Kenneth de Spiegeleire, manager of the security assessment services team at Internet Security Systems (ISS), told MicroScope: “It [Section 58 of the Act] is so vague that about 99 per cent of my consultants could be regarded as terrorists under this Act.”
De Spiegeleire pointed to one of the key areas of the Act, which states a person commits an offence if “he collects or makes a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism, or he possesses a document or record containing information of that kind”.
According to de Spiegeleire: “The way it’s phrased basically means any kind of information you have about security flaws in certain systems is also a possession of information that can be used by a terrorist.
“This means the tools we use to test the security of such operating systems could also be considered as tools that can be used by terrorists. That is an area of concern.”
De Spiegeleire suggested parallels could be drawn with the situation last year with data encryption, when a number of governments around the world wanted to impose restrictions on encryption strength so they would be able to decrypt encrypted data.
“If this Terrorism Act is applied to the strict letter of the law, it would mean most IT security firms, which have a kind of tool that can evaluate security, would be prohibited from developing, possessing and even selling it,” he argued.
This was first published in March 2001