
Changes to British law target criminals, but affect the entire security industry

April 01, 2008

Back in 2006, at a computer security panel at Infosecurity London, I found myself criticising the proposed changes to the Computer Misuse Act (CMA), which would essentially outlaw any tool or information that could be used to assist in computer crime. Two years later things are pretty much as they were, and the changes are expected to become effective in England some time this year. They are already in effect in Scotland. There was an attempt late last year, by the Crown Prosecution Service (CPS), to clear things up by releasing the promised Guidance to Prosecutors, but that did not help (see here and here, with additional coverage at Heise Security).

The key proposed addition reads as follows (a marked-up copy of the changes is available, courtesy of Clive Feather):

3A Making, supplying or obtaining articles for use in offence under section 1 or 3

  1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  2. A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  3. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
  4. In this section “article” includes any program or data held in electronic form.
  5. A person guilty of an offence under this section shall be liable—
    • on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
    • on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
    • on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

The main issue is the ambiguity of the word "likely" in "[...] likely to be used to commit, or to assist in the commission of, an offence [...]", which effectively criminalises a large number of security professionals who are just doing their jobs.

As any computer security professional will tell you, criminals use essentially the same articles (tools, books, papers and sources of information) as those in charge of making things secure. Making the articles illegal is not going to stop the criminals from using them—they will be too busy committing the actual offences to care—it will just push the articles underground and out of the reach of the good guys. I am guessing the intention of the proposed changes is to reduce the availability of such "dangerous" stuff by restricting the distribution channels. That, however, is a pointless exercise, as it cannot possibly succeed.

A much bigger problem is that the new law leaves too much to interpretation. The risk is just too high: do you want to be in a position to defend your actions in front of a jury that will almost certainly fail to understand the subject matter? Even if you are successful in your defence, such an event will require significant financial resources, disrupt your life, cause you and your family endless pain, and most certainly kill your career.

What are the possible outcomes?

Possession is not likely to be criminalised (from the Guidance: "[...] does not criminalise possession per se unless an intent to use it to commit one of the other offences in section 1 or 3 CMA can be shown."), so it will probably still be safe to research computer security in private, but exchanging information with others might become dangerous. With the threat of prosecution hanging over their heads, most people in the UK are likely to stop publicly discussing what they know.

Full disclosure—no matter what you think of it—will be criminalised, but it won't go away. Those who believe in it will continue to release vulnerability information, but they will likely take precautions to keep their identities secret.

Tool authors will have a choice to make. If they don't change their distribution practices they will risk becoming a target of investigation and, possibly, prosecution. The Guidance seems to imply that the safe way to distribute tools is via a vetted list of computer security professionals. This is not feasible for most tool writers, as they cannot afford the overhead of such a process. On top of that, even if such practices are followed, there is still no guarantee that you won't be prosecuted: each case will be reviewed on its own merits. Thus the alternatives—ending further development or moving the tools underground—seem far more likely.