Compliance Toolkit

UK law will criminalise IT pros, say experts

Tags:
Computer Misuse Act,
Malcolm Hutty,
Richard Clayton,
Police And Justice Bill

Graeme Wearden and Tom Espiner ZDNet.co.uk

Published: 19 May 2006 14:15 BST

IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.

The Police and Justice Bill will update the UK's existing Computer Misuse Act (CMA), bringing in new powers to address the rise of organised cybercriminals and offences such as denial-of-service attacks. It was passed by the House of Commons earlier this month, and will be considered by the House Of Lords over the next couple of months.

Leading figures in the UK technology sector believe that the bill, as it currently stands, would outlaw a range of innocent activities.

Section 41 of the bill would amend the CMA to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".

It reads:
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.

Dr Richard Clayton of Cambridge University believes that part (b), as currently laid out, would catch a wide range of IT tools and activities that are not meant to be used in hacking, but potentially could be.

Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.

"Perl is almost universally used on a daily basis to permit the Internet to function," said Clayton. "I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."

People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.

"The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the Internet less safe," argued Clayton.

Malcolm Hutty, regulation officer at the London Internet Exchange, shares Clayton's fears about the bill. He believes it would make people much more reluctant to make useful software tools available to the public.

"We are concerned that the scope of [section 41 of] the bill is too broad, and could criminalise a lot of innocent people," said Hutty.

He said organisations such as LINX have been urging the Home Office to have the bill altered. Some amendments were made following these lobbying efforts, but Hutty believes the government should have gone further.

He also believes that section 41 could be interpreted as including the supply of information about security vulnerabilities, as that advice could be used to commit a criminal offence.

"You could reveal details of a security flaw, and someone could hear that and decide that not everyone would be patched yet," said Hutty, adding that this could even include media outlets which reported on security flaws.

The Home Office denies suggestions that the bill will criminalise systems administrators by outlawing software which could be used in cybercrime attacks.

"There is a hacking amendment, but it doesn't criminalise those innocent of hacking attacks," said a Home Office spokeswoman. "[It] shifts the emphasis on to those intending to deliberately develop tools for criminal use."