Cybercrime laws 'will harm security research'

Police and Justice Bill could hamper malware research and affect Linux distributions, experts warn
Written by Tom Espiner, Contributor

Updated cybercrime laws could have a "chilling effect" on anti-malware research, security experts warned this week.

The Police and Justice Bill 2006, which received Royal Assent last Wednesday, contains amendments to the Computer Misuse Act 1990 that alter the law surrounding the creation and distribution of 'dual use' software tools. These are tools such as nmap — a security scanner — which are primarily used by legitimate users and security researchers, but can also be used by hackers to scan networks for vulnerabilities.

The amendments to the law could potentially prohibit the downloading of such security tools, according to Malcolm Hutty, head of public affairs at the London Internet Exchange (LINX).

"We do have to have responsible software supply. However, [under these amendments] any form of download tool could be prohibited," said Hutty earlier this week. "The Government is inadvertently throwing the baby out with the bathwater."

Part 37 of the Police and Justice Bill amends section 3A, clause 2 of the CMA, and states: "A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence."

This will place serious constraints on the distribution of security tools, as the prosecution must only prove that the distributor believed it was likely that the tool will be used for hacking, even if this was not his intention, said Richard Clayton, a Cambridge University security expert. This would include malware researchers, ISPs and universities that host download tools, Clayton claimed.

Malware researchers could also be severely constrained by the new law because of the definition of "article", according to Clayton and Hutty. Clause 4 of section 3A states: "In this section 'article' includes any program or data held in electronic form."

The law is supposed to cover virus writing and hacking tools, but the wording of the law also covers the disclosure of software flaws, according to Hutty.

"In theory this covers the announcement of software flaws. The fear in the security world is that the legislation makes it possible for a vendor to come along and say that if security researchers are making [software-flaw] information available to the public, they must know it will be used to exploit software, as well as used for beneficial purposes," said Hutty. "The chilling effects on security research is a concern."

Clayton added: "If you approach a company and say you've found a problem, they can issue a writ to silence you. HSBC threatened to sue the Guardian [over reports of research by Cardiff University into HSBC's online banking authentication procedure]. This shows people are starting to think about going to the law to deal with bad news about security."

Several experts raised concerns about the amendments in the Police and Justice Bill earlier this year, which prompted the Government to make some changes.

LINX has expressed its concerns to the Home Office, and has asked the Government to clarify the law. The director of public prosecutions will issue guidelines on how the law is used.

As well as security researchers, Linux distributions could also be affected, as they often bundle dual-use systems administration tools, such as TCP dump and nmap, said Hutty.

"TCP dump gives a raw view of what's passed over your network. It's clearly in the public interest that the tool is available — but it could also be used for bad purposes," Hutty explained.

Clayton and Hutty were speaking at an event hosted by anti-spam appliance vendor Barracuda Networks.

Editorial standards