When Does Security Research Stop Being Research?

Security research can receive special legal consideration, but curiosity-driven access to systems usually does not.

On this page

  • What qualifies as good faith research
  • Why curiosity alone is not enough
  • Current policy and reform debates

Introduction

The legal debate around UFO-motivated hackers such as Gary McKinnon highlights a distinction that modern cyber law increasingly tries to draw: the difference between security research conducted in the public interest and unauthorised exploration driven by curiosity. Both activities may involve examining computer systems, identifying weaknesses, or accessing information. Yet the legal system generally focuses less on a person's stated motive and more on whether the activity was authorised, proportionate, and designed to improve security rather than simply to satisfy interest or obtain information. [Department of Justice]

This distinction matters because many individuals who describe themselves as researchers, explorers, or truth-seekers believe that a lack of malicious intent should protect them from liability. In practice, courts, prosecutors, and government cybersecurity policies usually require much more than good intentions. Permission, responsible disclosure, and demonstrable efforts to avoid harm are the factors that separate recognised security research from unlawful intrusion. [Department of Justice]

What qualifies as good-faith research?

Modern cybersecurity depends heavily on independent researchers who identify vulnerabilities before criminals can exploit them. Governments and organisations increasingly encourage this work through vulnerability disclosure programmes, bug-bounty schemes, and formal reporting channels. The UK's National Cyber Security Centre (NCSC), for example, publishes a Vulnerability Disclosure Toolkit that helps organisations set up a structured process through which researchers can report weaknesses responsibly rather than exploit them. [National Cyber Security Centre]

A common set of characteristics appears across government guidance and enforcement policies:

  • The researcher acts to identify or verify a security flaw.
  • The activity is limited to what is necessary for testing.
  • Harm to systems, users, or data is actively avoided.
  • Findings are reported through responsible disclosure channels.
  • The primary objective is improving security rather than obtaining unrelated information. [Department of Justice]

The United States Department of Justice formally adopted this approach in May 2022, when it revised its Computer Fraud and Abuse Act charging policy (Justice Manual 9-48.000) to direct that prosecutors should not bring CFAA charges for genuine good-faith security research. The policy defines such research as accessing a computer solely to test, investigate, or correct a security flaw or vulnerability, carried out in a manner designed to avoid harm to individuals or the public, with the resulting information used primarily to promote the security or safety of the affected class of devices, machines, or online services and their users. [Department of Justice]

Importantly, this does not create a blanket exemption for hacking, and it is a charging policy rather than a change to the statute: it guides federal prosecutors, creates no enforceable rights for defendants, and does nothing to prevent civil claims or prosecutions under state law. It reflects a judgement that cybersecurity benefits when researchers responsibly discover and report weaknesses. The protection depends heavily on purpose, conduct, and disclosure behaviour rather than on a self-declared identity as a researcher; the policy itself notes that discovering vulnerabilities in order to extort their owners is not good-faith research, however it is described. [Department of Justice; Jones Day]

Why authorisation remains central

One of the most persistent misconceptions in cybersecurity law is that beneficial intent can replace permission. In reality, authorisation remains the foundation of most legal frameworks.

Evidence submitted to UK parliamentary discussions on reform of the Computer Misuse Act 1990 repeatedly emphasised that cybercriminals and security professionals often use similar technical methods. The traditional legal distinction is that security professionals normally operate with permission, contractual authority, or a recognised disclosure framework, whereas attackers do not. [UK Parliament Committees]

This is why many vulnerability disclosure policies contain careful legal language. Government and public-sector programmes frequently encourage reports of weaknesses while simultaneously stating that researchers are not authorised to exceed defined boundaries. NHS England and Ministry of Justice policies, for example, support responsible reporting but state explicitly that the policy does not grant permission under the Computer Misuse Act 1990 to access, or attempt to access, systems or data beyond what it describes. [NHS England; Justice Digital]

In practical terms, a researcher who follows a published testing programme is usually in a much stronger position than someone who independently probes systems because they are curious about what might be hidden inside. Before testing, a practitioner should read the programme's scope and exclusions, confirm that it actually covers the specific hosts or applications in question, stop at the minimum proof needed to demonstrate a flaw rather than pivoting further into the environment, avoid copying or retaining data beyond what the report requires, and keep a dated record of what was done so that conduct can later be shown to match the policy.


Why Curiosity Alone Is Not Enough

The McKinnon case illustrates why curiosity is rarely treated as a legal defence.

McKinnon consistently described his objective as searching for evidence relating to UFOs, advanced technologies, and alleged government secrecy. His supporters often portrayed him as a curious investigator rather than a conventional criminal. However, the legal allegations focused on unauthorised access to military and NASA systems rather than on the beliefs that motivated the access. According to the 2002 US indictment announced by the Department of Justice, he allegedly accessed and damaged 92 government computers without authorisation. [Department of Justice]

From a governance perspective, curiosity creates several problems:

  • It provides no objective limit on what systems may be accessed.
  • It does not require minimising harm.
  • It does not necessarily involve reporting vulnerabilities.
  • It can lead to viewing sensitive information as a target rather than a by-product of research.
  • It offers no reliable way for system owners to distinguish explorers from malicious actors. [UK Parliament Committees]

A person searching military networks for UFO-related information may sincerely believe they are pursuing truth. Legally, however, that activity resembles unauthorised exploration rather than vulnerability research if there is no permission, no security-testing mandate, and no intention to improve the security of the affected systems. [Department of Justice]

This distinction explains why courts and prosecutors generally evaluate actions rather than motivations. A curiosity-driven intrusion may be non-commercial and non-destructive, yet still fall outside recognised research norms because the objective is discovering information rather than securing systems. [UK Parliament Committees]

Current Policy and Reform Debates

Despite the importance of authorisation, many cybersecurity experts argue that existing laws were written before modern vulnerability research became common and can create uncertainty for legitimate researchers.

Critics of the UK Computer Misuse Act note that some activities widely viewed as beneficial, such as certain forms of vulnerability discovery, internet-wide scanning, or threat intelligence gathering, may technically amount to unauthorised access under section 1 of the Act. As a result, researchers and industry groups have repeatedly called for clearer statutory protections or defences for responsible cybersecurity work. [Essex Open Access Research Repository; clrnn.co.uk]

Supporters of reform argue that legal uncertainty can discourage the reporting of vulnerabilities and make organisations less secure. They point to the growing use of vulnerability disclosure programmes as evidence that governments increasingly rely on cooperation with independent researchers. [National Cyber Security Centre]

Opponents of broad exemptions caution that any defence for security research must be carefully drafted. A rule that protects anyone claiming curiosity, public interest, or investigative intent could weaken protections against unauthorised access and create opportunities for abuse. The challenge is finding a legal standard that protects responsible researchers without creating loopholes for intruders who retrospectively describe their actions as research. [UK Parliament Committees; clrnn.co.uk]

The emerging policy trend is therefore not to excuse hacking because it is interesting, educational, or motivated by unusual beliefs. Instead, governments increasingly seek to recognise research that is demonstrably tied to security improvement, conducted within clear boundaries, and accompanied by responsible disclosure practices. [Department of Justice]


The Practical Line in UFO-Hacking Cases

For readers examining UFO-related hacking cases, the key lesson is that modern cyber law generally does not ask whether a person was curious, sceptical, idealistic, or searching for hidden truths. The central questions are whether the access was authorised, whether the activity was aimed at improving security, whether harm was minimised, and whether any discovered vulnerability was responsibly disclosed. [Department of Justice]

Good-faith security research can receive special consideration because it serves a recognised cybersecurity function. Curiosity-driven exploration, even when sincere and non-commercial, usually lacks the authorisation and security purpose that policymakers increasingly regard as essential. In cases such as Gary McKinnon's, that distinction helps explain why claims of curiosity and public interest attracted public sympathy but did not eliminate the underlying legal concerns about unauthorised access. [Department of Justice; tarrdaniel.com]


Endnotes

  1. Source: justice.gov
     Title: Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act
     Link: https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

  2. Source: committees.parliament.uk
     Title: Written evidence on the Computer Misuse Act (6 Dec 2022)
     Link: https://committees.parliament.uk/writtenevidence/114076/html/

  3. Source: justice.gov
     Title: Justice Manual 9-48.000, Computer Fraud and Abuse Act
     Link: https://www.justice.gov/jm/jm-9-48000-computer-fraud

  4. Source: justice.gov
     Title: Vulnerability Disclosure Policy (VDP), 3 Apr 2024
     Link: https://www.justice.gov/jmd/vulnerability-disclosure-policy

  5. Source: committees.parliament.uk
     Title: Written evidence on the Computer Misuse Act
     Link: https://committees.parliament.uk/writtenevidence/107707/html/

  6. Source: england.nhs.uk
     Title: Security vulnerability disclosure policy
     Link: https://www.england.nhs.uk/security-vulnerability-disclosure/

  7. Source: digital.nhs.uk
     Title: Security vulnerability disclosure
     Link: https://digital.nhs.uk/cyber-and-data-security/security-vulnerability-disclosure

  8. Source: justice.gov
     Title: London, England Hacker Indicted Under Computer Fraud and Abuse Act (2002 press release)
     Link: https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm

  9. Source: tarrdaniel.com
     Title: UFO - Ufology - The Gary McKinnon Case
     Link: https://www.tarrdaniel.com/documents/Ufology/gary_mckinnon_case.html

  10. Source: clrnn.co.uk
      Title: CLRNN 1A: Comparative report on computer misuse defences
      Link: https://www.clrnn.co.uk/media/1028/clrnn-1a-comparative-report-on-computer-misuse-defences.pdf

  11. Source: justice.gov
      Title: Department of Justice (home page)
      Link: https://www.justice.gov/

  12. Source: ncsc.gov.uk
      Title: The NCSC's Vulnerability Disclosure Toolkit, 14 Sept 2020
      Link: https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit

  13. Source: ncsc.gov.uk
      Title: Vulnerability reporting and disclosure, 28 Nov 2024
      Link: https://www.ncsc.gov.uk/collection/vulnerability-management/reporting-disclosure

  14. Source: gca.gov.uk
      Title: Government Commercial Agency Vulnerability Disclosure Policy
      Link: https://www.gca.gov.uk/about-gca/vulnerability-disclosure-policy

  15. Source: jonesday.com
      Title: Department of Justice Significantly Revises Policy on Charging CFAA Violations (June 2022)
      Link: https://www.jonesday.com/en/insights/2022/06/department-of-justice-significantly-revises-policy-on-charging-cfaa-violations

  16. Source: mojdigital.blog.gov.uk
      Title: Justice Digital Vulnerability disclosure policy
      Link: https://mojdigital.blog.gov.uk/vulnerability-disclosure-policy/

  17. Source: repository.essex.ac.uk
      Title: A. Guinchard (2018), The Computer Misuse Act 1990 to support vulnerability research
      Link: https://repository.essex.ac.uk/21710/1/36-230-1-PB-1.pdf

  18. Source: ncsc.gov.uk
      Title: Vulnerability Reporting
      Link: https://www.ncsc.gov.uk/information/vulnerability-reporting

  19. Source: ncsc.gov.uk
      Title: Vulnerabilities (advice and guidance)
      Link: https://www.ncsc.gov.uk/section/advice-guidance/all-topics/vulnerabilities

  20. Source: ncsc.gov.uk
      Title: Improving your response to vulnerability management
      Link: https://www.ncsc.gov.uk/blog-post/improving-your-response-to-vulnerability-management

  21. Source: Wikipedia
      Title: United States Department of Justice
      Link: https://en.wikipedia.org/wiki/United_States_Department_of_Justice

  22. Source: nesc.co.uk
      Title: Vulnerability Disclosure
      Link: https://www.nesc.co.uk/vulnerability-disclosure/
