Feeds

Computer Misuse Act could ban security tools

Publishing software flaws now an offence?

High performance access to file storage

The new Police and Justice Act, published today, could criminalise legitimate IT security activity. There are fears among security experts that changes it makes to the Computer Misuse Act will make it illegal to distribute some vital tools.

The new law modifies the Computer Misuse Act of 1990, the cornerstone of Britain's anti-hacking law. The changes make clear for the first time that denial of service attacks are an offence, but they also address the distribution of hacking tools.

The new Act will make a person guilty of an offence "if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, [a hacking offence]". The word "article" is defined in the Act to include "any program or data held in electronic form".

Some software tools commonly used by IT security professionals can also be used for malicious purposes, making the new legislation a cause for concern.

"This applies particularly to dual use tools like nmap, which security professionals use to check if a network is insecure or not and which the bad guys use to scan for insecurities to then attack it," said Richard Clayton, a member of digital rights group the Open Rights Group and a security researcher at Cambridge University. "Distributors of this have to decide if the people getting it from them are the good guys or the bad guys."

Legal argument and uncertainty will surround what exactly constitutes "likelihood" to be used for malicious purposes. "The Home Office believes that likely is more than 50 per cent, so you have to have a trial within a trial to decide if it is more than 50 per cent likely that distribution is more likely than not to result in an offence being committed," said Clayton.

The final wording of the legislation is broader than was initially proposed. A version of the bill published in January 2006 (145 page/663KB PDF, at clause 35) made the offence contingent upon knowledge or intent that the article would be used for hacking; but the final version reduced that requirement to a belief that such use is likely.

The legislation may have been broadened as it went through Parliament to ensure that a person can be prosecuted if, for example, he posts software to the internet with a reckless disregard for its use.

Another fear of the new law is that it could be stretched to apply to warnings about security flaws and damage the ability of security firms to warn about third party software security breaches.

"The difficulty in the Act is that it says 'any item' and people are worried that that might include information about a piece of software's security vulnerability," said Clayton. "If you distribute information about a security vulnerability and the bad guys use it to attack it then the information about that vulnerability might qualify."

That could then allow software companies themselves to block publication of their products' flaws. "There are worries that software companies will use this to stop people publishing information about security flaws, to suppress that because they don't want the information out," said Clayton.

Security company Sophos said it did not plan to alter its practices, despite the law change. "We have no intention of changing our procedures in light of this legislation," said Carole Theriault, a spokeswoman for Sophos. "We don't believe it likely that any information relating to a computer threat supplied by us would be used to commit an offence.

"Trusted vendors in the security market provide information and tools to prevent security risks – certainly not to help them," said Theriault. "We are always careful – common sense dictates that we obfuscate information that might help someone contemplating online crime."

See:

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Nokia offers 'voluntary retirement' to 6,000+ Indian employees
India's 'predictability and stability' cited as mobe-maker's tax payment deadline nears
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Adrian Mole author Sue Townsend dies at 68
RIP Blighty's best-selling author of the 1980s
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Analysts: Bright future for smartphones, tablets, wearables
There's plenty of good money to be made if you stay out of the PC market
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.