It’s well over a year since the Government first brought forward their proposals to make security research illegal, sorry, to crack down on hacking tools.
They revised their proposals a bit, in the face of considerable lobbying about so-called “dual-use” tools. These are programs that might be used by security professionals to check if machines are secure, and by criminals to look for the insecure ones to break into. In fact, most of the tools on a professional’s laptop, from nmap through wireshark to perl, could be used for both good and bad purposes.
The final wording means that to successfully prosecute the author of a tool you must show that they intended it to be used to commit computer crime; and intent would also have to be proved for obtaining, adapting, supplying or offering to supply … so most security professionals have nothing to worry about, in theory. In practice, of course, being accused of wickedness and having to convince a jury that there was no intent would be pretty traumatic!
The most important issue that the Home Office refused to concede was the distribution offence. The offence is to “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]”. The Home Office claim that “likely” means “more than a 50% chance” (apparently there’s caselaw on what “likely” means in a statute).
This is of course entirely unsatisfactory. You can run a website for people to download nmap for years without problems; then if one day you look at your weblogs and find that everyone in Ruritania (a well-known Eastern European criminal paradise) is downloading from you, suddenly you’re committing an offence. Of course, if you didn’t look at your logs then you would not know, and maybe the lack of mens rea will get you off? (IANAL! so take advice before trying this at home!)
The hacking tools offences were added to the Computer Misuse Act 1990 (CMA), along with other changes to make it clear that DDoS is illegal, and along with changes to the tariffs on other offences to make them much more serious, and extraditable.
The additions are in the form of amendments that are incorporated in the Police and Justice Act 2006, which received its Royal Assent on the 8th November 2006.
However, the relevant sections, s35–38, are not yet in force! viz: hacking tools are still not illegal and will not be illegal until, probably, April 2008.
The reason for this is that the Serious Crime Bill, which has just started its progress through the House of Commons after a moderately rough ride in the House of Lords, introduces a new offence of “being nice to criminals” (strictly it says, in Part 2, “he does an act capable of encouraging or assisting the commission of an offence”; it’s meant to catch people who hire fast cars to criminals for getaways…)
However, this new offence, which is expected to be brought into force in April 2008 (MPs permitting of course), will overlap with some parts of the amendments to the CMA (though not the hacking tools offences). Since it is considered to be bad form to have two offences for the same thing, this makes it necessary to amend the amendments (hence clause 57 [as presently numbered]).
In their wisdom the Home Office have decided that bringing the CMA amendments in now, and then amending them again, will be too confusing for everyone, so they’ve decided to wait and do everything all at once, which will be next April. So, in the interim, the tariff for unauthorised access remains at six months, the legal situation on DDoS remains confused, and the intentional construction of hacking tools is not yet a crime…
… hmm, except there are provisions in s7 of the Fraud Act, which says “A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article (a) knowing that it is designed or adapted for use in the course of or in connection with fraud, or (b) intending it to be used to commit, or assist in the commission of, fraud”.
So maybe a hacking tool constructed for fraudulent purposes is already illegal! But that would mean two offences for the same thing 🙁 so perhaps you need to find that lawyer to have a chat with after all!
Does this mean that doing something as simple as writing a blog post about using nmap or wireshark could get someone in deep water?
If you wrote a blog post about how to use nmap to commit a CMA offence with the explicit intent that the post should be copied and used by people for that criminal purpose, then you could indeed be prosecuted… though it might look a little thin if that’s all that you’ve done.
There have been similar cases relating to people who published books on how to grow cannabis:
http://www.thepulse.co.uk/lcc.scotland/news0396.htm#18th
IAstillNAL! but it’s probably worth also noting that it is expected that the Director of Public Prosecutions will issue some public guidance on the circumstances in which prosecutions should proceed. The intent is to avoid overreaction by the security community (cancelling training courses etc). That advice is expected in “the summer”, i.e. well before the new offences come into force.
As very rightly mentioned, the brunt of legality involved in the use of security (!) tools will mostly be suffered by ethical hackers/penetration testers/tiger team members/legitimate security auditors. Also, the concepts relating to the intentions of the actor are very vague in both CMA90 and PJA06, and so are the aspects relating to white/grey/black hat hacking.
Even though the amendments to the CMA90, particularly the new Police and Justice Act 2006, deal with DDoS, I’m not quite sure how it is supposed to deal with the application of law and jurisdiction with reference to botnets spread across the world.
Another interesting thing to note is that even though the Fraud Act 2006 has clauses to deal with crimes like phishing, no one has been prosecuted or convicted, for reasons mostly attributed to the well-known technical difficulties of properly gathering sufficient forensic evidence.
@Richard,
“the intent is to avoid overreaction by the security community (cancelling training courses etc)”
‘IF’ the US response to 9/11 is anything to go by, two side effects of this legislation will be:
1, Pressure will be applied from the relevant authorities to have “registered” training schemes, with all the attendant increase in costs and disclosure of attendees’ details etc (with of course big fat fees).
2, A register or trade association will be proposed to make the teaching or practising of security effectively a “closed shop” in order to keep the “appropriate standards” (again with big fat fees).
Oh, and plain simple investigation of security by your ordinary everyday “old school hacker” types will be severely curtailed by the fear of prosecution (similar to that over the DMCA etc).
Which will give large software companies the excuse not to fix security faults, because they will be able to keep the bad news quiet…
All in all I predict that the result of these new laws will be less security overall, oh and, as we have seen with previous ICT legislation in the U.K., a few silly court cases where legal types with insufficient technical ability will make fairly arbitrary decisions based on mainly unfathomable argument that would not survive a blog posting, let alone serious competent review…