In defense of offense: information security research under the right to science

Open Access
Authors
Publication date 09-2022
Journal Computer Law and Security Review
Article number 105706
Volume | Issue number 46
Number of pages 18
Organisations
  • Faculty of Law (FdR) - Institute for Information Law (IViR)
Abstract
Information security is something you do, not something you have. It's a recurring process of finding weaknesses and fixing them, only for the next weakness to be discovered, and fixed, and so on. Yet, European Union rules in this field are not built around this cycle of making and breaking: doing offensive information security research is not always legal, and doubts about its legality can have a chilling effect. At the same time, the results of such research are sometimes not used to allow others to take defensive measures, but instead are used to attack. In this article, I review whether states have an obligation under the right to science and the right to communications freedom to develop governance which addresses these two issues. I first discuss the characteristics of this cycle of making and breaking. I then discuss the rules in the European Union with regard to this cycle. Then I discuss how the right to science and the right to communications freedom under the European Convention for Human Rights, the EU Charter of Fundamental Rights and the International Covenant on Economic, Social and Cultural Rights apply to this domain. I then conclude that states must recognise a right to research information security vulnerabilities, but that this right comes with a duty of researchers to disclose their findings in a way which strengthens information security.
Document type Article
Language English
Related publication Making and breaking with science and conscience
Published at https://doi.org/10.1016/j.clsr.2022.105706