UK law will criminalise IT pros, say experts
Summary: Security experts fear that the UK government is on track to outlaw the supply of network security tools, and even scripting languages such as Perl
IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.
The Police and Justice Bill will update the UK's existing Computer Misuse Act (CMA), bringing in new powers to address the rise of organised cybercriminals and offences such as denial-of-service attacks. It was passed by the House of Commons earlier this month, and will be considered by the House of Lords over the next couple of months.
Leading figures in the UK technology sector believe that the bill, as it currently stands, would outlaw a range of innocent activities.
Section 41 of the bill would amend the CMA to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".
It reads:
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.
Dr Richard Clayton of Cambridge University believes that part (b), as currently laid out, would catch a wide range of IT tools and activities that are not meant to be used in hacking, but potentially could be.
Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.
"Perl is almost universally used on a daily basis to permit the Internet to function," said Clayton. "I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."
People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.
"The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the Internet less safe," argued Clayton.
Malcolm Hutty, regulation officer at the London Internet Exchange, shares Clayton's fears about the bill. He believes it would make people much more reluctant to make useful software tools available to the public.
"We are concerned that the scope of [section 41 of] the bill is too broad, and could criminalise a lot of innocent people," said Hutty.
He said organisations such as LINX have been urging the Home Office to have the bill altered. Some amendments were made following these lobbying efforts, but Hutty believes the government should have gone further.
He also believes that section 41 could be interpreted as including the supply of information about security vulnerabilities, as that advice could be used to commit a criminal offence.
"You could reveal details of a security flaw, and someone could hear that and decide that not everyone would be patched yet," said Hutty, adding that this could even include media outlets which reported on security flaws.
The Home Office denies suggestions that the bill will criminalise systems administrators by outlawing software which could be used in cybercrime attacks.
"There is a hacking amendment, but it doesn't criminalise those innocent of hacking attacks," said a Home Office spokeswoman. "[It] shifts the emphasis on to those intending to deliberately develop tools for criminal use."
Talkback
Why is it that time and time again, under the umbrella of child abuser, terrorist, cyber criminal or whatever else hype word, gained and hard fought rights are so easily taken from us?
Today they'll go for those in the know. Tomorrow they'll go for those that might detect it. After that they'll go for those that might report about it. Then to be followed by those that might do something about it. By the time they'll reach you there will be no-one left to defend you.
The real question to ask is: what poor and lame government do we currently have that they require so much additional powers at so much costs to do the job they told us before the elections they could do?
In short: all I'm hearing is poor excuses for poor results. Be sure to know who to point the finger of blame at come the elections. Do nothing, keep quiet, and they'll point your finger for you. Don't be surprised if that'll leave you empty-handed.
Actually maybe this is the real point of the legislation - it has commercial intent. Perhaps hackers generally use open source tools, so selling MS Windows will be ok, but Linux will be illegal to sell, as it could be a hacking tool.
Do I detect the hand of an Operating System manufacturer worried about losing market share?
The digital revolution is up and running and it's going to leave all those dinosaurs in its wake.
At best this is bad legislation being passed by people who don't understand the technology. The cynic in me notes that software deemed as hacking tools is predominantly open-source coded by dedicated enthusiasts (nmap, Cain, winpcap etc) whereas the big network scanning products (such as GFI Languard) don't seem to suffer from the same level of suspicion.
I mean correct me if I'm wrong, but I read part (b) to say:
A person is guilty of an offence if he makes or supplies any article, believing it is likely to be used to assist in the commission of, an offence [of hacking etc].
You cannot very easily commit a computer misuse offence without a computer, and it's probably going to be running MS Windows. So people like Mr Dell and Mr Gates are going to believe it likely their products will be used to assist with committing computer misuse offences - hence they are breaking the proposed law.
This is totally stupid - you may as well make it illegal to sell cars, as it is likely they will be used by some people to commit road traffic offences. Or it's illegal to sell houses as it's likely they will be used by some people to set up illegal crack dens. Come on - anything CAN be used for a crime, and is likely to be used for one, and you can, in selling it, reasonably expect it will be, but it's the CRIMINALS who are committing the offence.
Does the government have no legal advisers - I thought Tony Blair was a barrister.
Interestingly under this law will the Home Office not find themselves guilty of a crime once their ill-planned ID cards are 'used to commit' ID-Fraud?
I even got a reply from Paul Goggins at the Home Office categorically stating that the lynchpin to this was to be in proving the intent. However, it's not just the CMA that's a problem; this, combined with clause 35 of the new Police and Justice Bill, would make it illegal to even supply tools that have "dual use" (their words, not mine). So kiss goodbye to most of the contents of your TCP/IP stack, and prepare to hand in all current copies of operating systems in use; these morons just made them illegal.
The laws are too broad and have clearly been written by people who know little or nothing about computing.
If it will be illegal for XP, W2K, W98 etc. to be sold or used by businesses, does that mean we will all have to buy the secure Vista, because even if that is flawed no one will be able to tell their friends and exploit it, thanks to the security afforded us by the new law...
I notice that this never stopped anyone!
Don't worry about it, I highly doubt the coppers will come and get you if you write your software. If you start to misuse it then maybe.
All they are going to do is push it further underground. Just like the drugs world that needs to be legalised. The sooner the government controls it the better, but they are too stupid to realise!