The computer crimes we most often hear about involve fraud, extortion and child abuse but the problematic offences of hacking and viruses, set out in the 1990 Computer Misuse Act, are on the increase.
Computers and networks, and the degree to which we rely on them, have changed almost beyond recognition since 1990, but the framework of the Act remains effective. But to reflect the changed environment, the government is proposing to increase the penalties for unauthorised access and modification of computers in the Police and Justice Bill currently before Parliament.
Hacking and malware have also expanded and, more worryingly, in recent years we have seen an explosion in the availability of hacking tools and services and their use by organised criminals. To target them, we are proposing a new offence to criminalise those individuals who make and distribute hacking tools.
It is important to stress that the new offence does not affect those that use the tools, but covers those who make or distribute them.
There is wide support for a law criminalising individuals who distribute and supply these tools for unlawful means, and the Cybercrime Convention obliges countries to do this. Concerns have rightly been raised about whether the new offence will criminalise IT professionals who make and distribute these tools for legitimate purposes, such as penetration testing or identifying vulnerabilities.
The test for the offence will be whether the person believed at the time that the tool would be used more criminally than legitimately so will not affect them. In a case, the prosecution would need to prove that the accused believed that the hacking tool was likely to be used to commit an offence under section 1 or 3 of the Computer Misuse Act.
In the case of the producer of the hacking tool, it would not be sufficient for the prosecution to show that the tool has been used for illegal purposes on some occasions because that does not prove a belief that the hacking tool in question will definitely be used for criminal means.
On the contrary, the producer would be taken to believe that the hacking tool would be used honestly, as it is in the majority of cases. In the case of a supplier, the prosecution may well need to prove that the supplier knew something about the person to whom he supplied the article on which to base a belief of dishonest use.
It is important that we get the balance right between protecting IT security professionals and those who work to improve the security of products and systems and criminalising those who deliberately develop or supply tools for criminal use. The changes to the Act strike that balance.
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference?
Vote now at: www.computerweekly.com/ITgreats