The most recent changes to the Computer Misuse Act give prosecutors the power to pursue those who help or enable others to commit computer crime. While I am very supportive of this addition, I am also in great fear of this change and its consequences - the amendments are so vaguely worded that they will instantly turn security researchers into criminals once they come into force later this year, writes Ivan Ristic, vice-president of security research at Breach Security.
The new section 3A states that a person is guilty of an offence if "he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence". The word "article" covers any program or data held in electronic form, which means it includes not only security tools but also research papers, blog posts, e-mail messages and other forms of electronic communication.
The ambiguous language seems to be intentional: it was designed to enable prosecutors to indict whomever they wish. And that is one of the problems: do I feel comfortable knowing my research activities will be reviewed by prosecutors who, in all likelihood, will not have a full grasp of the subject matter? No, I absolutely do not. I might end up being exonerated in court, but a trial would most certainly ruin me financially, throw me into despair and otherwise wreck my life.
Take for example Daniel Cuthbert, a security consultant who in 2005 was prosecuted for testing the security of a website to which he had previously donated money to help tsunami victims. Although he tested the site with only two probes and did not achieve anything, he was detected, identified, arrested and charged, even though it was clear he had no malicious intent.
Vagueness aside, the provision shows complete disregard for how security research is conducted today: collaboratively and entirely in the open. The security problems we are trying to solve are so tough that no single person, or even organisation, stands a chance working alone. Yet the law penalises public communication, effectively excluding security researchers in Britain from participation in the global security community.
Judging from the information available so far, the only way to stay reasonably safe from prosecution is to make sure every exchange of tools and information is accompanied by a signed declaration confirming that the receiving party understands what is lawful and what is unlawful, and that they do not intend to use the information to contravene the Computer Misuse Act. That should keep all those providing consultancy and training services safe, but does anyone really think it will prevent criminals from obtaining offensive tools?
The truth is that laws cannot do anything to stop the production and dissemination of offensive tools and information. Such activities have traditionally been conducted underground anyway, with the authors' identities hidden. Thus the focus should be on the ability to prosecute those who are caught red-handed, while leaving the rest of us to do our jobs in peace.