Other relevant legislation

There are several more laws which can affect the work of the ethical hacker.

Communications Act 2003

The Communications Act has two sections which are directly relevant to penetration testing:

• Section 127(1) covers offensive and threatening messages sent over a ‘public’ electronic communications network (such as email or social media)
• Section 127(2) covers causing annoyance by sending messages known to be false (such as hoax calls and emails)

Tips for the ethical hacker

Be careful when targeting employees as part of a social engineering penetration test. Make sure that people will not be offended by the messages you send and don’t use any threatening or otherwise generally unacceptable language.

Fraud Act 2006

The Fraud Act was introduced in 2006 in order to streamline existing fraud-related legislation and cover some new types of crime. It covers cases where someone is acting dishonestly with the intention of self-gain or to cause loss or risk of loss to another.

It defines fraud as:

• Fraud by false representation, by presenting information which they know is misleading or untrue
• Fraud by failing to disclose information if they are under a legal duty to do so
• Fraud by abuse of position, where a person dishonestly abuses their position in which they are expected to safeguard the interest of another
• Obtaining services dishonestly, when a person obtains paid services without permission or payment for them

Tips for the ethical hacker

The Fraud Act has additional sections defining it as an offence to make, supply or possess articles for use in frauds. Some of the tools and techniques we use in social engineering attacks could fall under these sections. Make sure that you have been explicitly authorised to carry out these steps in the penetration test and stay well within the scope.

Human Rights Act

Article 8 of the Human Rights Act is the most relevant for us: Rights to respect for private and family life.

1. Everyone has the rights to respect for their private and family life, their home and their correspondence
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others

Tips for the ethical hacker

Network-level snooping or sniffing can be a fairly indiscriminate process that captures a lot of private information and/or communications. This could easily violate the first clause of Article 8 – the right to privacy in correspondence.

To avoid this, you would need to ensure that you set your filters sufficiently so that private traffic can’t be captured. If you were to capture private data, you would need to delete it immediately.

Investigatory Powers Act 2016

The Investigatory Powers Act (IPA) regulates the UK intelligence agencies and law enforcement activities regarding the interception of communications and interference with electronic equipment. While it is quite enabling in the powers and flexibility it gives, there are relevant safeguards and overseeing provisions in order to ensure it is applied appropriately.

IPA allows the agencies to carry out:

• Bulk collection of communications data
• Targeted and bulk interception of communications
• Targeted and bulk equipment interference (ie hacking)

In other words, it allows them to intercept any communication or hack into the devices of an individual (‘targeted’) or a large group of people (‘bulk’). These powers can only be used in specific cases and with explicit authorisation by the Secretary of State. They are also overseen by an independent Interception of Communications Commissioner.

IPA requires communication service providers (eg mobile operators or internet service providers) to retain connection records for one year. Such information can include location, time and number of phone calls, source and destination of emails, and URL of websites visited.

In order to ensure freedom of speech, independence of judiciary and human rights, there are some notable exemptions: IPA provides some extra protection regarding the interception of communications of journalists, lawyers and doctors.

Tips for the ethical hacker

The IPA is important only if you work for law enforcement agencies, in which case you’ll need to be aware of the following:

• Ensure that you get explicit written permission, in the rules of engagement, to perform traffic interception to cover yourself as much as possible under IPA
• Be very careful what you intercept on somebody else’s network, be it wired or wireless
• Be very careful when you defeat a cryptographic mechanism in order to intercept communications (which is plausible in the case of SSL) – you don’t know what information is being communicated, there may be further penalties

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (ICR)

The Interception of Communications Regulations (ICR) provide the conditions under which organisations can monitor and intercept traffic on their networks. Many companies will need to monitor the traffic on their networks for different reasons, such as ensuring performance, making sure that their network is not misused or used for illegal activities and so on.

The traffic which is monitored and/or intercepted could be from employees, visitors or customers. ICR allows organisations to do this monitoring under the condition that all parties have given their informed consent for the interception. In some cases, this will be laid out in the employment contract or the company security policy which all employees will have to agree with. In other cases, this might be in the terms and conditions given to visitors prior to providing access to the infrastructure.

Tips for the ethical hacker

As part of penetration testing, you might have to capture traffic from corporate networks. Before doing that, you must ensure the organisation holds a document which has been agreed by the employees and allows the interception of communications. If this is not the case, the company has no right to authorise the interception of such traffic, and so can’t authorise you to do so.

Communications Act 2003

Fraud Act 2006

Human Rights Act 1998

Investigatory Powers Act 2016