The most recent
changes to the Computer Misuse Act will give power to prosecute
those who help or enable others to commit computer crime. While I
am very supportive of this addition, I am also in great fear of
this change and its consequences - the amendments are so vaguely
worded that they will instantly turn security researchers into
criminals once they come into force later this year, writes Ivan
Ristic, vice-president of security research at
Breach Security.
The new section 3A states that a person is guilty of an offence
if "he supplies or offers to supply any article believing that it
is likely to be used to commit, or to assist in the commission of,
an offence". The word "article" is defined to include any program
or data held in electronic form, which means the offence covers not
only security tools but also research papers, blog posts, e-mail
messages and other forms of electronic communication.
The ambiguous language seems to be intentional: it was designed
to enable prosecutors to indict whomever they wish to. And that is
one of the problems: do I feel comfortable knowing my research
activities will be reviewed by prosecutors who, in all likelihood,
will not have the full grasp of the subject matter? No, I
absolutely do not. I might end up being exonerated in court, but a
trial would most certainly ruin me financially, throw me into
despair and otherwise ruin my life.
Take for example
Daniel Cuthbert, a security consultant who in 2005 was
prosecuted for probing the security of a website through which he
had earlier donated money to help tsunami victims. He sent the site
two probes and achieved nothing, yet he was detected, identified,
arrested and convicted, although it was clear he had no malicious
intent.
Vagueness aside, the provision completely disregards how
security research is conducted today: collaboratively and entirely
in the open. The security problems we are trying to solve are so
tough that no single person, or even organisation, has a chance
working alone. Yet the law discriminates against public
communication, effectively excluding security researchers in
Britain from participating in the global security
community.
Judging from the information available so far, the only way to
stay reasonably safe from prosecution is to make sure every
exchange of tools and information is accompanied by a signed
declaration confirming that the receiving party understands what is
lawful and what is unlawful, and that they do not intend to use the
information to contravene the Computer Misuse Act. That should keep
all those providing consultancy and training services safe, but
does anyone really think it will prevent criminals from obtaining
offensive tools?
The truth is that laws cannot do anything to stop the production
and dissemination of offensive tools and information. Such
activities have traditionally been conducted underground anyway,
with the authors' identities hidden. Thus the focus should be on
the ability to prosecute those who are caught red-handed, while
leaving the rest of us to do our jobs in peace.