[ISN] How to legislate against hackers

From: InfoSec News (isn@private)
Date: Tue Mar 14 2006 - 00:12:15 PST


http://news.bbc.co.uk/1/hi/technology/4799338.stm

13 March 2006

Everyone is in favour of sending hackers to prison for longer, but
technology commentator Bill Thompson wonders if our MPs are competent
to make good cyber-laws.

If all goes to plan and the fuss over ID cards and school governance
does not derail the parliamentary timetable, then we will soon have a
new Police and Justice Act.

It makes many changes to the criminal law, but anyone considering
writing a virus, hacking a bank system, launching a phishing or denial
of service attack or installing some of the dodgier tools that can be
used to 'test' network security should pay particular attention to
clauses 33 to 36.

These amend the 1990 Computer Misuse Act in line with recommendations
made last year by the All Party Internet Group of MPs, and take on
board Tom Harris MP's proposals from his recent private member's bill.

If they go through then the maximum penalty for hacking will become 10
years for the most serious offences. The new act will also make it an
offence to supply the software used to break into systems, and make it
clear that denial of service attacks, where large numbers of requests
are sent to a server, count as hacking.

MPs from all parties have welcomed the changes, even though they do
not much like the rest of the bill, and overall they seem an
acceptable update of the original act.

The All Party Internet Group has a reputation for being sensible when
it comes to negotiating the interface between law and technology.

In this case they refused to be bounced into proposing the sort of
illiberal measures that often emerge when computer security and
critical information infrastructure are being discussed.


Lack of clarity

I have been around long enough to remember the original Computer
Misuse Bill back in 1990.

It was proposed by a Conservative backbench MP, Michael Colvin, and
supported by the government at a time when viruses were spread by
floppy disk and hackers used university systems to break into
government and military installations.

Mr Colvin knew little about computers or computing, and had proposed
the bill as a result of lobbying after he came near the top in the
ballot for private member's bills.

Although it concerned computers and hacking (using a computer system
without the owner's consent), it famously failed to define what a
computer was.

I pointed out to him that this would mean I was committing a criminal
offence if I reprogrammed a video recorder at a friend's house without
asking first, and he was happy to accept this. His argument was that
the courts would not allow anything so foolish to proceed.

He was right in his belief that the courts would be cautious about
allowing prosecutions. However, the lack of clarity in the act was
almost certainly the reason why it was used so rarely in the last 15
years, since the chances of a defendant being able to wriggle out of a
conviction are too high for it to be worth prosecuting.

On the occasions when it has been applied rigidly it has sometimes
produced results as bad as we feared it would.


Law and knowledge

Last October, Londoner Daniel Cuthbert was fined for probing a website
set up to raise funds for victims of the Asian tsunami with a range of
security tools after he failed to get a confirmation that his donation
had been registered.

The proposals in the new bill that deal with the possession of
security software could easily be abused to make life difficult for
researchers or those, like me, who want to understand what these tools
do.

Understanding the difference between a security tool, used to probe
networks looking for holes that can be patched, and a hacker toolkit,
used to probe networks looking for holes that can be exploited, is as
much one of intention as implementation.

We should be wary of laws which require judges to look into the mind
of the accused, and not only because every philosopher of mind tells
us that such access is impossible.

Too few MPs really understand the issues at stake here. None on the
front benches, apart perhaps from former computer consultant Stephen
Timms, could describe why a port scan might be a legitimate activity
or even, I suspect, what a network port is in the first place.

And with the departure of Richard Allan from the House of Commons at
the last election, Parliament lost its only serious programmer.

This is a matter of growing concern. It is clear that the debate about
the implementation of ID cards hinged on an assessment by MPs and
peers of the technical arguments put forward on both sides, but few of
those arguing were really competent to judge the issue.


Complex issues

This week I will be speaking at a seminar in London, organised by the
Westminster eForum. We are talking about copyright and digital rights
management and other issues which may well take up some serious
parliamentary time in the next few years, especially when Andrew
Gowers finishes his review of intellectual property law for the
Treasury.

Although it is reassuring that Derek Wyatt, one of the few MPs who
does embrace the internet, is chairing, I suspect we will see few of
his fellow members there even though this is another issue where
technology and law are inextricably linked.

MPs will argue that they are perfectly capable of being briefed on the
most complex issues, but this assumes that they can get unbiased and
comprehensible briefings. Some of the technical issues underlying ID
cards, DRM and computer crime may well not be amenable to this
approach.

So what are we to do? Do we let generalist MPs with no real
comprehension of what they are doing make law based on the last piece
of lobbying they received?

We could call this the e-Lothian question, after the long-standing
concern over letting MPs for Scottish constituencies vote on purely
English matters even after the Scottish Parliament was set up.

Perhaps we should limit voting on clauses 33 to 36 of the Police and
Justice Bill to those MPs who can demonstrate that they have at least
two e-mail addresses, know how to use an RSS reader and can download
and install their own web browser.

Somehow, I do not think they will go for it. Unless we recognise that
MPs need a better understanding of technology we will continue to get
bad law, just like we did in 1990.


-----------------------------------------------------------------
Bill Thompson is a regular commentator on the BBC World Service
programme Go Digital
