Home page logo

Nmap Announce mailing list archives

Re: Valuable papers on the legality of port scanning and exploit code
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 29 Dec 2003 10:03:10 +0100

Fyodor wrote:
As part of the Nmap book, I am including a section on the legality of
port scanning.  In the process I came across a couple good papers that
I feel shed light on this important issue (at least for United States

Just for what it's worth, I don't know the exact differences between US and Europe legislations, but the fact that port scanning is legal is, as far as I know, yet to be proven in a court of law in a European country.

As a matter of fact the "cybercrime" laws in Europe are not very detailed yet, the recent Convention on Cybercrime [1] describes illegall access as:

"44. "Illegal access" covers the basic offence of dangerous threats to and attacks against the security (i.e. the confidentiality, integrity and availability) of computer systems and data. The need for protection reflects the interests of organisations and individuals to manage, operate and control their systems in an undisturbed and uninhibited manner. The mere unauthorised intrusion, i.e. "hacking", "cracking" or "computer trespass" should in principle be illegal in itself. It may lead to impediments to legitimate users of systems and data and may cause alteration or destruction with high costs for reconstruction. Such intrusions may give access to confidential data (including passwords, information about the targeted system) and secrets, to the use of the system without payment or even encourage hackers to commit more dangerous forms of computer-related offences, like computer-related fraud or forgery."

It does say further on that these does not include sending a file or an e-mail. Now, this convention has been signed by all European member states (even by the US [2]) but has yet to be transposed to law in the member countries.

For example, the current spanish law only punishes damage done to private property if the damage is over 300 EUR. The "private property" definition includes "electronic data, programs, and documents contained in network, media or information technology sistems" (CĂ“DIGO PENAL, organic law 10/1995, article 263-264). This is not going to be expanded in the review of the criminal law.

Having in mind that, in order to be illegal under spanish law, port scanning would need to generate damage to private property (in excess of that quantity), and, also, needs to be done "with the intention to harm" I thing that current law would not rule port scanning illegal unless unrightfully done by someone against a system that is vulnerable to "dying" from a port scan, and that system in fact dies and causes damages over 300 EUR to its owners.

Just my 2c.



[1] http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185
[2] http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm

For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List archive: http://seclists.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]