Comment by andix

Comment by andix a day ago

10 replies

The really interesting part of this issue is that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.

There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to a URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.

immibis a day ago

It is, however, a data breach, triggering the requirement for them to report it to the regulator immediately or get fined, etc etc (if such rules exist in the UK)

  • wyldfire 8 hours ago

    I suppose even if O2 isn't in EU jurisdiction they could apply pressure, since the example showed a Denmark customer being impacted. Maybe that telco in Denmark can't peer with O2 if O2 can't secure their EU customers' data.

18172828286177 a day ago

> The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking

You clearly aren’t familiar with how broad the Computer Misuse Act is

  • andix a day ago

    > You clearly aren’t familiar with how broad the Computer Misuse Act is

    No, I'm not familiar with it at all. But usually illegal hacking requires accessing devices in a way you aren't allowed to access them. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.

    It would probably become an issue if you make unusual phone calls, harassing people by constantly calling, or calling just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).

    • watusername a day ago

      > Dumping data from the memory of your phone can't be unauthorized.

      > just dumping the diagnostics for regular phone calls should be fine

      IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.

      [0]: In the US, the DOJ has revised its policy to not prosecute defendants pursuing "good faith security research," which you may trust at your own risk: https://www.justice.gov/archives/opa/pr/department-justice-a...

      • andix a day ago

        I don't have a lot of knowledge about US and UK law, but I hear a lot of bad things.

        "good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.

        Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to an HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.

        • immibis 7 hours ago

          Legally, using any tool that allows you to view raw cellphone traffic from your own phone is already unauthorized access (probably).

          Famously, in Germany, it's illegal to be carrying a laptop on which nmap is installed. Everyone (who has a laptop and knows how to use nmap) still does it. It's one of those crimes which they get you for if they don't like you but you didn't commit any actual crime.

      • mrjeeves a day ago

        It's tough, but when the people don't respond what do you do?

        Do you just sit on the info, hoping no one else sees it and exploits it?

        Or do you try and get them to fix it somehow?