Hacker News
by pbhjpbhj 4187 days ago
In the UK the relevant law AFAIK is the Computer Misuse Act, http://www.legislation.gov.uk/ukpga/1990/18/.

He has authorisation to access the data, and authorisation to access the computers in question. He doesn't, perhaps, have authorisation to use the specific mode of access but that isn't pertinent to the Act as written AFAICT.

The only possible part he falls foul of is Section 3(3) in that his actions might have caused the system to fail, but "recklessly" has a suggestion of him knowing that such deleterious outcomes were likely, and I don't think that's really true. I think his actions as reported are not in breach of this Act.

However, the proposed Section 3A will cover such actions if he [the reporter of the security lapse] believes that the information (see 3A(4)) he published is likely to be used to assist in the commission of an offence.

>"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (CMA 1990, proposed S.3A(2))

This section is exceptionally broad. Indeed it appears to outlaw the disclosure of bugs found without malice and without intent. Communicate to Google, say, a program/data that could be used to break into their system and it seems you fall foul of the letter of that Section. Chilling indeed.