Home Office 'wrong' over criminalisation of IT pros

Summary: The Home Office's claims that updates to the Computer Misuse Act won't affect legitimate users have been rubbished by IT law experts, while security professionals claim the law is 'unenforceable'.

TOPICS: Security

The Home Office has been blasted by lawyers over its claims that changes to the Computer Misuse Act (CMA) will not affect legitimate users.

Home Office minister Vernon Coaker claimed this week that amendments to the CMA will only criminalise those who make and distribute hacking tools with the intention of breaking the law.

Critics of the amendment to Section 42 of the Police and Justice Bill, which would modify the CMA, say a clause criminalising those creating software tools that are likely to be used for hacking would catch legitimate developers too.

They are concerned that anyone who makes tools which could be used both for legitimate purposes and hacking, such as systems administrators, the police, and ethical hackers, will be criminalised.

"Concerns have rightly been raised about whether the new offence will criminalise IT professionals who make and distribute these tools for legitimate purposes, such as penetration testing or identifying vulnerabilities," said Coaker in a piece which first appeared in Computer Weekly.

However, Coaker insisted that IT pros would not be affected by the law, arguing that the courts would be directed to consider whether the tool had been created for criminal purposes.

"The test for the offence will be whether the person believed at the time that the tool would be used more criminally than legitimately, so IT professionals will not be affected," Coaker added.

However, IT law experts have rubbished this interpretation of the clause, saying that the law cannot be read in this way.

"I don't think he's right when he says 'more criminally than legitimately' — that's not what it says," said Struan Robertson, senior associate at Pinsent Masons solicitors.

"A person is guilty if they believe the tools are likely to be used for any criminal purposes at all, not if the balance is more criminal than legitimate. I think Vernon Coaker is wrong," Robertson told ZDNet UK.

Section 42 of the amended Police and Justice Bill states:

After section 3 of the 1990 Act [CMA] there is inserted —

"3A Making, supplying or obtaining articles for use in offence under section 1 or 3

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —

(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or

(b) believing that it is likely to be so used.

Robertson heavily criticised the amendment itself, saying that part b is an "unreasonable burden on developers" because it expects them to predict how a tool will be used.

"If you supply software, how will you know what people will do with it in the future? You can't ask a developer to predict the future about how his product's going to be used. Part B is an unreasonable burden on developers," said Robertson.

"The law doesn't distinguish between software used for legitimate purposes and that used primarily for hacking purposes. Firefox and Internet Explorer are tools that can be used to assist in hacking — but that was never the intention of the supplier," Robertson added.

"It needs to be identified that the primary purpose of an article, as defined in the Act, would be for use in a computer misuse offence, rather than an incidental use. I hope this is amended before this becomes legislation," Robertson said.

Last week, the Earl of Northesk failed in an attempt to get part b of the amendment deleted.

Security experts have also heavily criticised the amendment, saying that the law as it stands would be impractical, and impossible to enforce.

"The law regarding the production of hacking tools is unenforceable. Everyone I've talked to in the Infosecurity community has agreed — you just can't enforce it from a practical standpoint," said Richard Starnes, president of the Information Systems Security Association.

Tom Espiner

  • "more criminally" by whose definition?
    Sounds more like 'removing the burden of proof' to me.
    I guess it takes a real IT pro to judge another IT pro. I'm guessing not that many are working for the police and courts. At least not in positions that make a (legal) difference. Enough said.
  • It's the same as "reasonably practicable" in the health and safety stakes.

    One man being wrapped up in cotton wool for his working life might be reasonable; to others, giving them a pair of gloves and telling them to walk along a 5-mile-high plank of wood in high winds without a safety harness is OK.

    There is no definition of this and I don't think there can be; that is why the world needs lawyers, they bend the law to fit them.