Pentesting Laws In UK

Computer Misuse Act 1990

The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063 (see below). Critics of the bill complained that it was introduced hastily and was poorly thought out. Intention, they said, was often difficult to prove, and the bill inadequately differentiated "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime".

The Act introduced three criminal offences:

1. Unauthorized access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);
2. Unauthorized access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;
3. Unauthorized modification of computer material, subject to the same sentences as section 2 offences.

Note: the 1990 Act contains nothing that makes DoS attacks illegal as such. DDoS via a botnet is illegal because it involves unauthorized access to the machines in the botnet. Ensure you have written permission to attack systems and ensure you do not go out of scope (following redirects, for instance, can take you onto hosts outside the agreed scope).

Data Protection Act 1998

The Data Protection Act controls how personal information is used by organizations, businesses or the government.

Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

1. Used fairly and lawfully
2. Used for limited, specifically stated purposes
3. Used in a way that is adequate, relevant and not excessive
4. Accurate
5. Kept for no longer than is absolutely necessary
6. Handled according to people's data protection rights
7. Kept safe and secure
8. Not transferred outside the UK without adequate protection

There is stronger legal protection for more sensitive information, such as:

1. Ethnic background
2. Political opinions
3. Religious beliefs
4. Health
5. Sexual health
6. Criminal records

Human Rights Act 1998

The Human Rights Act 1998 is an Act of Parliament of the United Kingdom, which received Royal Assent on 9 November 1998, and mostly came into force on 2 October 2000. Its aim is to "give further effect" in UK law to the rights contained in the Convention for the Protection of Human Rights and Fundamental Freedoms, but more commonly known as the European Convention on Human Rights. The Act makes available in UK courts a remedy for breach of a Convention right, without the need to go to the European Court of Human Rights in Strasbourg.

Article 8 of the Human Rights Act: Right to respect for private and family life.

1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Police and Justice Act 2006

The Police and Justice Act 2006 is an Act of the Parliament of the United Kingdom. As at August 2007 many of the provisions are not yet in force. The majority of the Act extends only to England and Wales.

1. Makes amendments to the Computer Misuse Act 1990 (sections 35-38 of the 2006 Act).
2. Increased the penalties under the Computer Misuse Act (unauthorized computer access is now serious enough to be an extraditable offence).
3. Made it illegal to perform DoS attacks.
4. Made it illegal to supply and own hacking tools.
5. Be careful about how you release information about exploits!

"The current Home Office line appears to be a balance of probabilities argument, that a court decides whether it is more likely than not each individual instance of the article will be used to commit an offence, i.e. the offence is only committed if it will be used criminally more than legally."

Most hacking tools are normal tools used in a slightly different manner. It is possible to fully compromise a machine using a standard web browser with SQL injection and the like. You probably don't want to write a proof-of-concept exploit that deletes the whole file system rather than just launching calc.