This paper looks at the UK’s Computer Misuse Act 1990 and how it might apply to the practice of vulnerability scanning. Where a scan has been authorised – either specifically or via a network security policy – there should be no problem. But there are some situations where we’d like to scan hosts for which neither of those options is possible. This turns out to be a legal grey area, depending on how much implicit authorisation is granted by the act of connecting a computer to the Internet. Using the only two reported cases, I tried to work out which kinds of scan a future court might accept as lawful, and which they would probably not. Note that this is not legal advice!
The paper can be found in ScriptEd, at https://doi.org/10.2966/scrip.110314.308