IT pros criminalised by CMA update?

IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.

The Police and Justice Bill will update the UK's existing Computer Misuse Act (CMA), bringing in new powers to address the rise of organised cyber-criminals and offences such as denial of service attacks. It was passed by the House of Commons earlier this month, and will be considered by the House Of Lords over the next couple of months.

Leading figures in the UK technology sector believe that the bill, as it currently stands, would outlaw a range of innocent activities.

Section 41 of the bill would amend the CMA to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".

It reads:
"A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article -
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the CMA]; or
(b) believing that it is likely to be so used.

Dr Richard Clayton of Cambridge University believes that section 41, part (b), as currently laid out, would catch a wide range of IT tools and activities that are not meant to be used in hacking but potentially could be.

Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law.

He said: "Perl is almost universally used on a daily basis to permit the internet to function. I doubt if there is a sys-admin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offence under section 1 or section 3 of the CMA will use Perl as part of their toolkit.

"Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable."

People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.

He argued: "The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the internet less safe."

Malcolm Hutty, regulation officer at the London Internet Exchange, shares Clayton's fears about the bill. He believes it would make people much more reluctant to make useful software tools available to the public.

Hutty said: "We are concerned that the scope of [section 41 of] the bill is too broad, and could criminalise a lot of innocent people."

He said organisations such as Linx have been urging the Home Office to have the bill altered. Some amendments were made following these lobbying efforts but Hutty believes the government should have gone further.

He also believes section 41 could be interpreted as including the supply of information about security vulnerabilities, as that advice could be used to commit a criminal offence.

Hutty said: "You could reveal details of a security flaw, and someone could hear that and decide that not everyone would be patched yet," adding that this could even include media outlets which reported on security flaws.

The Home Office denies suggestions the bill will criminalise systems administrators by outlawing software which could be used in cyber crime attacks.

A Home Office spokeswoman said: "There is a hacking amendment but it doesn't criminalise those innocent of hacking attacks. [It] shifts the emphasis on to those intending to deliberately develop tools for criminal use."

Graeme Wearden and Tom Espiner write for ZDNet UK