[ISN] Computer Misuse Act could ban security tools

From: InfoSec News (alerts@private)
Date: Wed Nov 22 2006 - 23:20:26 PST


http://www.theregister.co.uk/2006/11/22/cma_could_ban_security_tools/

By OUT-LAW.COM 
22nd November 2006

The new Police and Justice Act, published today, could criminalise 
legitimate IT security activity. There are fears among security experts 
that changes it makes to the Computer Misuse Act will make it illegal to 
distribute some vital tools.

The new law modifies the Computer Misuse Act of 1990, the cornerstone of 
Britain's anti-hacking law. The changes make clear for the first time 
that denial of service attacks are an offence [1], but they also address 
the distribution of hacking tools.

The new Act will make a person guilty of an offence "if he supplies or 
offers to supply any article believing that it is likely to be used to 
commit, or to assist in the commission of, [a hacking offence]". The 
word "article" is defined in the Act to include "any program or data 
held in electronic form".

Some software tools commonly used by IT security professionals can also 
be used for malicious purposes, making the new legislation a cause for 
concern.

"This applies particularly to dual use tools like nmap, which security 
professionals use to check if a network is insecure or not and which the 
bad guys use to scan for insecurities to then attack it," said Richard 
Clayton, a member of digital rights group the Open Rights Group and a 
security researcher at Cambridge University. "Distributors of this have 
to decide if the people getting it from them are the good guys or the 
bad guys."

Legal argument and uncertainty will surround what exactly constitutes 
"likelihood" to be used for malicious purposes. "The Home Office 
believes that likely is more than 50 per cent, so you have to have a 
trial within a trial to decide if it is more than 50 per cent likely 
that distribution is more likely than not to result in an offence being 
committed," said Clayton.

The final wording of the legislation is broader than was initially 
proposed. A version of the bill published in January 2006 [2] (145 
page/663KB PDF, at clause 35) made the offence contingent upon knowledge 
or intent that the article would be used for hacking; but the final 
version reduced that requirement to a belief that such use is likely.

The legislation may have been broadened as it went through Parliament to 
ensure that a person can be prosecuted if, for example, he posts 
software to the internet with a reckless disregard for its use.

Another fear of the new law is that it could be stretched to apply to 
warnings about security flaws and damage the ability of security firms 
to warn about third party software security breaches.

"The difficulty in the Act is that it says 'any item' and people are 
worried that that might include information about a piece of software's 
security vulnerability," said Clayton. "If you distribute information 
about a security vulnerability and the bad guys use it to attack it then 
the information about that vulnerability might qualify."

That could then allow software companies themselves to block publication 
of their products' flaws. "There are worries that software companies 
will use this to stop people publishing information about security 
flaws, to suppress that because they don't want the information out," 
said Clayton.

Security company Sophos said it did not plan to alter its practices, 
despite the law change. "We have no intention of changing our procedures 
in light of this legislation," said Carole Theriault, a spokeswoman for 
Sophos. "We don't believe it likely that any information relating to a 
computer threat supplied by us would be used to commit an offence.

"Trusted vendors in the security market provide information and tools to 
prevent security risks, certainly not to help them," said Theriault. "We 
are always careful; common sense dictates that we obfuscate information 
that might help someone contemplating online crime."

See:

* The Police and Justice Act 2006 (184 page/875KB PDF; see clauses 35-38)
  http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en.pdf

* The Computer Misuse Act 1990 (before amendment)
  http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

Copyright 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

-=-

[1] http://www.out-law.com/page-7462
[2] http://www.publications.parliament.uk/pa/cm200506/cmbills/119/2006119.pdf


This archive was generated by hypermail 2.1.3 : Wed Nov 22 2006 - 23:24:26 PST