The new law modifies the Computer Misuse Act of 1990, the
cornerstone of Britain's anti-hacking law. The changes make clear
for the first time that denial of service
attacks are an offence; but they also address the distribution
of hacking tools.
The new Act will make a person guilty of an offence "if he
supplies or offers to supply any article believing that it is
likely to be used to commit, or to assist in the commission of, [a
hacking offence]." The word "article" is defined in the Act to
include "any program or data held in electronic form".
Some software tools commonly used by IT security professionals
can also be used for malicious purposes, making the new legislation
a cause for concern.
"This applies particularly to dual use tools like nmap, which
security professionals use to check if a network is insecure or not
and which the bad guys use to scan for insecurities to then attack
it," said Richard Clayton, a member of digital rights group the
Open Rights Group and a security researcher at Cambridge
University. "Distributors of this have to decide if the people
getting it from them are the good guys or the bad guys."
Legal argument and uncertainty will surround what exactly
constitutes 'likelihood' to be used for malicious purposes. "The
Home Office believes that likely is more than 50%, so you have to
have a trial within a trial to decide if it is more than 50% likely
that distribution is more likely than not to result in an offence
being committed," said Clayton.
The final wording of the legislation is broader than was
initially proposed. A version of the bill published in January
2006 (a 145-page, 663KB PDF; see clause 35) made the offence
contingent upon knowledge
or intent that the article would be used for hacking; but the final
version reduced that requirement to a belief that such use is
likely. The legislation may have been broadened as it went through
Parliament to ensure that a person can be prosecuted if, for
example, he posts software to the internet with a reckless
disregard for its use.
Another concern about the new law is that it could be stretched to
apply to warnings about security flaws, damaging the ability of
security firms to alert the public to vulnerabilities in
third-party software.
"The difficulty in the Act is that it says 'any item' and people
are worried that that might include information about a piece of
software's security vulnerability," said Clayton. "If you
distribute information about a security vulnerability and the bad
guys use it to attack it then the information about that
vulnerability might qualify."
That could then allow software companies themselves to block
publication of their products' flaws. "There are worries that
software companies will use this to stop people publishing
information about security flaws, to suppress that because they
don't want the information out," said Clayton.
Security company Sophos said that it did not plan to alter its
practices, despite the law change. "We have no intention of
changing our procedures in light of this legislation," said Carole
Theriault, a spokeswoman for Sophos. "We don't believe it likely
that any information relating to a computer threat supplied by us
would be used to commit an offence."
"Trusted vendors in the security market provide information and
tools to prevent security risks – certainly not to help them," said
Theriault. "We are always careful – common sense dictates that we
obfuscate information that might help someone contemplating online
crime."