U.K. hack tool guidance 'confused', says expert

The U.K. Crown Prosecution Service guidance for the interpretation of laws designed to stop the distribution of hacker tools has raised fears of prosecution for distributing network-testing tools.
Written by Tom Espiner, Contributor

Guidelines published this week by the U.K. Crown Prosecution Service (CPS) on how to interpret amendments to the Computer Misuse Act have been branded "confused" by a renowned security expert.

The Computer Misuse Act (CMA) amendments criminalize the production, distribution and use of software for malicious attack. Richard Clayton, a security researcher at the University of Cambridge, said that while much of the guidance from the CPS on how to interpret the amendments was "extremely sensible", there were still "significant difficulties" in dual-use tool distribution offenses.

The problem as Clayton sees it is that many software tools, such as network vulnerability scanning tools, are dual-use, or can be used for both malicious and benign purposes.

The CPS guidance gives an example of basing a decision to prosecute a suspect on the amount of thought that has gone into how a tool has been distributed. Distribution to a "closed and vetted list of security professionals" should be viewed differently from dual-use tools "posted openly". Clayton argued that this was too restrictive.

"For almost all [CMA] offenses the prosecution has to prove intent--they have to show you are a bad person," Clayton said on Thursday. "The problem with the guidance on distribution offenses is that it catches someone that doesn't write or use [dual-use tools], but merely provides the program on a Web site. Most security tools are general purpose--they are like Swiss Army knives. Most people use Swiss Army knives for jobs like taking the stones out of horses' hooves. We tend to prosecute the people who use [the knives] to stab other people. We don't prosecute shop keepers for selling Swiss Army knives in the first place."

The CPS guidance, published on Monday, states that prosecutors should be aware there is a legitimate security industry that uses dual-use tools. However, the guidance states they should in part base a decision to prosecute on the likelihood of the tool that is being distributed being used for malicious purposes.

Clayton criticized this CPS provision, saying that the meaning of a tool being "likely" to be used for criminal purposes remained unclear.

"It's all a bit confused," said Clayton. "There's no discussion of what 'likely' might mean. Is this a greater than 50 percent probability [that the tools will be used maliciously]? This is not the crystal clear guidance we were promised."

Clayton added that specific programs, such as penetration testing tools, were designed with the express purpose of hacking into systems, and that the distribution of such tools would be limited by U.K. law.

The amendments to the CMA were brought into U.K. law in the Police and Justice Act 2006.

The CPS declined to comment on Clayton's specific criticisms at the time of writing. However, a CPS spokesperson stated: "In accordance with usual practice, prosecutors will consider each case on its own merits. Legal guidance provides prosecutors with pertinent aspects to consider in respect of a potential prosecution."