Comment by 18172828286177 a day ago

> The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking

You clearly aren’t familiar with how broad the Computer Misuse Act is

andix a day ago

> You clearly aren’t familiar with how broad the Computer Misuse Act is

No, I'm not familiar with it at all. But usually illegal hacking requires accessing devices in a way you aren't allowed to access them. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.

It would probably become an issue if you make unusual phone calls, harass people by constantly calling, or call just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).

  • watusername a day ago

    > Dumping data from the memory of your phone can't be unauthorized.

    > just dumping the diagnostics for regular phone calls should be fine

    IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.

    [0]: In the US, the DOJ has revised its policy to not prosecute defendants pursuing "good faith security research," which you may trust at your own risk: https://www.justice.gov/archives/opa/pr/department-justice-a...

    • andix a day ago

      I don't have a lot of knowledge about US and UK law, but I hear a lot of bad things.

      "Good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.

      Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to an HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.

      • immibis 7 hours ago

        Legally, using any tool that allows you to view raw cellphone traffic from your own phone is already unauthorized access (probably).

        Famously, in Germany, it's illegal to be carrying a laptop on which nmap is installed. Everyone (who has a laptop and knows how to use nmap) still does it. It's one of those crimes which they get you for if they don't like you but you didn't commit any actual crime.

    • mrjeeves a day ago

      It's tough, but when the people don't respond what do you do?

      Do you just sit on the info, hoping no one else sees it and exploits it?

      Or do you try and get them to fix it somehow?

      • watusername 21 hours ago

        First of all, thank you for trying to resolve this with the carrier and finally bringing it up to everyone's attention here. Perhaps public attention is what's needed to push them to address the problem.

        To be honest, I personally would be scared to report such vulnerabilities with my real identity to begin with. With big tech companies, no matter how poorly their bug bounty programs are run, I still have this naive expectation that they won't shoot the messenger. At worst they could ban my accounts and maybe send threatening letters, but they probably won't ruin my life as long as I abide by the norms (agreed by technical people).

        However, I do not feel the same naive optimism towards "legacy" institutions like telecoms and public services. At best it's thankless work, at worst I get sued [0] or become a scapegoat so some official can score some political points [1]. It's unfortunate - I am acutely aware that this is the chilling effect at work, and our systems are collectively less secure because of it.

        [0]: https://www.cnbc.com/2024/09/15/dark-web-expert-warned-us-ho...

        [1]: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...

      • prmoustache 11 hours ago

        Being a customer yourself, I guess you could sue them