Lord vows to fight cybercrime laws

A proposed UK law has been heavily criticised by Lords and senior security experts, who say it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking.

Lord Northesk, a Conservative peer, told ZDNet UK on Thursday that an amendment to the Police and Justice Bill 2006 will potentially create a situation where the police would have to prosecute themselves.

A clause in the bill will make it illegal to create or distribute software tools which are likely to be used for hacking purposes, and is intended to address the rise of organised cybercrime. However, Northesk believes this could seriously backfire.

"Bodies like the Serious and Organised Crime Unit (SOCA) need to do forensic hacking as part of their investigations. If they are creating hacking tools they know full well they'll be used for hacking," said Northesk.

Northesk vowed to fight the bill in the Lords, calling the clause "pure idiocy" and "absolute madness".

"I will definitely be seeking to change it," Northesk told ZDNet UK. "The Home Office is in enough trouble already, so the thought of them enacting a law to stop the police doing their job is extraordinary."

Northesk said he had support in the House of Lords to change or even abolish the controversial provision.

Section 41 of the bill would amend the CMA to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".

It reads:
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article --
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.

A Home Office spokeswoman told ZDNet UK on Thursday that it was carefully considering the bill, even though it has already been passed by the House of Commons.

"Many legitimate tools can also be used for criminal hacking," she said. "Getting the balance right in controlling access to tools by criminal hackers while preserving access to often the same tools by legitimate network administrators is complex.

"We're continuing to consult industry and to clarify the exact effects of the bill as it stands. We are actively considering the precise legal balance before the bill reaches committee stage in the House of Lords."

Northesk said he will table his amendments to section 41 at the committee stage, which should start within the next few weeks.

Part (b) has been strongly criticised by security experts from the United Kingdom Education and Research Networking Association (UKERNA), the body responsible for the JANET educational network.

Andrew Cormack, chief security adviser for UKERNA, said the amendment would be likely to criminalise those who create or supply tools that have the potential for both legitimate and malicious use.

"A satisfactory law on making and supplying tools has to take account of the intention of the person making or supplying them. A person who clearly intends them to be used for good must not be at risk of prosecution," said Cormack.

Software used to check the security of systems and commercial remote management tools can both be used to gain unauthorised access to computers. However, making any of those tools unavailable to security professionals and systems administrators would greatly reduce the security of systems and networks, according to Cormack.

Lord Northesk said that the Internet could potentially become a much less usable and much more dangerous place as a consequence of the bill.

"The effects if this bill goes wrong could be huge. If you don't have people to test drive security systems then technology can never find its own failings," said Northesk.

Cormack said the problem lay in the wording of part (b), which only requires that it is "likely" that some person will misuse the tool. This takes no account of the supplier's or author's intention that it be used for good or that it may be much more likely, given the context in which the tool is made available, that it will be used legitimately.

"Consider what would happen if the same wording were applied to, say, the sale of kitchen knives. Crime statistics, regrettably, suggest that it is likely that some of those knives will be used for crimes. If that were sufficient to make it a serious crime to sell a knife then there would be far fewer kitchen shops and many more people injured by using inappropriate tools to cut food," Cormack told ZDNet UK.

Dr Richard Clayton of Cambridge University told ZDNet UK last week that part (b), as currently laid out, would catch a wide range of IT tools and activities that are not meant to be used in hacking.

Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.

But part b) of section 41 of the bill does has some support in parliament. Nick Palmer, Labour MP for Broxtowe, slammed Clayton's comments this week.

"Richard Clayton's comments [are] rhetorical and frankly a bit silly. I can't see that any court is likely to interpret the law as warranting the conviction of Larry Wall," said Palmer.

"In practice the test is likely to be the creation of tools in the reckless expectation that they will be useful in hacking, as opposed to general-purpose tools which a hacker might happen to use. While Perl is used by hackers and non-hackers alike, it is not a tool for the purpose of hacking, which appears the clear intent of the clause."