« Self-signed certificates in production point to a failure of SSL | Main | Defect-free code is vulnerability-free code »

Changes to Computer Misuse Act will turn security professionals into criminals

July 23, 2008

ComputerWeekly has just published my opinion on the forthcoming changes to the Computer Misuse Act (CMA). From the article:

The most recent changes to the Computer Misuse Act will give power to prosecute those who help or enable others to commit computer crime. While I am very supportive of this addition, I am also in great fear of this change and its consequences - the amendments are so vaguely worded that they will instantly turn security researchers into criminals once they come into force later this year.

If you are new to the story you'll find more facts in my previous post: Changes to British law target criminals, but affect the entire security industry.

The CMA seems to be intentionally written to be ambiguous in order to cover all sorts of activities, including the legitimate ones, leaving it to prosecutors to decide what is crime and what isn't. Frankly, I think that is ludicrous.

No one disputes that we need to be able to prosecute all criminal activities, but we shouldn't be destroying the innocent people's lifes in the process. Good intentions only count before laws are passed. Afterwards, laws just have lives of their own.