Govt introduces amendment to Data Protection Bill to shield security researchers
11 January 2018
The government has introduced an amendment to the Data Protection Bill which seeks to ensure that security researchers who test security protocols will not be treated on a par with hackers who have criminal motives.
The new amendment to the Data Protection Bill will help security researchers conduct detailed security testing and assessments without fear of criminal prosecution or harassment by authorities.
Back in September, the government said it would introduce exceptions in the new Data Protection Bill to protect journalists, anti-doping agencies, and financial firms that collect data on money laundering and terrorist financing. At the same time, it said it will ensure that terrorists, money launderers and other criminals will not be able to misuse the new law.
The government added that it would also introduce a framework for intelligence and security agencies to enable them to conduct their investigations while protecting the rights of victims, witnesses and suspects at the same time.
Thanks to the latest amendment, the government has ensured that aside from investigative journalists, anti-doping agencies, and financial firms, ethical hackers and security researchers will also be protected from prosecution under the new law because of the nature of their work.
In order to benefit from the new amendments, security researchers will need to inform the Information Commissioner's Office before they start testing the effectiveness of security protocols at various organisations. At the same time, they will also be required to convince the ICO that their work is in the public interest and will benefit society as a whole.
These requirements will not only help researchers obtain the backing of the ICO, but will also deter cyber criminals who may seek to abuse the law by masquerading as ethical hackers.
Last year, independent security researcher Marcus Hutchins, who discovered a 'kill switch' for the WannaCry ransomware, was arrested in the U.S. after being indicted for creating and distributing Kronos, a banking Trojan used by cyber criminals to steal banking passwords and other financial information.
Following his arrest, a number of cyber security experts said that it could be a case of mistaken identity. According to Ryan Kalember, a security researcher at Proofpoint, malware researchers have to dig deep and interact in malware-selling forums to find out what they need to know. As such, they end up leaving as much of a footprint as any other malware developer or seller.
“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crimeware tools and interfaces and play around. It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference,” he said.
With the government introducing new amendments to the Data Protection Bill, security researchers will be able to conduct their investigations without fear of prosecution, provided they follow the stated requirements.