mailing list archives
Re: Valuable papers on the legality of port scanning and exploit code
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 29 Dec 2003 10:03:10 +0100
As part of the Nmap book, I am including a section on the legality of
port scanning. In the process I came across a couple good papers that
I feel shed light on this important issue (at least for United States
Just for what it's worth, I don't know the exact differences between
US and Europe legislations, but the fact that port scanning is legal
is, as far as I know, yet to be proven in a court of law in a European
As a matter of fact the "cybercrime" laws in Europe are not very
detailed yet, the recent Convention on Cybercrime  describes
illegall access as:
"44. "Illegal access" covers the basic offence of dangerous threats to
and attacks against the security (i.e. the confidentiality, integrity
and availability) of computer systems and data. The need for
protection reflects the interests of organisations and individuals to
manage, operate and control their systems in an undisturbed and
uninhibited manner. The mere unauthorised intrusion, i.e. "hacking",
"cracking" or "computer trespass" should in principle be illegal in
itself. It may lead to impediments to legitimate users of systems and
data and may cause alteration or destruction with high costs for
reconstruction. Such intrusions may give access to confidential data
(including passwords, information about the targeted system) and
secrets, to the use of the system without payment or even encourage
hackers to commit more dangerous forms of computer-related offences,
like computer-related fraud or forgery."
It does say further on that these does not include sending a file or
an e-mail. Now, this convention has been signed by all European member
states (even by the US ) but has yet to be transposed to law in
the member countries.
For example, the current spanish law only punishes damage done to
private property if the damage is over 300 EUR. The "private property"
definition includes "electronic data, programs, and documents
contained in network, media or information technology sistems" (CÓDIGO
PENAL, organic law 10/1995, article 263-264). This is not going to be
expanded in the review of the criminal law.
Having in mind that, in order to be illegal under spanish law, port
scanning would need to generate damage to private property (in excess
of that quantity), and, also, needs to be done "with the intention to
harm" I thing that current law would not rule port scanning illegal
unless unrightfully done by someone against a system that is
vulnerable to "dying" from a port scan, and that system in fact dies
and causes damages over 300 EUR to its owners.
Just my 2c.
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List archive: http://seclists.org