It's time for the Government Misuse Act

The ill-thought-out addition to the Computer Misuse Act could make criminals of large swathes of the IT industry. But it is the lawmakers who should really be on trial.

The sooner parliament is dragged kicking and screaming out of the 19th century and into this one, the better for us all – Alan via ZDNet UK Talkback

If the law is an ass, then IT law must be an exceptionally short-sighted donkey. While it is laudable that lawmakers have finally woken up to the threat posed by Distributed Denial of Service (DDoS) attacks and are attempting to amend the Computer Misuse Act (CMA) accordingly, their response can best be described as "too much, too late".

The Police and Justice Bill passed by the House of Commons earlier this month and currently residing in the Lords contains an update to the CMA that lawmakers no doubt formulated in good faith. But vague wording together with a liberal sprinkling of technical ignorance means the amendment as it stands could well criminalise large portions of the IT community.

Section 41 of the bill includes a new offence of "making, supplying or obtaining articles for use in computer misuse offences" but is worded in such a vague way as to effectively make it illegal to make any tool available simply on the grounds that it could be used for hacking. It makes about as much sense as banning knives from kitchens and dinner tables, and going on to ban forges and all knife-producing machinery simply because their end product could be used to commit a crime. Some experts have even suggested that the definition of what is banned could be so broad as to criminalise the act of informing people about security vulnerabilities.

The feeling that IT professionals are being actively hampered by lawmakers, rather than empowered by them, was further exacerbated by the re-emergence of the Regulation of Investigatory Powers (RIP) Act. This, alongside other legislative gems such as the Anti-Terrorism Act, the Data Protection Act and the Human Rights Act, has added to the already hefty compliance burden facing IT professionals. Under the RIP Act, authorities will be able to order the disclosure of encryption keys, or force suspects to decrypt protected data. The problem, which was pointed out when the Act was first introduced, is this: what happens if you forget your password, or if you simply don't own the key for encrypted data that is found on your PC?

At a recent meeting of the IT trade body Intellect to discuss the development of the UK Information Economy, the consensus from the gathered experts was that while the government couldn't be expected to formulate much policy that would actually foster growth, it could do a lot to harm it if not properly informed. The update to the CMA and the re-emergence of the RIP Act are brilliant examples of the kind of harm we should all be worried about, and of why it is incumbent on the IT industry to engage with government or suffer the consequences.