Changes to British law will affect computer security industry

Ivan Ristic posted a story today on his blog that highlights some changes to the Computer Misuse Act (CMA) that are to go into effect in the UK sometime this year.  The changes would appear to put security researchers and consultants in the UK at risk of being treated as criminals. Ristic quotes the key proposed addition below:

The key proposed addition reads as follows (a marked-up copy of the changes is available, courtesy of Clive Feather):

3A Making, supplying or obtaining articles for use in offence under section 1 or 3

  1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  2. A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  3. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
  4. In this section “article” includes any program or data held in electronic form.
  5. A person guilty of an offence under this section shall be liable—

    • on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
    • on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
    • on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

The main issue is the ambiguity of the word likely in "[...] likely to be used to commit, or to assist in the commission of, an offence [...]", which effectively criminalises a large number of security professionals who are just doing their jobs.

I think we all know that the tools a security researcher/consultant uses are the same (for the most part, likely minus some Ninja scripts/tools that some hackers keep private) as those hackers use.  I'm a security researcher and a security consultant as a full-time job; however, I also consider myself a hacker.  The only time I'm doing anything malicious is when I'm playing pranks on friends (mostly Mike Wood), but to me, what defines someone as a hacker is their mindset.  I think most people understand that these days.  Governments are just a few years behind the curve apparently, and it is dangerous to all of us in this profession.

It seems like every law that comes out related to computer security is either so vague it loses its bite (see PCI), or so vague it allows people who aren't even guilty of anything evil to be implicated and treated as criminals (see my recent post on the new laws to crack down on child pornography).  It's a scary world we live in.  I'm not big into politics, but as a US citizen, this is a disturbing trend to me.  I wonder if the US is beginning to consider similar non-sensical (I don't even think that's a real word that's how fired up I am right now) laws.

As Ristic mentions:

A much bigger problem is that the new law leaves too much to interpretation. The risk is just too high: do you want to be in a position to defend your actions in front of a jury that will almost certainly fail to understand the subject matter? Even if you are successful in your defence, such an event will require significant financial resources, disrupt your life, cause you and your family endless pain, and most certainly kill your career.

I mean, how do you even go about hiring a lawyer if you are implicated in something like this?  I'd actually feel more comfortable representing myself with my very limited knowledge of law than I would hiring an attorney with a very limited knowledge of computers.

Further, Ristic mentions the possible outcomes of this law coming into effect:

Possession is not likely to be criminalised (from the Guidance: "[...] does not criminalise possession per se unless an intent to use it to commit one of the other offences in section 1 or 3 CMA can be shown."), so it will probably still be safe to research computer security in private, but exchanging information with others might become dangerous. With the threat of persecution hanging over their heads, most people in the UK are likely to stop publicly discussing what they know.

Full disclosure—no matter what you think of it—will be criminalised, but it won't go away. Those who believe will continue to release vulnerability information, but they will likely take precautions to keep their identities secret.

Tool authors will have a choice to make. If they don't change their distribution practices, they will risk becoming a target of investigation and, possibly, prosecution. The Guidance seems to imply the safe way to distribute the tools is via a vetted list of computer security professionals. This is not feasible for most tool writers as they cannot afford the overhead of such a process. On top of that, even if such practices are followed, there is still no guarantee that you won't be persecuted. Each case will be reviewed on its own merits. Thus the alternatives—ending further development or moving the tools underground—seem far more likely.

So, great idea: let's just go ahead and nab all those evil security researchers and consultants who keep trying to make our systems more secure, since we can catch them, as they are public enough to be seen.  Then we'll completely miss out on all those underground hackers who are actually doing the evil deeds, because we have neither the time, people, nor skill to catch them.

Way to think it through guys.  Well played.

-Nate

Talkback

18 comments
  • So much for Linux security

    [i]In this section “article” includes any program or data held in electronic form.[/i]

    Looks to me like the person who finds a flaw is in deep grief unless he makes sure to never commit it to electronic form, including e-mail to the software vendor.

    In [u]very[/u] particular, anyone posting security patches to open-source projects is potentially doomed.
    Yagotta B. Kidding
    • RE:

      Haha, yeah, an interesting take away point.
      nmcfeters
      • Just goes to show how disconnected lawmakers are

        I am surprised our Congress hasn't done such things... but then again, most of them probably don't know how to turn a PC on.
        Been_Done_Before
        • Yep

          And we are so screwed when they figure that out!
          nmcfeters
        • Re: Just goes to show how disconnected lawmakers are

          Oh, our Congress has done such things. Replace "article" with "device" and you nearly have the DMCA.

          Except here a guilty plea is the same as a conviction at trial. Sounds like in the UK they get a little pissy if you make them actually do their jobs.

          :)
          none none
        • I disagree

          Lawmakers are "connected" very well to the authoritarian and corporate interests in this country. Agencies like the FBI and DOJ have full-time liaisons with Congress, indistinguishable from the legions of corporate lobbyists who walk the halls of Congress with ease and familiarity.

          The "connection" to the citizenry is quite simple: they advertise on TV, and we vote them back into office time and time again. It doesn't have to be like this, but the lack of "connection" is entirely our fault, not theirs.
          terry flores
          • What?

            I don't think we are talking about their connection to society as a whole. Although I tend to disagree with your statement, I think our government has evolved in a way that takes power out of the hands of the people (think electoral college).

            In ancient democracies, like the Greek, people would vote on issues in town squares, etc.

            Anyhow, the disconnect is between lawmakers and what's happening in the digital world.

            -Nate
            nmcfeters
          • Okay, to split the argument in two parts ...

            Elected officials don't really write legislation. They have staffers and consultants that do. Many bills are actually written *in detail* by lobbyists and political action committees. Most regulatory bills are written by experts in the executive branch, including almost all law-enforcement bills which are authored by full-time attorneys working for the FBI, DOJ, etc. And of course the budget bills are all written by the executive branch.

            While it's true that all these people live in their own little world of "the Beltway", they are all professionals who are writing with full knowledge of all the details and ramifications of the legislation.

            To your other argument, consider these points: the electoral college is only a factor in exactly one position: the President of the United States. And yes, we are a republic instead of a true democracy, but the average person declines to exercise even a minimal interest in legislative matters. We don't even keep track of our reps' voting records, can you imagine if WE had to vote on all the legislation directly?

            Americans today are not willing to invest much of their time into the political process, and what little they do spend is usually in passive watching of TV or expressing a gut opinion as opposed to doing any actual research. It's a damn shame, because we have even more tools today to monitor our legislators' performance than ever before, all of them free with an internet connection or even just a library card.

            So, how can we explain that our Congress as a whole has one of the lowest approval ratings in history, but the highest re-election rate? Since the members can't elect themselves, ultimately it is our fault.
            terry flores
        • Tubes

          After all. To them the interweb is just a series of tubes, right?
          martian@...
  • Mass criminalization

    The essential effect of this legislation is that it creates a whole new community of criminals: computer users. The terms used are so broad that it could be interpreted to include security analysts, but it might also be argued to include any number of tools that COULD be used in a malicious way. Hell, that would include everything up to and including Microsoft Word.

    This is the lawmakers' equivalent of "Kill 'em all, and let God sort 'em out." You are effectively a criminal if somebody in authority decides to label you one, because they are the ones interpreting the law.

    This trend has been happening in the US for many years, starting with the "War on Drugs" and continuing with the "War on Terror." A law professor once wrote that the average US citizen who has a bank account, computer, cellphone, or camera has probably broken some federal law for which they could be convicted with prison time. Laws on money-laundering, computer crimes, conspiracy, wire fraud, piracy, obscenity, you name it. We are all guilty of something, according to the hundreds of thousands of laws on the books.

    Where does it stop? When the authorities essentially classify all citizens as criminals, they remove all of the rights associated with a free and democratic society. In the US federal system, a person is now a criminal if any law enforcement agent decides he is; with a conviction rate of 97%, the court trial is just a formality.
    terry flores
    • Nice

      Very deep and cutting points. I like it.

      It's really scary now, because I feel like a pretty regular guy, with some minor indulgences like drinking, etc., but all in all a good citizen.

      Now, because I'm a computer security consultant/researcher/evangelist, whatever, I have to be concerned about my livelihood.

      -Nate
      nmcfeters
  • RE: Changes to British law will affect computer security industry

    Vague laws abound. The current "Hate Crimes" bill wending its way through the US Congress is vague enough that Liberal or Conservative doctrine (depending on who's won the latest election) would be included as a hate crime. Something as simple as disagreeing with Homosexuality would go from mildly offensive to a jailable offense.
    aureolin
    • Perhaps there's much bigger concerns

      Very good point, perhaps there are much bigger concerns than just computers.

      -Nate
      nmcfeters
  • RE: Changes to British law will affect computer security industry

    My suggestion would be to enlist the "Good" computer hackers out in cyber land to draft sensible law parameters to present to their countries' governments. And since the internet is global, the laws must be identical across the world. But be sure that if you don't make the proposed laws strict enough for the "Bad" hackers, then these countries will not support the proposals.
    jstubblefield@...
    • Is it so black and white?

      I'm not entirely certain that the line is so black and white though. In any case, I think that congress should hear the arguments of both sides... I mean, malicious hackers, even if they are criminals, have rights as well.

      -Nate
      nmcfeters
      • Terminology

        Why can't any writers of security and related articles EVER get this one right?

        A malicious "hacker" is actually referred to as a "cracker".

        Write it correctly if you're going to write it at all.

        My $0.02
        martian@...
        • Your $0.02 are worthless

          Actually, cracker was a term originally applied to those people who cracked copyright protections. Hacker to me defines someone who solves complex problems, malicious hacker being someone who does that maliciously.

          In the end, who really cares? Did you understand what malicious hacker meant? I'm sure you did, so why waste time commenting on it?
          nmcfeters
  • RE: Changes to British law will affect computer security industry

    Again the British and other lawmakers are going after the device to control human behavior, which never works. It sounds good, but in reality it punishes the good, law-abiding people, and the criminals will still do their evil ways no matter what. We need to punish the bad human behavior, not the device. The device doesn't do anything without human input, and the human input is what we should control.
    phatkat