“Is scanning lawful?” sounds as if it ought to be a straightforward question with a simple answer. However investigating it turns out to be a good illustration of how tricky it is to apply real-world analogies to the Internet, and the very different results that different countries’ legislators (and courts) can come up with when they try.
The legal starting point is indeed simple: nearly all countries have a criminal offence that prohibits “unauthorised access” to computers. And nearly all of them, explicitly or not, seem to have had ideas of real-world “trespass” in mind when drawing up their laws. But that should immediately ring warning bells, because merely being on someone else’s property isn’t normally a criminal offence. In English law you need more than just trespass to commit a crime: for example entering someone else’s property with intent to steal is a crime (burglary), entering someone’s property by force used to be a separate crime (housebreaking).
Nonetheless the UK Computer Misuse Act is very clear that what is prohibited in the case of a computer is mere “access” and defines that in very wide terms: “causes a program to be executed” (s.17(3)). So in the UK scanning will almost always constitute “access” (since the whole point is to get the scanned computer to respond in some way) and the question of whether it is lawful depends almost entirely on the meaning of “authorised”. And, since life in both the Internet and the real world would be impossible if we always had to seek permission in advance, on the circumstances in which you may presume that your “access” is authorised implicitly by the behaviour, rather than the explicit words, of the person entitled to give or deny authorisation. That question turns out to be sufficiently complex that I could write more than 3000 words on it, and an academic law journal was happy to publish it. And even that discussion still only reaches a provisional conclusion, as none of the few relevant cases actually defines the boundary between authorised and unauthorised and none creates a precedent that would bind future court cases!
So what about other countries? It turns out their criminal laws don’t just come to different answers: they ask completely different questions in order to get there. Germany asks whether the action involved circumventing a protective measure – roughly analogous to our housebreaking offence – so if scanning can be done “outside” a barrier (whatever that means), or if the system owner didn’t install a barrier (access control lists, passwords, etc.) in the first place, then it appears to be lawful. Austria considers the intent of the person seeking “access” – akin to our intention-based form of “burglary” – there, if there’s no criminal intention then it seems there can’t be a crime. And the Netherlands defines “access” more narrowly – more like “breaking in” – so there the question would be what technical activity counts as “getting in”. All of those variations appear to be permitted by the Council of Europe Cybercrime Convention and the EU Directive on Attacks on Information Systems, the best attempts we have harmonising the law in this area.
So the answer to the question – “is scanning lawful?” – is definitely “it depends”. But what it depends on may be completely different depending on where you (and possibly the computers you are scanning) are!