This is still one of the very few UK blogs which has bothered to comment on the wretched Police and Justice Bill 2006, especially on the Miscellaneous Part 5 Computer Misuse amendments to the Computer Misuse Act 1990.
We were hoping to read some online expert commentary and discussion on the detailed implications of this Bill on IT Security and Privacy issues, but either our search engine query skills are lacking, or, yet again, it seems to be down to us, by default, to try to stimulate a bit of intelligent discussion on this topic.
As is typical for the Home Office, they do not appear to have bothered to produce a Regulatory Impact Assessment of the Computer Misuse clauses of the Police and Justice Bill.
There does not appear to have been any private thought or public consultation about the cumulative effect on IT Security and Privacy issues of the combination of the Police and Justice Bill, 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005.
The Police and Justice Bill clauses 34 to 36 which amend the Computer Misuse Act are:
- 33 Increased penalty etc. for offence of unauthorised access to computer material - Prosecutions of any sort, let alone convictions for "unauthorised modification", under the existing Computer Misuse Act, run at fewer than 20 a year, i.e. they are rarer than prosecutions for murder. Increasing the penalty will do nothing for deterrence of crime, but it does lead to some unjust and stupid "double jeopardy" risks in combination with other legislation.
- 34 Unauthorised acts with intent to impair operation of computer, etc. - This is utterly inadequate to protect us from Denial of Service attacks, and suffers from the classic problem of not defining accurately what is a DoS attack, and what is negligence, or is overselling of a Quality of Service Agreement, or is simply normal unforeseen peak demand for a commercial or public service, i.e. normal congestion or queues.
- 35 Making, supplying or obtaining articles for use in computer misuse offences - This is utterly inadequate to protect us from computer malware such as viruses, trojan horses, password sniffers etc. It does not bother to distinguish between "dual use" software tools such as a web browser, a computer scripting or programming language, or network analysis or security vulnerability testing tools, or to give any exemptions to the "possession" or "obtaining" of such normal, common items. Either this will be completely unenforceable, or it will have a chilling effect on legitimate IT security defence research in the UK.
- 36 Transitional and saving provision - It is hard to imagine how the Home Office could botch the clause dealing with the commencement of the above clauses, but they have managed to do so due to their fondness for all-embracing wording such as "every". They do not appear to have considered that they are providing an exemption for "slow burn" Denial of Service attacks, e.g. a "bot net" which is currently growing, or stealthy reconnaissance probes or virus malware which is currently spreading, or denial of service attacks which continue for a long period of time and which will still be attacking systems if and when these clauses pass into law.
- Sneakily and unobviously, there is also text within the portmanteau Schedule 13 Minor and Consequential Amendments which illogically, and without explanation of what the Home Office is trying to achieve, amends the Criminal Damage Act 1971 and also amends Section 2 and repeals Section 11 of the Computer Misuse Act 1990.
The main clauses 33 to 36 run to only two and a half pages in this Bill.
Contrast this with the detailed procedures and alternative scenarios which the very same Bill goes into for a single minor amendment, designed to prevent the police from having to return child porn images to the owners of computers etc. which they have seized. This Schedule 11 runs to over 7 pages!
Surely something as important to national security, personal liberty and privacy and the national economy as Information Technology Security and Privacy deserves its own full Bill, which could then deal with these complicated issues properly? Instead these clauses are tagged onto the end of a complicated Bill, the main purpose of which is the controversial proposal to combine various Police forces together, and which will therefore soak up the limited attention span of politicians and journalists.
There is a distinct danger that Parliament will not even debate these Computer Misuse Act amendment clauses, as they are tagged on in the Miscellaneous section at the end of the Bill.
It should be noted that these woefully inadequate computer misuse clauses were not even authored by the Home Office itself, but have been cut and pasted from the failed private member's Bill, the Computer Misuse Act 1990 (Amendment) Bill presented in April 2005 by Derek Wyatt MP, the chairman of the All Party Parliamentary Internet Group (APIG).
APIG seems to be at least partly funded by lobbyists Political Intelligence, on behalf of the Internet Service Providers Association (ISPA). This UK trade body has even awarded its "internet hero" award to APIG for lobbying for the useless Denial of Service attack clause.
An ISPA spokesperson said, “The All Party Parliamentary Internet Group received this award for its recommendations to amend the Computer Misuse Act (CMA) to further protect individual websites and the infrastructure of the Internet against the threat of distributed denial-of-service (DDOS) attacks.”
Presumably this is why there is neither any protection for Domestic Consumers and Business Customers in these clauses, nor any Corporate Liability or criminal penalties for IT Security or Privacy specific negligence, nor anything to do with Quality of Service issues.
The cosy relationship between the Home Office and vested financial interests in the telecoms and internet industries is not serving the public interest of domestic or business consumers in general, whom the Home Office usually fails to bother to consult on these issues. They do not appear to even have bothered to consult the independent industry regulator Ofcom, and, as mentioned before, there is no sign of a Regulatory Impact Assessment of the costs of these measures on the public and private sectors.
There is no announcement of any increase in skilled manpower or training budgets for the Police to be able to actually enforce these new amended laws; presumably the Home Office assumes that this will somehow happen by magic.
The increase in penalties from 5 to 10 years in prison for unauthorised modifications to computer data, for any and all "computers", is far too general a penalty, especially as prosecutions, let alone convictions, for such offences in the UK have been rarer than for murders.
If there is so little enforcement and prosecution, then changing the maximum penalty does nothing to prevent the crimes in the first place.
These clauses also need to be seen in context with the now renamed Clause 29 Tampering with the Register etc. under the controversial Identity Cards Bill 2005, which also sets up to a 10 year prison penalty (and / or an unlimited fine) only for National Identity Register connected computer systems (not just the NIR itself, but every other private sector or other government department system which is authorised to connect to the Home Office's systems), and which also, in a vague and stupid way, seeks to cover Denial of Service attacks on the NIR.
Surely it would be unjust and unfair to have two Acts of Parliament, creating two distinct criminal offences, each providing a separate penalty of up to 10 years in prison, which would both apply at the same time to the same criminal attack on the National Identity Register?
"Denial of Service Attacks" are not even as well defined in this clause 34 as in the Earl of Northesk's private member's Bill, the Computer Misuse (Amendment) Bill 2002, which sought to stimulate debate on this topic back in 2002.
It is not at all clear when such Denial of Service attacks would fall under the Computer Misuse Act as amended by the Police and Justice Bill, and when they would be classed as "terrorism", or "acts preparatory to terrorism".
The controversial definition of terrorism in the Terrorism Act 2000 section 1 includes
"2 (e) is designed seriously to interfere with or seriously to disrupt an electronic system."
which will be compounded by the possible life sentence for "acts preparatory to terrorism" (where "terrorism" is defined as per the Terrorism Act 2000) under the controversial Terrorism Bill 2005 clause 5 Preparation of terrorist acts also currently going through Parliament.
The combination of the Police and Justice Bill 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005 shows that the NuLabour government and the Home Office ministers and bureaucracy are simply not up to speed with IT Security and Privacy issues, do not have a clear idea of what they are doing, and are producing a hodgepodge of vague criminal law which will do nothing to deter criminals or terrorists, especially those based overseas.
These Bills, if passed, will, however, criminalise and demoralise law abiding IT security experts here in the UK, who are trying to defend us against such attacks, whilst doing nothing to tighten up the Government and Corporate IT security and privacy abuses which put the consumer and the general public at risk.
On past performance, we have no confidence that there will be any detailed Parliamentary scrutiny of these badly drafted and fragmented Bills, either in the House of Commons or even in the House of Lords, which will correct and amend the cumulative effect on IT Security and Privacy issues.