Legislation drawn up to tackle cyber criminals could catch IT professionals in its net, an expert has warned.
Cambridge University’s Richard Clayton says the Police and Justice Bill, now in the House of Lords, is badly phrased and could be used against IT professionals and security experts who make or distribute security tools.
The bill states that someone is guilty of an offence if they make, adapt, supply or offer to supply an article if they are “intending it to be used to commit” an offence under sections of the Computer Misuse Act covering unauthorised access or the creation of viruses or denial of service attacks.
But a sub-clause adds that someone is also guilty of an offence if they make, adapt, or supply an article “believing that it is likely to be so used”.
Clayton says that those creating legitimate security tools or distributing them for download online could be caught by the legislation if they “believe” it might be used maliciously, even if that is not their intent.
“If you create a dual use tool that could be used for hacking or could be used for good things… that is an offence, believing you could use it for bad things.”
Clayton said, “It seems to me insane to say you are going to look into the state of mind of the tool builder. It just seems nonsensical to me.”
He added: “The Home Office have not understood the notion of ‘dual use’ tools and must change the clause to incorporate the notion of intent to have the bad guys use the tools, not the current wording of ‘believing’ that they might.
“If not then legitimate sysadmins will have fewer tools to use, less safe places to get them from, and legitimate research which makes the Internet more secure will be stifled.”