Hi everyone!

Disclaimer: We are NOT lawyers and the information here should NOT be used as legal advice. We simply wanted to provide BASIC information based on our LIMITED research

Main Actions to be Cautious About:
Malware

Creation

Deployment

Spyware

Creation

Deployment

Scambaiting

Recording Calls

Phishing/Social Engineering

Prank Calls

Reporting

Giving any collected information to a third party

Breakdown:

Malware/Spyware (in the eyes of the law, they are treated the same)

Creation: Legal

Condition: One must, in advance of its creation, be very clear in declaring they have no intention of using it for illegal activities, or else it can be ruled as a premeditated crime

Warning: If one is found to be suspected of a DIFFERENT crime, a warrant can be placed to collect all of an individual’s technology, along with their login credentials. If malware (or illegally obtained information) is found on the device IRREGARDLESS OF ITS RELEVANCE TO THE CASE IN WHICH THE WARRANT WAS SERVED, then being in its possession can be punishable

Deployment: Illegal

Explanation: The misuse or altering of any device not belonging to an individual without the owner’s consent is illegal no matter the context

Exception: If someone is given documented permission from a government agency WHO HAS THE PROPER AUTHORITY, then they are allowed to deploy malware under their supervision with complete transparency

Scambaiting

Recording Calls (Wiretapping): Depends

Explanation of Inter-State Laws: Individual state laws are different, and the law that holds the MOST protection of privacy is the law that is enforced. There are 11 states that require two-part (all participants) consent. In the case where a call is being made across state lines, IN MOST CASES the law of the state in which the recording device is located is the law that is used (though it is recommended to always assume the more restrictive law)

Explanation of International Laws: Similar to state laws, each country is different. Most countries allow some form of recording, normally under a “reasonable assumption of privacy”, meaning that if the conversation was held in a context that it was assumed no other parties were listening (home alone, business/financial call, etc) then it not allowed to be recorded without two-party consent. Each country has different definitions of “reasonable assumption of privacy”

Exception: Most wiretapping laws are allowed to be ignored if a government institution is pursuing an investigation

Warning: Almost all of these laws are under the assumption that a participant of the call is doing the recording and ONLY using the recording for themselves. Once a third party is doing the recording OR RECEIVING THE INFORMATION OBTAINED FROM THE RECORDING, then many of the aforementioned laws are no longer applicable as most places do not allow third party wiretapping, even when all involved parties give consent

Phishing/Social Engineering: Illegal

Explanation: The acquisition of personal information or credentials from an individual without their consent/under false pretenses is considered fraud and can be severely punished

Exception: While one CANNOT trick scammers into providing any personal information, one can still “mess” with them if their intention is not to gain information (i.e., one can use a fake bank account website to see how a scammer interacts with it, but CANNOT have a fake login where a scammer’s login credentials would be tracked)

Warning: If one acquires personal information by accident (i.e. the scammer accidently provides their login credentials), then the individual is not allowed to use the credentials OR POSSES THEM. The usage/possession of another’s credentials without their consent, even if given to someone directly, is considered illegal and they are expected to delete them

Prank Calls: Depends

Explanation: Technically, by pretending to be a potential victim and wasting a scammer’s time, one is “prank calling” scammers. There are no direct laws relating to prank calls, however, people can be charged for harassment and even hate crimes IF WHAT IS SAId ON THE CALLS QUALIFIES. Essentially, so long as someone is not cursing, threatening, or “teasing” them in relation to their ethnicity, religion, or any other physical attribute, then there is no direct legal repercussions on the basis of “prank calling”

Reporting

Giving Information to a Third Party: Depends

Explanation: As mentioned previously, if the information obtained is done so under the assumption that it is for personal use (recorded calls), one is not allowed to involve a third party unless that person feels someone is at immediate risk of physical harm. If information was obtained legally or simply from observations, then it’s fine to report it to proper authorities

Exception: For the FBI in particular (other government agencies and local police also have this option), there are anonymous reporting sites where people can provide information for authorities to have/act on

Other Important Notes:

Ignorance is often not a good enough excuse for cybercrimes, since the laws are newer, they prefer to make it stricter rather than risk loopholes

There are ways of protecting oneself but most of them require the assistance of a lawyer or liability insurance, both of which cost money

However, violators are only liable for damages if the victim chooses to press charges (which in this case would mean the scammer’s would have to admit they themselves were breaking the law)

In terms of where someone can be punished for breaking cyber laws: (state means country as well) https://www.quora.com/Is-it-illegal-to-hack-a-scammers-computer

In the state where you planned the action (only punishable for planning here)

In the state where you conducted the action

In the state of your citizenship

In the state of the victim's citizenship

If the action (or the planning of the action) was not illegal at the time of conduction in the aforementioned places, then you're not punishable anywhere

Sources/Definitions (provided by https://definitions.uslegal.com/):

Malware: programming designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior https://definitions.uslegal.com/m/malware/ Some code would be malware in the sense that it is gaining unauthorized access to a computer system, however would NOT be disrupting or damaging the system if goal is to be undetected

Can be rephrased as automated privilege escalation and deployment of spyware

https://www.nampa.net/download/Virus/VirusLegal.php (is malware legal, not reputable)

If malware of your own creation OR OTHERWISE is ever deployed, regardless of intention (even if by accident or if you are the victim of malware that attacks another device https://en.wikipedia.org/wiki/Connecticut_v._Amero), then you have violated the law and can be subject to a warrant

A warrant can require you to give up all technology in your possession along with any passwords to allow for an investigation. If any malware/proof of illegally obtained information is found, regardless of its relevance to the specific case of malware, you can be convicted

Phishing: the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by assuming another's identity in an official-looking email, IM, etc. https://definitions.uslegal.com/p/phishing

Prank Calls: https://www.brodenmickelsen.com/blog/can-making-a-prank-call-get-me-arrested

Spyware: programs that gather information about a user's Web surfing habits and sends this information to a third party, usually without the user's permission or knowledge … can change system settings, install keystroke loggers, collect and report your personal information, use computer processing capacity without permission, and deliver spam or ads without user’s notice and consent https://definitions.uslegal.com/s/spyware/

Social Engineering: Social engineering is an act of mischievously making someone divulge information or doing something, usually via technology. What social engineers do is to take advantage of their victim’s emotional reactions and natural tendencies Social engineering is fraud, and it is against the law of every country. So, yes, it is illegal, and anyone caught in the act will have to face the law. (extortion, theft) https://www.thefreemanonline.org/is-social-engineering-illegal/

Wiretapping: connecting a concealed listening or recording device connected to a communications circuit … Federal law only requires one-party consent to the recording of a telephone conversation, but explicitly does not protect the taping if it is done for a criminal or tortuous purpose. Many states have similar exceptions https://definitions.uslegal.com/w/wiretapping/

In the US, federal law dictates one-party consent is needed to record a call (some states require all party consent and the state that has the law that favors more privacy is the law that is used, however it is often only punishable in the state the recording device was).

Other countries have other versions of the law,

Explained (US Law): https://www.criminaldefenselawyer.com/resources/criminal-defense/felony-offense/can-i-record-a-conversation-between-myself-anothe https://www.justia.com/50-state-surveys/recording-phone-calls-and-conversations/

Explained (Across State): https://www.rev.com/blog/phone-call-recording-laws-state

Explained (Across Countries): https://cdn2.hubspot.net/hubfs/241981/World_Recording_ebook_Final.pdf (not totally up to date) https://www.avoxi.com/blog/international-call-recording-laws-compliance-guide/ (updated as of 2021)

Examples:

Malware: Indiana University Bloomington created privesc malware: https://ieeexplore.ieee.org/abstract/document/6956577

More Sources: https://www.findlaw.com/criminal/criminal-charges/hacking-laws-and-punishments.html (Key laws for cybersecurity as well as how they are enforced)

https://www.oyez.org/ (database of all supreme court cases)

https://law.justia.com/ (website that holds database of court cases and laws)

Happy scambaiting!

s0merset7