Can CSIRTs Lawfully Scan for Vulnerabilities?

Authors

  • Andrew Cormack, Chief Regulatory Adviser, Janet

DOI:

https://doi.org/10.2966/scrip.110314.308

Abstract

Security teams routinely scan their own networks to identify computers that may be vulnerable to attacks that would damage the organisation’s information or services. However, the discovery in early 2014 of the widespread Network Time Protocol (NTP) reflection and Heartbleed vulnerabilities highlighted that serious risks to information and systems can also result from vulnerable systems outside the organisation’s network. Security teams would like to identify these vulnerable systems, both to prepare their own defences and to try to warn the systems’ operators to fix the vulnerabilities. It is far from clear, however, whether UK criminal law permits scanning of external systems. This paper considers the unauthorised access offences contained in the UK Computer Misuse Act 1990 and the few reported cases. It concludes that scanning to determine whether or not a computer is vulnerable probably does constitute “access” and, for an external computer, is unlikely to be explicitly “authorised”. However, actions that have been accepted by courts as lawful (sending an e-mail and visiting a website) indicate that authorisation may also be implicit. Theories of cyberproperty and cases under the US Computer Fraud and Abuse Act, including the historic US v Morris, suggest that connecting a computer or service to the Internet does implicitly authorise actions related to the intended function of that service. This appears consistent with the UK decisions in Lennon and Cuthbert and implies that while scanning for NTP reflection vulnerabilities should be lawful, testing for Heartbleed probably is not.

Published

01-Dec-2014

Section

Analysis