Module: 01y — International Penetration Testing Law: UK CMA, Germany § 202c, EU NIS2, Canada, Australia, SIM Swap, and Extradition Exposure
Difficulty: advanced
Questions
Q1. R v. Gold & Schifreen (1988) directly led to which piece of legislation, and why were the defendants acquitted in the House of Lords?
- A) The defendants were acquitted under the Data Protection Act 1984 because no personal data was stolen; Parliament responded by passing the Computer Fraud Act 1990.
- B) The defendants were acquitted because existing forgery law under the Forgery and Counterfeiting Act 1981 did not reach unauthorized computer access; Parliament passed the Computer Misuse Act 1990 directly in response.
- C) The defendants were acquitted on procedural grounds; Parliament passed the Police and Justice Act 2006 to close the gap.
- D) The defendants were acquitted because the Prestel network was not classified as a "computer" under existing law; Parliament passed the Telecommunications Act 1990.
Correct answer: B Explanation: Robert Schifreen and Steve Gold accessed British Telecom's Prestel network in 1984 using credentials they had obtained and, among other things, read Prince Philip's mailbox. The Crown charged them under the Forgery and Counterfeiting Act 1981 on the theory that keying in another user's ID and password made a "false instrument". The Court of Appeal quashed the convictions and the House of Lords upheld that result in 1988: the momentary electronic signals were not an instrument within the Act, and Lord Brandon described the prosecution as a "Procrustean attempt" to force the facts into a statute not designed for them. With no offence that reached unauthorized access as such, Parliament passed the Computer Misuse Act 1990 in direct response.
Q2. Under CMA § 3A, which condition triggers liability even without the defendant having criminal intent to personally commit unauthorized access?
- A) Possessing dual-use tools while traveling in the UK.
- B) Supplying or offering to supply any article while "believing it is likely to be used" to commit a CMA § 1 or § 3 offence — even if the supplier's own intent is lawful.
- C) Carrying Metasploit on a laptop to a UK client site under a written engagement contract.
- D) Downloading publicly available exploit code from GitHub while connected to a UK network.
Correct answer: B Explanation: CMA § 3A(2) criminalizes supplying or offering to supply any article "believing that it is likely to be used" to commit, or to assist in the commission of, an offence under § 1 or § 3 (and, since the Serious Crime Act 2015, § 3ZA). Unlike § 3A(1), which requires that the maker or supplier intend the article to be used in an offence, § 3A(2) needs no criminal intent of the supplier's own, only a belief about the likelihood of criminal use by someone else. That asymmetry is what makes § 3A the provision of the CMA most relevant to tool authors and distributors. CPS prosecution guidance treats wide legitimate availability and widespread legitimate use of a dual-use article as factors weighing against prosecution, but guidance is not a defence, so controlling who receives a tool and documenting the lawful purpose remain the practical safeguards.
Q3. Germany's § 202c StGB criminalizes "preparation" of unauthorized data access offences. What distinguishes § 202c from CMA § 3A in terms of the legal trigger for tool-related liability?
- A) § 202c requires proof of actual harm to data, while CMA § 3A is a strict liability offense.
- B) § 202c focuses on the tool's "purpose" (designed for unauthorized access), while CMA § 3A focuses on the supplier's "intent" or "belief" about likely use.
- C) § 202c applies only to tools with no legitimate security use, while CMA § 3A applies to all dual-use tools.
- D) § 202c requires distribution to at least three persons, while CMA § 3A applies to supply of even a single article.
Correct answer: B Explanation: Germany's § 202c StGB punishes preparing a § 202a or § 202b offence by producing, obtaining, selling, supplying or distributing passwords or access codes, or computer programs whose purpose is the commission of such an offence: a tool-centric test. The Federal Constitutional Court held in 2009 (2 BvR 2233/07) that this reaches only programs whose objective purpose is to commit an offence, so ordinary dual-use security tools fall outside it. CMA § 3A instead asks what the supplier intended or believed about how the article would be used: a person-centric test. In practice, a dual-use tool such as Nmap is kept clear of § 202c by documenting the lawful professional purpose for which it is supplied and deployed, while § 3A risk is managed by controlling who receives the tool and for what stated purpose.
Q4. Under GDPR Article 3(2), a U.S.-based pen tester who accesses an EU company's systems and exfiltrates real user records as proof-of-concept is subject to which GDPR obligation as a "processor" under Article 28?
- A) The tester must register as a data controller with the relevant EU supervisory authority before testing begins.
- B) GDPR does not apply to the tester because they are not established in the EU.
- C) The tester is subject to GDPR processor obligations and the data transfer to U.S. systems constitutes a restricted transfer under GDPR Chapter V, requiring a valid transfer mechanism such as Standard Contractual Clauses.
- D) The tester must obtain individual consent from every EU data subject whose data is accessed during testing.
Correct answer: C Explanation: GDPR Article 3(2) gives the Regulation extra-territorial reach: it applies to a controller or processor not established in the EU when its processing of personal data of data subjects who are in the Union relates to offering them goods or services or to monitoring their behaviour in the Union. A U.S. tester engaged by an EU controller who handles that controller's personal data is in any case a processor, bound by an Article 28 contract with the controller. Copying real records onto U.S. systems is a transfer to a third country under Chapter V and needs a valid mechanism: Standard Contractual Clauses, an adequacy decision (for a U.S. organisation, certification under the EU-US Data Privacy Framework adopted in July 2023) or binding corporate rules; without one the transfer is unlawful. The practitioner's answer is to avoid the problem: scope the engagement so that proof of access uses record counts, hashes or redacted samples rather than exported records, and have the processing agreement spell out what may be copied, where it is stored and when it is destroyed.
Q5. Under Canada's Criminal Code § 342.1, which legal concept gives a security researcher the best available defense when they genuinely (even if incorrectly) believed they had authorization to access a system?
- A) The "good faith researcher" safe harbor, which is codified in the Criminal Code.
- B) The "colour of right" defense — a genuine belief in a legal right to act, whether or not that belief is legally correct.
- C) The DOJ CFAA Charging Policy, which Canada has adopted by treaty.
- D) The Van Buren "gates-up-or-down" authorization test, which Canadian courts apply by analogy.
Correct answer: B Explanation: Canada's § 342.1 requires both "fraudulently" and "without colour of right." "Colour of right" means a genuine belief in a legal right to act, whether or not that belief is legally correct. A researcher who genuinely believes a bug bounty program or other indication authorizes access may have a colour of right defense — though Canadian courts have not definitively addressed this in the security research context. There is no federal authorization statute or Canadian analog to the DOJ CFAA Charging Policy.
Q6. In R v. Boden (2002, Queensland), an individual remotely accessed SCADA systems controlling sewage infrastructure, causing 800,000 liters of raw sewage to spill. What legal principle does this case establish about Australian computer misuse law?
- A) Australian courts require proof of financial harm before convicting under §§ 477–478.
- B) Australian law recognized a "good faith researcher" exception that Boden failed to invoke.
- C) Australian computer offences (now Commonwealth Criminal Code §§ 477–478) operate on strict unauthorized access principles with no safety research exception: remote access to critical infrastructure systems without authorization is criminal regardless of physical location.
- D) The prosecution succeeded under a Queensland common law trespass theory, not under computer misuse statutes.
Correct answer: C Explanation: Boden, a former employee of the contractor that installed the Maroochy Shire sewage SCADA system, was convicted under the Queensland Criminal Code, principally s 408D (using a restricted computer without the controller's consent), because the Commonwealth Part 10.7 offences (§§ 477–478, inserted by the Cybercrime Act 2001) did not yet exist when he acted in 2000. The principle is the same under both regimes: the prosecution succeeded because the access was unauthorized, full stop. Australian law contains no statutory authorization defence or "good faith" exemption for researchers. The only protection is that the access was authorized, which under Commonwealth § 476.2 means the person was entitled to cause it, and in practice means documented authorization from someone with authority to grant it.
Q7. SIM swapping is described as a "three-statute federal crime." Which three U.S. statutes most directly apply, and what is the maximum first-offense penalty under 18 U.S.C. § 1029 for access device fraud?
- A) §§ 1028, 1030, 1343 — maximum 10 years under § 1028.
- B) §§ 1029, 1030, 1343 — maximum 10 years under § 1029(c)(1)(A)(i).
- C) §§ 1029, 1036, 1343 — maximum 5 years under § 1029.
- D) §§ 1028, 1029, 2511 — maximum 15 years under § 1028.
Correct answer: B Explanation: SIM swapping triggers wire fraud § 1343 (the fraudulent representation to the carrier, made over interstate wires, to move the number), access device fraud § 1029 (a telephone number and the SIM provisioned for it are "access devices" under § 1029(e)(1), and one obtained by fraud is unauthorized), and CFAA § 1030 (logging into the victim's e-mail, exchange or bank accounts with the one-time codes now delivered to the attacker's handset is access without authorization to a protected computer). The maximum first-offense penalty under § 1029(c)(1)(A)(i) is 10 years; § 1029(c)(1)(A)(ii) sets 15 years for the subsections it lists, and § 1029(c)(1)(B) raises the maximum to 20 years for an offense committed after a prior § 1029 conviction.
Q8. In November 2023 the FCC adopted a Report and Order on SIM swap and port-out fraud (FCC 23-95, WC Docket No. 21-341) requiring carriers to authenticate customers before processing a SIM change. Which of the following accurately describes the legal consequence when a carrier negligently facilitates a SIM swap despite these rules?
- A) The carrier faces criminal liability under 18 U.S.C. § 1029 as a principal.
- B) The FCC order creates regulatory enforcement exposure for the carrier but does not create criminal liability for carrier negligence; however, a carrier employee who knowingly facilitates a SIM swap faces § 1029 liability as a principal or aider and abettor.
- C) The carrier is strictly criminally liable under the Communications Act for any unauthorized SIM swap.
- D) Carrier employees are immune from prosecution if the carrier had not yet implemented the FCC-mandated verification procedures.
Correct answer: B Explanation: The FCC order is a regulatory requirement: a carrier that fails to implement the mandated customer authentication, notification of SIM change requests and account-lock protections faces FCC enforcement (and civil negligence claims from victims), but it is not criminally liable merely because a fraudulent swap got through its process. A carrier employee who knowingly processes a fraudulent swap is a different matter: that employee faces § 1029 liability as a principal or, under 18 U.S.C. § 2, as an aider and abettor, and carrier employees have received multi-year prison sentences in SIM swap prosecutions.
Q9. The US-UK Extradition Treaty (signed 2003, in force 2007) made extradition of cybercriminals from the UK to the US operationally easier by eliminating which previous requirement?
- A) The requirement that the offence be punishable by more than one year in both countries.
- B) The requirement that the US present prima facie evidence sufficient to justify a trial — the treaty now requires only a warrant and charging documents.
- C) The double criminality requirement — conduct need no longer be criminal in both countries.
- D) The requirement that the defendant be a UK citizen or permanent resident.
Correct answer: B Explanation: Under the 2003 treaty, implemented in the UK by the Extradition Act 2003 with the US designated as a territory that need not show a prima facie case, the US no longer has to produce evidence sufficient to justify a trial; a request needs the arrest warrant, the charging documents and a statement of the conduct alleged. Requests in the other direction still have to satisfy the US probable-cause standard, a lasting criticism of the arrangement. Gary McKinnon, indicted in 2002, fought extradition for a decade under this framework until the Home Secretary blocked it in October 2012 on human rights grounds (Asperger's syndrome and a high suicide risk), an outcome that required extraordinary circumstances. The forum bar added to the Extradition Act in 2013 (s 83A) gave defendants a further argument; it was the basis on which Lauri Love's extradition on CFAA charges was refused in 2018.
Q10. A U.S. pen tester is engaged by a multinational company to test servers physically located in Germany. To comply with § 202c StGB and CMA § 3A simultaneously, which contractual element is specifically required by this module's multi-jurisdiction checklist for both German and UK engagements?
- A) A GDPR Data Processing Agreement and NIS2 Article 25 certification.
- B) A "colour of right" declaration and an Australian "lawful excuse" clause.
- C) A tool authorization schedule — UK engagements must list all tools and state their purpose (CMA § 3A mitigation); German engagements must include language confirming tools are deployed for authorized testing purposes (§ 202c mitigation).
- D) Pre-notification of local police departments in each jurisdiction and a signed indemnification from the BSI.
Correct answer: C Explanation: The module's multi-jurisdiction engagement checklist specifically requires: for UK engagements, explicitly listing all tools to be used and stating their purpose (CMA § 3A mitigation); for German engagements, including language confirming that the tools are deployed for authorized security testing, not for the commission of §§ 202a–202c offences. Both requirements target the "tool purpose" and "intent" elements that distinguish criminal from lawful tool use in each jurisdiction, and the schedule should be signed before any tool is shipped or installed, since supply is the act both provisions attach to.