hantke2024redlines.pdf (355.34 kB)

Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research

conference contribution
posted on 2024-05-15, 10:46 authored by Florian Hantke, Sebastian Roth, Rafael Mrowczynski, Christine Utz, Ben Stock
Comprehensive and representative measurements are crucial to understand security and privacy risks on the Web. However, researchers have long been reluctant to investigate server-side vulnerabilities at scale, as this could harm servers, disrupt service, and cause financial damage. This can lead to operator backlash and problems in peer review, as the boundaries posed by the law, ethics, and operators’ stance towards security research are largely unclear. In this paper, we address this research gap and investigate the boundaries of server-side scanning (3S) on the Web. To that end, we devise five typical scenarios for 3S on the Web to obtain concrete practical guidance. We analyze qualitative data from 23 interviews with legal experts, members of Research Ethics Committees, and website and server operators to learn what types of 3S are considered acceptable and which behavior would cross a red line. To verify our findings, we further conduct an online survey with 119 operators. Our analysis of these different perspectives shows that the absence of judicial decisions and clear ethical guidelines poses challenges in overcoming the risks associated with 3S, despite operators’ general positive stance towards such research. As a first step to mitigate these challenges, we suggest best practices for future 3S research and a pre-registration process to provide a reliable and transparent environment for 3S-based research that reduces uncertainty for researchers and operators alike.


Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)




@conference{Hantke:Roth:Mrowczynski:Utz:Stock:2024,
  title = "Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research",
  author = "Hantke, Florian and Roth, Sebastian and Mrowczynski, Rafael and Utz, Christine and Stock, Ben",
  year = 2024,
  month = 5,
  journal = "IEEE S&P"
}
