Abstract
Users, particularly amateurs, face uncertainties about technology law related to both interpretation and enforcement. This uncertainty can have a chilling effect on how users experiment with technology. However, little is known about the precise uncertainties that users face and what kind of advice is available. Our paper focuses on user questions and advice surrounding the legality of port scanning, a dual-purpose technique used in both defensive and offensive security. We identified and analyzed 414 pieces of advice given in response to questions about the legality of port scanning from 36 Reddit threads. We find that users ask two types of questions: (1) reactive questions in which they have scanned and are concerned by the consequences; and (2) proactive questions in which they ask about legality and seek ways to comply with the law. We found no consensus in the advice about legality or the likelihood of prosecution. In justifying advice, users deployed a range of anecdotes, analogies, and URLs. Subtle variations on the analogy between port scanning and physical building security are used to explain why it is both legal and illegal. Users also reason from individual cases, such as arguing prosecution is unlikely because the user had not personally been prosecuted or arguing prosecution is likely because Aaron Swartz was prosecuted. Finally, the most influential URL was a “Legal Issues” page maintained as part of an open-source project. We reflect on how these results can inform forum moderation and public-policy dissemination.
| Original language | English |
|---|---|
| Title of host publication | EuroUSEC '24 |
| Subtitle of host publication | Proceedings of the 2024 European Symposium on Usable Security |
| Editors | Farzaneh Karegar, Ali Farooq |
| Place of Publication | New York, NY, United States |
| Publisher | Association for Computing Machinery (ACM) |
| Pages | 322-336 |
| Number of pages | 15 |
| ISBN (Electronic) | 9798400717963 |
| Publication status | Published - 20 Nov 2024 |
| Event | The 2024 European Symposium on Usable Security, Karlstad, Sweden. Duration: 30 Sept 2024 → 1 Oct 2024. https://eurousec24.kau.se/ |
Symposium
| Symposium | The 2024 European Symposium on Usable Security |
|---|---|
| Abbreviated title | EuroUSEC 2024 |
| Country/Territory | Sweden |
| City | Karlstad |
| Period | 30/09/24 → 1/10/24 |
Keywords / Materials (for Non-textual outputs)
- cybersecurity law
- offensive security
- security and privacy discourse
- content analysis
Paper title: "Just a tool, until you stab someone with it": Exploring Reddit users' questions and advice on the legality of port scans