A Conservative peer's attempt to amend a law that could criminalise IT professionals has failed.
The Earl of Northesk's attempt to introduce amendments to the Computer Misuse Act 1990 (CMA) through the Police and Justice Bill 2006 did not pass committee stage discussions on Wednesday.
This proposed law has been heavily criticised by Lords and senior security experts, who say it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking.
The Earl of Northesk attempted to delete a section of the Act which he argued will make it illegal to create or distribute software tools that are likely to be used for hacking purposes. The clause, sub paragraph (b) of Section 41 of the Act, makes it an offence to release any application that is likely to be used for cybercrime purposes.
It is intended to address the rise of organised cybercrime. However, Northesk believes this could seriously backfire.
"Potentially, the police could fall foul of this law. This wasn't denied [in the discussion], which I find surprising," the Earl of Northesk told ZDNet UK.
The Earl of Northesk also said that ethical hacking and penetration testing could be made illegal by the law, as well as courses offering ethical hacking training.
"Increasingly universities are offering ethical hacking degrees, such as Aberdeen. Under sub paragraph (b), these would be illegal. Again, this wasn't countered," said Northesk.
The peer said it was unlikely that his amendment would now be carried into law.
"I don't hold out much hope for a parliamentary response — their minds are set," Northesk said.
As it stands, the current text of the amendment states:
After section 3 of the 1990 Act [CMA] there is inserted —
"3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article —
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or
(b) believing that it is likely to be so used.
Dr Richard Clayton of Cambridge University warned in May that part (b) would catch a wide range of IT tools and activities that are not meant to be used in hacking, but potentially could be.
Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.
"Perl is almost universally used on a daily basis to permit the Internet to function," said Clayton. "I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."
Part (b) has also been strongly criticised by security experts from the United Kingdom Education and Research Networking Association (UKERNA), the body responsible for the JANET educational network.
Andrew Cormack, chief security adviser for UKERNA, told ZDNet UK in May that the amendment would be likely to criminalise those who create or supply tools that have the potential for both legitimate and malicious use.
"A satisfactory law on making and supplying tools has to take account of the intention of the person making or supplying them. A person who clearly intends them to be used for good must not be at risk of prosecution," said Cormack.






Talkback
Excellent. Hopefully the UK will go at it in full force with this new law and thus one more potential global competitor will be removed from the face of the earth because surely once such an idiotic law is enforced the UK will become crackers' paradise soon enough. Might I suggest that the UK moves equally swiftly with enforcing software patents, DRM, closed formats and a whole range of other proposals as proposed by self interested lobbyists or otherwise clueless so to set an example for the rest of the earth? No pun intended. Just see it as one man's death is another man's bread. And good luck then with your upcoming recession. Just imagine a country where computers and its data are no longer in the control of their owners. You'll be paying extortion prices (yes, even more than you do now) just to get something out of your computers. I'm sure you'll make a lot of overseas stockholders very happy.
Britannia rules the waves? Sorry, wooden boats are obsolete for some time now. The information era requires other means of control and giving away that control won't put you in the corner of happy receivers by far.
You have only yourselves to blame really. After all, who voted who into power? Being clueless about what makes the information era really tick doesn't excuse you from having to deal with living with the consequences of making bad decisions. Period.
Since the target for most phishing attacks and trojan distribution is either Outlook or Internet Explorer, would not Microsoft be instantly criminalised on enactment of this part of the proposed new law?
For Outlook read all other producers of e-mail clients, for Explorer read all other producers of net clients.
If you think about it ALL the IT industry will be co-defendants.
Not retrospective so MS would have to withdraw old OS and IEs and everyone would have to buy new.
We do seem to have a bad legal system where bad laws are made by clueless people.
These laws are then not verbatim, but are interpreted, first by the Police who again have a lack of knowledge and then by barristers, judges etc, who by career definition are not IT professionals and therefore haven't a clue.
Best idea is to ignore the prerequisite for evidence and ship all our cybercriminals off to the States where they know what they are talking about. Damn, appears TB is already one up on me on that one!
Just realised that this is built upon their proven track record, after all by making owning sporting guns illegal, the government stopped all gun crime at a stroke.
This well thought out IT legislation will obviously stop all illegal computer activity from day 1 and I might even stop receiving spam.
Silly me I should have trusted them instead of raising doubts.
I have never used Perl, I looked at it but never bothered with it.
I also love this advert that is on the side
Excellent C++ - Gain Security Skills to 55000
That job is now illegal, there goes the government's tax monies!