Abstract
Information security is something you do, not something you have. It's a recurring process of finding weaknesses and fixing them, only for the next weakness to be discovered, and fixed, and so on. Yet, European Union rules in this field are not built around this cycle of making and breaking: doing offensive information security research is not always legal, and doubts about its legality can have a chilling effect. At the same time, the results of such research are sometimes not used to allow others to take defensive measures, but instead are used to attack. In this article, I review whether states have an obligation under the right to science and the right to communications freedom to develop governance which addresses these two issues. I first discuss the characteristics of this cycle of making and breaking. I then discuss the rules in the European Union with regard to this cycle. Then I discuss how the right to science and the right to communications freedom under the European Convention for Human Rights , the EU Charter of Fundamental Rights and the International Covenant on Economic, Social and Cultural Rights apply to this domain. I then conclude that states must recognise a right to research information security vulnerabilities, but that this right comes with a duty of researchers to disclose their findings in a way which strengthens information security.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
