
And he's not the only one who thinks so...
By Tom Espiner
Published: 26 May 2006 09:00 BST
A proposed UK law has been heavily criticised by a Tory peer and a senior security expert, who say it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking.
Lord Northesk, a Conservative peer, told silicon.com sister site ZDNet UK on Thursday that an amendment to the Police and Justice Bill 2006 will potentially create a situation where the police would have to prosecute themselves.
A clause in the bill will make it illegal to create or distribute software tools that are likely to be used for hacking purposes and is intended to address the rise of organised cyber crime. However, Northesk believes this could seriously backfire.
He said: "Bodies like the Serious and Organised Crime Unit need to do forensic hacking as part of their investigations. If they are creating hacking tools they know full well they'll be used for hacking."
Northesk vowed to fight the bill in the Lords, calling the clause "pure idiocy" and "absolute madness".
He added: "I will definitely be seeking to change it. The Home Office is in enough trouble already, so the thought of them enacting a law to stop the police doing their job is extraordinary."
Northesk said he had support in the House of Lords to change or even abolish the controversial provision.
Section 41 of the bill would amend the Computer Misuse Act to include a new offence of "making, supplying or obtaining articles for use in computer misuse offences".
It reads:
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article -
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.
A Home Office spokeswoman told silicon.com sister site ZDNet UK on Thursday that it was carefully considering the bill, even though it has already been passed by the House of Commons.
She said: "Many legitimate tools can also be used for criminal hacking. Getting the balance right in controlling access to tools by criminal hackers while preserving access to often the same tools by legitimate network administrators is complex.
"We're continuing to consult industry and to clarify the exact effects of the bill as it stands. We are actively considering the precise legal balance before the bill reaches committee stage in the House of Lords."
Northesk said he will table his amendments to section 41 at the committee stage, which should start within the next few weeks.
Part (b) has been strongly criticised by security experts from the United Kingdom Education and Research Networking Association (UKerna), the body responsible for the Janet educational network.
Andrew Cormack, chief security adviser for UKerna, said the amendment would be likely to criminalise those who create or supply tools that have the potential for both legitimate and malicious use.
He said: "A satisfactory law on making and supplying tools has to take account of the intention of the person making or supplying them. A person who clearly intends them to be used for good must not be at risk of prosecution."
Software used to check the security of systems and commercial remote management tools can both be used to gain unauthorised access to computers. However, making any of those tools unavailable to security professionals and systems administrators would greatly reduce the security of systems and networks, according to Cormack.
Cormack said the problem lay in the wording of part (b), which only requires that it is "likely" that some person will misuse the tool. This takes no account of the supplier's or author's intention that it be used for good, or of the possibility that, given the context in which the tool is made available, it is much more likely to be used legitimately.
Cormack added: "Consider what would happen if the same wording were applied to, say, the sale of kitchen knives. Crime statistics, regrettably, suggest that it is likely that some of those knives will be used for crimes. If that were sufficient to make it a serious crime to sell a knife then there would be far fewer kitchen shops and many more people injured by using inappropriate tools to cut food."
Tom Espiner writes for ZDNet UK