
Home Office 'wrong' over criminalisation of IT pros

The Home Office's claims that updates to the Computer Misuse Act won't affect legitimate users have been rubbished by IT law experts, while security professionals claim the law is 'unenforceable'
Written by Tom Espiner, Contributor

The Home Office has been blasted by lawyers over its claims that changes to the Computer Misuse Act (CMA) will not affect legitimate users.

Home Office minister Vernon Coaker claimed this week that amendments to the CMA will only criminalise those who make and distribute hacking tools with the intention of breaking the law.

Critics of the amendment to Section 42 of the Police and Justice Bill, which would modify the CMA, say a clause criminalising those creating software tools that are likely to be used for hacking would catch legitimate developers too.

They are concerned that anyone who makes tools which could be used both for legitimate purposes and hacking, such as systems administrators, the police, and ethical hackers, will be criminalised.

"Concerns have rightly been raised about whether the new offence will criminalise IT professionals who make and distribute these tools for legitimate purposes, such as penetration testing or identifying vulnerabilities," said Coaker in a piece which first appeared in Computer Weekly.

However, Coaker insisted that IT pros would not be affected by the law, arguing that the courts would be directed to consider whether the tool had been created for criminal purposes.

"The test for the offence will be whether the person believed at the time that the tool would be used more criminally than legitimately, so IT professionals will not be affected," Coaker added.

However, IT law experts have rubbished this interpretation of the clause, saying that the law cannot be read in this way.

"I don't think he's right when he says 'more criminally than legitimately' — that's not what it says," said Struan Robertson, senior associate at Pinsent Masons solicitors.

"A person is guilty if they believe the tools are likely to be used for any criminal purposes at all, not if the balance is more criminal than legitimate. I think Vernon Coaker is wrong," Robertson told ZDNet UK.

Section 42 of the amended Police and Justice Bill states:

After section 3 of the 1990 Act [CMA] there is inserted —

"3A Making, supplying or obtaining articles for use in offence under section 1 or 3

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —

(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or

(b) believing that it is likely to be so used.

Robertson heavily criticised the amendment itself, saying that part b is an "unreasonable burden on developers" as it expected them to predict how the tool would be used.

"If you supply software, how will you know what people will do with it in the future? You can't ask a developer to predict the future about how his product's going to be used. Part B is an unreasonable burden on developers," said Robertson.

"The law doesn't distinguish between software used for legitimate purposes and that used primarily for hacking purposes. Firefox and Internet Explorer are tools that can be used to assist in hacking — but that was never the intention of the supplier," Robertson added.

"It needs to be identified that the primary purpose of an article, as defined in the Act, would be for use in a computer misuse offence, rather than an incidental use. I hope this is amended before this becomes legislation," Robertson said.

Last week, the Earl of Northesk failed in an attempt to get part b of the amendment deleted.

Security experts have also heavily criticised the amendment, saying that the law as it stands would be impractical, and impossible to enforce.

"The law regarding the production of hacking tools is unenforceable. Everyone I've talked to in the Infosecurity community has agreed — you just can't enforce it from a practical standpoint," said Richard Starnes, president of the Information Systems Security Association.
