Peer loses cybercrime fight

Lord Northesk's attempt to prevent IT pros and the police from being criminalised by the updated Computer Misuse Act has failed

A Conservative peer's attempt to amend a law that could criminalise IT professionals has failed.

The Earl of Northesk's attempt to introduce amendments to the Computer Misuse Act 1990 (CMA) through the Police and Justice Bill 2006 did not pass committee stage discussions on Wednesday.

This proposed law has been heavily criticised by Lords and senior security experts, who say it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking.

The Earl of Northesk attempted to delete a section of the Act which he argued will make it illegal to create or distribute software tools that are likely to be used for hacking purposes. The clause, sub paragraph (b) of Section 41 of the Act, makes it an offence to release any application that is likely to be used for cybercrime purposes.

The clause is intended to address the rise of organised cybercrime. However, Northesk believes it could seriously backfire.

"Potentially, the police could fall foul of this law. This wasn't denied [in the discussion], which I find surprising," the Earl of Northesk told ZDNet UK.

The Earl of Northesk also said that ethical hacking and penetration testing could be made illegal by the law, as well as courses offering ethical hacking training.

"Increasingly universities are offering ethical hacking degrees, such as Aberdeen. Under sub paragraph (b), these would be illegal. Again, this wasn't countered," said Northesk.

The peer said it was unlikely that his amendment would now be carried into law.

"I don't hold out much hope for a parliamentary response — their minds are set," Northesk said.

As it stands, the current text of the amendment states:

After section 3 of the 1990 Act [CMA] there is inserted —

"3A Making, supplying or obtaining articles for use in offence under section 1 or 3

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —

(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or

(b) believing that it is likely to be so used.

Dr Richard Clayton of Cambridge University warned in May that part (b) would catch a wide range of IT tools and activities that are not meant to be used in hacking, but potentially could be.

Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.

"Perl is almost universally used on a daily basis to permit the Internet to function," said Clayton. "I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."

Part (b) has also been strongly criticised by security experts from the United Kingdom Education and Research Networking Association (UKERNA), the body responsible for the JANET educational network.

Andrew Cormack, chief security adviser for UKERNA, told ZDNet UK in May that the amendment would be likely to criminalise those who create or supply tools that have the potential for both legitimate and malicious use.

"A satisfactory law on making and supplying tools has to take account of the intention of the person making or supplying them. A person who clearly intends them to be used for good must not be at risk of prosecution," said Cormack.