizes unauthorized access to computer systems and data.
Indonesia
Indonesia’s Electronic Information and Transactions Law includes provisions on unauthorized access.
Japan
Japan’s Unauthorized Computer Access Law prohibits unauthorized access to computer systems.
Singapore
Section 3(1) of the Computer Misuse Act 1993 (“CMA”) forbids “Unauthorised access to computer material”. According to ICLG, this provision is of particular relevance to “penetration testing”.
South Korea (Republic of Korea)
South Korea’s Act on Promotion of Information and Communications Network Utilization and Information Protection includes provisions on unauthorized access.
Oceania
Australia
The Cybercrime Act of Australia includes provisions on unauthorized access and other computer-related offenses.
International Treaties and Agreements
Several international treaties and conventions address cybercrime and unauthorized computer access. Here’s a list of key agreements:
Budapest Convention on Cybercrime (Council of Europe Convention on Cybercrime):
- Overview: Also known as the Budapest Convention, it is the first international treaty specifically addressing crimes committed on or with the aid of the internet and other computer networks.
- Link: Budapest Convention
United Nations Convention against Transnational Organized Crime (UNTOC) – Protocols on Cybercrime:
- Overview: UNTOC includes protocols that touch on aspects of cybercrime, particularly the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children.
- Link: UNTOC
African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention):
- Overview: The Malabo Convention focuses on promoting a culture of cybersecurity and personal data protection on the African continent.
- Link: Malabo Convention
Asia-Pacific Economic Cooperation (APEC) Privacy Framework:
- Overview: While not a treaty, APEC’s Privacy Framework provides guidelines and principles for the protection of personal information across the Asia-Pacific region.
- Link: APEC Privacy Framework
Organization of American States (OAS) – Model Inter-American Law on Electronic Commerce:
- Overview: The OAS has developed a model law on electronic commerce that addresses various legal aspects, including electronic transactions and computer-related crimes.
- Link: OAS Model Law
These international agreements aim to facilitate cooperation among nations in combating cybercrime, ensuring data protection, and harmonizing legal approaches in the digital domain. It’s important to check the latest updates and developments regarding international agreements on cybercrime, as new treaties or amendments may emerge over time.