Blog: One rule for them, one rule for the rest
What eBay and others’ port scanning practice tells us about the Computer Misuse Act
5 June 2020
In the past week or so, there has been a considerable amount of discussion online about eBay’s use of a port-scanning script to check potential customers’ computers for malicious software that would indicate fraud (1). Given the parallels at play, it is worth examining this discussion for what it can tell us about threat intelligence research and the Computer Misuse Act.
To briefly explain the debate: eBay, like a range of other websites, from multinational banks such as Citibank to online marketplaces and e-commerce sites such as Gumtree and Ticketmaster (1), uses the services of a US-based software-as-a-service solution called ThreatMetrix for the purpose of detecting and mitigating fraud. ThreatMetrix describes itself as offering “an aggressive approach to thwarting bot-centric cyber crime”. Essentially, ThreatMetrix profiles the devices used in web transactions by obtaining connections with end users’ devices to generate a fingerprint and assess device integrity; this entails scanning certain ports on the user’s machine to detect manipulation such as a fraudster remotely controlling it.
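As an added illustration, not code from the CyberUp post, eBay or ThreatMetrix, the following defender-side JavaScript shows one way a user or browser-extension author could make this kind of local-port probing visible rather than letting it happen silently. It assumes the probe is driven from page JavaScript opening WebSocket connections to the visitor’s own machine; the post does not say which browser mechanism is used, so that is an assumption, and the sample connection targets are constructed. The script runs under Node with a stand-in WebSocket class; in a browser the same wrap would be applied to `window.WebSocket`.

```javascript
// Added example (not from the CyberUp post or ThreatMetrix): a small
// detector for page scripts that try to open connections back to the
// visitor's own machine. It classifies connection targets and wraps a
// WebSocket-style constructor so that such attempts are recorded.
// Assumption: the probing is done via WebSocket from page JavaScript.

'use strict';

// True when the URL points at the visitor's own machine or a private /
// link-local range, i.e. somewhere a public website has no business probing.
function isLocalTarget(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // not a parseable URL; nothing to classify
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1') return true;                                 // IPv6 loopback
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;  // IPv4 loopback
  if (/^169\.254\.\d{1,3}\.\d{1,3}$/.test(host)) return true;      // link-local
  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;   // RFC 1918
  if (/^192\.168\.\d{1,3}\.\d{1,3}$/.test(host)) return true;      // RFC 1918
  if (/^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // RFC 1918
  return false;
}

// Replace globalObj.WebSocket with a wrapper that records every attempt to
// reach a local target in `log`, then hands off to the real constructor.
// Returns the original constructor so it can be restored later.
function instrumentWebSocket(globalObj, log) {
  const Original = globalObj.WebSocket;
  function Instrumented(url, protocols) {
    const target = String(url);
    if (isLocalTarget(target)) {
      log.push({ url: target, when: new Date().toISOString() });
    }
    return new Original(url, protocols);
  }
  Instrumented.prototype = Original.prototype;
  globalObj.WebSocket = Instrumented;
  return Original;
}

// Stand-in for the browser's WebSocket so the example runs under Node.
class FakeWebSocket {
  constructor(url) {
    this.url = String(url);
    this.readyState = 0; // CONNECTING, never actually opened here
  }
}

// Constructed sample: connection targets a page script might open.
// The two loopback entries are what the detector is meant to surface.
const SAMPLE_TARGETS = [
  'wss://cdn.example.com/chat',      // ordinary remote service
  'ws://127.0.0.1:8080/',            // IPv4 loopback probe
  'ws://[::1]:9000/',                // IPv6 loopback probe
  'wss://api.example.com/events',    // ordinary remote service
];

// Instrument a fake global, replay the sample targets, and return the
// URLs of the attempts that were flagged as local.
function runDemo() {
  const fakeGlobal = { WebSocket: FakeWebSocket };
  const attempts = [];
  instrumentWebSocket(fakeGlobal, attempts);
  for (const t of SAMPLE_TARGETS) new fakeGlobal.WebSocket(t);
  return attempts.map(a => a.url);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('Local connection attempts:', runDemo());
}

if (typeof module !== 'undefined') {
  module.exports = { isLocalTarget, instrumentWebSocket, runDemo };
}
```

The wrapper deliberately still lets the connection proceed, so the page keeps working; a stricter variant would throw instead, and a browser extension could surface the log to the user. The point for this post is that the same connection attempts are invisible to an ordinary visitor unless something like this is in place.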
The relationship between port scanning and the UK’s Computer Misuse Act 1990 has always been fraught. Does port scanning without consent constitute unauthorised access under section 1 of the Computer Misuse Act, or does it not? Some experts conclude that network scanning activity “is almost never acceptable without the express permission of the managers of the target network” (2). Others argue that “some scanning of external systems should be lawful, even without explicit authorisation” (3). The fact that the developer of the popular network scanning tool nmap penned more than 3,500 words weighing the various legal quandaries raised by port scanning (4) is, perhaps, proof enough of the ambiguity created by the Computer Misuse Act.
Many of the legal issues mirror those presented by threat intelligence research. But the fact that port scanning activities still take place while security researchers are held back from conducting much threat intelligence research leaves a sour, “one rule for them, one rule for the rest” taste.
When security researcher Paul Moore questioned Halifax on its (unauthorised) port scanning practices in 2018, the bank’s lawyers explained that their actions helped “pick up evidence of malware infections on customers’ systems” (5). Similarly, eBay’s port scans more recently have been justified as anti-fraud measures, to detect criminals logged into a user’s computer in order to impersonate them (6).
The point isn’t that these organisations ought to be prosecuted, or that they should immediately cease their practices, which arguably offer a considerable benefit to society. The point is that these organisations’ justification for their practices – that their intentions are well-meaning – should not matter if the law were applied consistently.
The CyberUp Campaign continues to argue that the fact that the Computer Misuse Act takes no account of an actor’s motivations is a failing and one of the central reasons reform is needed. Whether or not an actor undertook a port scan in good faith, to protect a user from fraud, or in order to commit a subsequent crime, is not something the Act, as it is currently written, allows to be taken into account: this outdated law cares nothing for the good intentions of anyone potentially breaking it.
That port scanning takes place while threat intelligence researchers are held back by fear of prosecution is a source of frustration. The best way to address the problem is by reforming the Computer Misuse Act to remove the legal ambiguities holding back the UK’s cyber defenders.
Sources:
2. https://community.jisc.ac.uk/library/janet-services-documentation/port-and-address-scanning
3. https://script-ed.org/article/can-csirts-lawfully-scan-for-vulnerabilities/
4. https://nmap.org/book/legal-issues.html
5. https://www.theregister.com/2018/08/07/halifax_bank_ports_scans/
6. https://www.theregister.com/2020/05/26/ebay_port_scans_your_pc/