Security News > 2021 > November > CyberUp presents four principles to keep security researchers out of jail for good-faith probing
Campaigners want a new code of practice alongside a proposed public interest defence for the Computer Misuse Act 1990, in the hope it will protect infosec pros from false threats of prosecution.
In a published paper, CyberUp said it wants judges "To 'have regard to' Home Office or Department for Digital, Culture, Media and Sport guidance on applying a statutory defence that would, ideally, be based on the framework we propose."
CyberUp wants the Home Office, "Owners" of the CMA, to table a Parliamentary amendment to the act which would do two things: insert a public interest defence into the CMA and create a binding guidance document issued by the Home Office.
She said: "The risk of any list of exemptions being unduly limited, or quickly out of date, is significant. The key difference that a defence will make is that those unfairly caught by the current CMA offences have the opportunity to justify their actions and have them deemed defensible, which is something that simply does not exist at present as any act of unauthorised access is criminal without any regard for the circumstances under which it occurred."
The Criminal Law Reform Now Network said in its 2020 report about CMA reform that current conversations around the law are hampered by a lack of useful information about prosecutions as well as "Under enforcement", noting that recommendations for reform should be set.... If CyberUp's proposals become a binding statutory guidance document they'll be an arguable point outside the courtroom as well as in front of a judge, providing a bit of clarity to companies and individual security researchers alike.
None of CyberUp's proposals directly affect civil law, meaning a civil suit in the county or High Court for damages after a breach wouldn't be stopped by a new CMA defence.