ORG submission to the Home Office consultation on a duty to cyberprotect
0. Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 20,000 active supporters, we are a grassroots organisation with local groups across the UK.
1. We welcome the opportunity to respond to the Home Office consultation on “Unauthorised access to online accounts and personal data”. Having contributed to the previous call for information regarding the Computer Misuse Act 1990 (CMA), we wish to reiterate some of the issues raised in that regard in light of the plans to introduce a Cyber Security Duty to Protect.
2. In our previous submission we raised concerns about the lack of clarity over what “intention” means within the meaning of the CMA (answer to Q7). These concerns are still relevant. Cyber security research often consists of testing the security of an IT system by trying to gain unauthorised access, or by compromising the functionality of such a system for demonstrative purposes. As such, ensuring that researchers can conduct their activities without fear of criminal liability or backlash from organisations is pivotal. Likewise, researchers may act autonomously and fear retribution from organisations whose cybersecurity flaws are exposed. Either way, it is important to ensure that researchers can act with confidence, subject to appropriate ethical and professional conduct, and that the findings of these tests can be shared and put to good use.
3. As such, we