Appendix A. UK Law

Laws are applied to enemies, but only interpreted as regards friends.

—Giovanni Giolitti, 1842–1928

Penetration testing, whether physical or electronic, carries with it a certain degree of inherent legal risk. It's important to understand the relevant legislation and how it affects penetration testers. It is sometimes very easy for a perfectly legal test to inadvertently cross the line into questionable legal territory. Usually this happens when the tester exceeds the scope of the test or the rules of engagement, but sometimes you can be engaged to do work (with both sides acting in good faith) that is intrinsically illegal. Understanding the law ensures that you don't put yourself (or your clients) in a legally vulnerable position. The legislation most relevant to the penetration tester may be found in the following acts of parliament:

  • The Computer Misuse Act 1990 and 2006.

  • The Human Rights Act 1998 (particularly Article 8).

  • The Regulation of Investigatory Powers Act 2000.

  • The Data Protection Act 1984 and 1998.

We examine this legislation in turn and give examples of how you might fall foul of the law. You may be surprised.
