Guidelines published this week by the U.K. Crown Prosecution
Service (CPS) on how to interpret amendments to the Computer Misuse Act have
been branded "confused" by a renowned security expert.
The Computer Misuse Act (CMA) amendments criminalize the production,
distribution and use of software for malicious attack. Richard Clayton, a
security researcher at the University of Cambridge, said that while much of the
guidance from the CPS on how to interpret the amendments was "extremely
sensible", there were still "significant difficulties" in dual-use tool
The problem, as Clayton sees it, is that many software tools, such as network
vulnerability scanners, are dual-use: they can be used for both malicious
and benign purposes.
The CPS guidance
gives an example of basing a decision to prosecute a suspect on the amount of
thought that has gone into how a tool has been distributed. Distribution to a
"closed and vetted list of security professionals" should be viewed differently
from dual-use tools "posted openly". Clayton argued that this was too
"For almost all [CMA] offenses the prosecution has to prove intent--they
have to show you are a bad person," Clayton said on Thursday. "The problem with
the guidance on distribution offenses is that it catches someone that doesn't
write or use [dual-use tools], but merely provides the program on a Web site.
Most security tools are general purpose--they are like Swiss Army knives. Most
people use Swiss Army knives for jobs like taking the stones out of horses'
hooves. We tend to prosecute the people who use [the knives] to stab other
people. We don't prosecute shop keepers for selling Swiss Army knives in the
The CPS guidance, published on Monday, states that prosecutors should be
aware that there is a legitimate security industry that uses dual-use tools. However,
the guidance also states that they should base a decision to prosecute in part on
the likelihood that the tool being distributed will be used for malicious
Clayton criticized this CPS provision, saying that the meaning of something
being "likely" to be used for criminal purposes remained unclear.
"It's all a bit confused," said Clayton. "There's no discussion of what
'likely' might mean. Is this a greater than 50 percent probability [that the
tools will be used maliciously]? This is not the crystal clear guidance we were
Clayton added that specific programs, such as penetration testing tools, were
designed with the express purpose of hacking into systems, and that the
distribution of such tools would be limited by UK law.
The amendments to the CMA were brought into UK law in the Police and
Justice Act 2006.
The CPS declined to comment on Clayton's specific criticisms at the time of
writing. However, a CPS spokesperson stated: "In accordance with usual practice,
prosecutors will consider each case on its own merits. Legal guidance provides
prosecutors with pertinent aspects to consider in respect of a potential