We are puzzled why the UK IT technical press, let alone the mainstream media is not taking more notice of the impending amendments to the Computer Misuse Act 1990, via the Police and Justice Bill 2006. Yet again, only a few blogs such as ourselves, TalkPolitics, Blogscript and, of course, our friends at The Register seem to have taken any notice of this impending legislative disaster.
How long would you consider to be a reasonable time, for Members of Parliament to debate the first substantial attempt to amend the obsolete Computer Misuse Act 1990, to bring it into the Internet age in the 21st Century ?
How long do you think that the House of Commons will spend debating such a vital part of our armoury to defend the Economy and our National Security ? A month ? A week ? A day ?
Since the Programming Motion i.e. " the guillotine" on debate has been passed last Thursday 16th March 2006, then all the following Clauses and Schedules in this complicated and lengthy Bill will have to be dealt with by 7.00 p.m. on Tuesday 28th March:
Clause 7; Schedule 4; Clauses 8 to 10; Schedule 5; Clauses 11 to 13; new Clauses relating to Part 2; new Schedules relating to Part 2; Clause 14; Schedule 6; Clauses 15 to 20; Schedule 7; new Clauses relating to Part 3; new Schedules relating to Part 3; Clauses 21 to 28; Schedule 8; Clauses 29 and 30; Schedule 9; Clause 31; Schedule 10; Clause 32; new Clauses relating to Part 4; new Schedules relating to Part 4; Clauses 33 to 37; Schedule 11; Clauses 38 and 39; Schedule 12; new Clauses relating to Part 5; new Schedules relating to Part 5; Clauses 40 to 43; Schedules 13 and 14; Clauses 44 to 46; remaining new Clauses; remaining new Schedules; remaining proceedings on the Bill
Clause 33 doubles the penalty for the unauthorised access "computer hacking" offence, without clarifying the major problems with the existing legislation, namely that of words like "unauthorised" and "intent".
Remember that any prosecutions, let alone convictions, under the Computer Misuse Act are rarer than that for murder i.e.only about 20 cases a year of all types, including "disgruntled insider employees" as well as remote attacks via the internet from overseas etc. so the problem is one of detection, enforcement and extradition, rather than that the existing penalties are somehow inadequate.
However, there are no amendments tabled, and it appears this Clause 33 will not be debated in Committee.
The unworkably stupid Clause 34, which fails to properly deal with Denial of Service attacks, a topic which the Earl of Northesk unsuccessfully devoted a whole Private Members Bill to back in 2002.
However, there are no amendments tabled, and it appears this Clause 34, also, will not be debated in Committee.
Currently there only seems to be one single amendment tabled (by the Opposition) , so the only discussion and debate in Standing Committee D
[UPDATE: new link to the latest amendments - see below]
Lynne Featherstone Martin Horwood
Clause 35, page 30, line 18, leave out 'or' and insert 'and'.
This refers to the controversial "dual use" possession of an article offence, supposed to deal with "hacking" or" virus" or "denial of service" tools, but which will, in fact, criminalise many essential maintenance and testing tools, used every day by innocent systems and network administrators, and which would amend
After section 3 of the 1990 Act insert—
“3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of
or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
What the MPs should be debating about this Clause is the unworkably overbroad scope of wording like "any article" or "to assist in the commission of", but it does not appear that they will bother to do so.
Given the guiilotine on debate, and the number of other Clauses and Schedules which have to be got through by 7pm, and given that these Computer Misuse Act 1990 amendments Clauses are not some of the first ones in the running order, it seems likely that they will be rushed through, with little or no debate, or even a vote.
If you work in the technical side of information technology, then please lobby your Member of Parliament, e.g. through WriteToThem to express your concern about this amateur attempt to pretend to be seen to be doing something about Computer Misuse laws, without proper scrutiny or debate, on a topic which deserves its own full Primary Legislation slotm but which has been relegated to what could be as little as 5 minutes of debate.
Unity kindly points out in the comments, that the latest list of tabled amendments published on 23 March. now also includes one by the Home Office Minister Hazel Blears
We fully agree with Unity's analysis of this Government amendment posted at Liberty Central - this amendment would make things even worse than the original text.
Whilst still retaining the overbroad wording of "assist in the commission of, an offence", which potentially criminalises all the perfectly innocent software and infrastructure which is necessary to transmit any computer virus or real denial of service or penetration attacks, the Home Office has now added the words:
(b) believing that it is likely to be so used.'
This puts the liberty of a software developer at the mercy of the present, or future intentions of persons unknown to them, anywhere in the world !
If, instead of a "computer security or network performance maintenance tool" or a "hacker tool", this wording was applied to a dual use physical tool, such as a hammer or a knife, surely even the least technical Members of Parliament would see how stupidly wrong this Clause 35 is ?
Remember, that whilst a knife or a hammer may be used as an offensive weapon, and may well be prohibited from being carried in public, but a generally legal in say a chef's kitchen or in a carpenter's workshop, It is also perfectly legal to make or adapt such physical tools in a factory or workshop.
However this clause 35 would prohibit the manufacture or copying or sale of dual use software tools and utilities, even in a legitimate software company such as Microsoft.
How exactly are the police meant to be able to enforce this stupid clause, fairly and equally ?
Most normal computer systems are installed, by default, with several tools and utilities which could be abused by someone with malicious intent.
Even supposedly secure computer systems which have a deliberate security "lockdown" policy, often still have such utilities or components of such utilities which might "assist" in the commission of an offence, simply available to more privileged users, such as systems administrators.
Where is the Regulatory Impact Assessment cost / benefit analysis of these amendments to the Computer Misuse Act ?
Why is there not a full new Computer Misuse Bill so that these complicated issues can be addressed in the proper detail which they merit ?
Note the the order paper is now packed with even more amendments and new clauses, but that the amount of Parliamentary time allocated for debate under the Programme Motion is still guillotined , so there is even less chance of these clauses being debated properly, simply due to lack of time.