The government has introduced an amendment to the Data Protection Bill which seeks to ensure that security researchers who test security protocols will not be treated at par with hackers with criminal motives.
The new amendment to the Data Protection Bill will help security researchers conduct detailed security testing and assessments without fear of criminal prosecution or harassment by authorities.
Back in September, the government said it would introduce exceptions in the new Data Protection Bill to protect journalists, anti-doping agencies, and financial firms that collect data on money laundering and terrorist financing. At the same time, it said it will ensure that terrorists, money launderers and other criminals will not be able to misuse the new law.
The government added that it would also introduce a framework for intelligence and security agencies to enable them to conduct their investigations while protecting the rights of victims, witnesses and suspects at the same time.
Thanks to the latest amendment, the government has ensured that aside from investigative journalists, anti-doping agencies, and financial firms, ethical hackers and security researchers will also be protected from prosecution under the new law because of the nature of their work.
In order to benefit from the new amendments, security researchers will need to inform the Information Commissioner’s Office before they start effectiveness testing of security protocols at various organisations. At the same time, they will also be required to convince the ICO that their work is in public interest and will benefit the society as a whole.
These requirements will not only help researchers get the backing of the ICO, but will also prevent cyber criminals who may seek to abuse the law by masquerading as ethical hackers.
Last year, independent security researcher Marcus Hutchins, who discovered a ‘kill switch’ for the WannaCry ransomware, was arrested in the U.S. after being iindicted for creating and distributing Kronos, a banking Trojan that is used by cyber criminals to steal banking passwords and other financial information.
Following his arrest, a number of cyber security experts said that his arrest could be a result of mistaken identity. According to Ryan Kalember, a security researcher at Proofpoint, malware researchers have to dig deep and interact in malware-selling forums to find out what they need to know. As such, they end up leaving as much footprint as any other malware developer or seller.
“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crimeware tools and interfaces and play around. It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference,” he said.
With the government introducing new amendments to the Data Protection Bill, security researchers will be able to conduct their investigations without fear of prosecution unless, of course, they do not follow the stated requirements.