Penetration Testing mailing list archives
Re: Information Assessment Legality
From: Joe Peters <joepete () joepete com>
Date: Tue, 12 Oct 2010 09:48:31 -0400
On Mon, 2010-10-11 at 13:35 +1030, Stephen wrote:
> I'd appreciate if anyone could offer their views and experiences, or preferably, reference to the relevant laws.
The increasing amount of IT and privacy regulation makes this question difficult to answer. I would suggest making sure any work you do is a "work for hire" - something that will be owned by a client. Hence if there is any legal issue (say you start collecting protected intellectual property in your research), you might be limiting your liability. An indemnification clause would be essential as well. But in general this question is like saying "I will be driving from New York to Los Angeles, doing any number of things people tend to do in a car, what laws might I be breaking?"
> Option B I would also assume would be legal, as services like Intelius do a similar thing (publicly available information on anyone at a cost)
It depends. The issue tends to be more the how than the what but both apply. If I found out a rival company is bankrupt by aggregating a bunch of public records, I would say that is legal. If I find out it is bankrupt because I find a letter from the CFO to the CEO, that may be illegal. As to the what, if I happen to create a report that includes copyrighted information, I may have violated copyright by duplication and dissemination of someone else's intellectual property even though this information is published by the company frequently.

On the surface, these services seem to be without much risk, but the problem with being a third party is you don't always understand the mess you are stepping into. If Company B was founded by a bunch of former employees of Company A, there may be private non-disclosure or non-compete agreements in place. There are a lot of ways you can find trouble without ever being found at fault. You could be in the middle of an injunction, have your computer seized as evidence, need to hire a lawyer, etc.

--
Joe Peters