[Hat tip to Dr. Richard Clayton at the Light Blue Touchpaper group blog - Hacking tool guidance finally appears]
The Crown Prosecution Service appear to have published (6 months later than promised!) some Guidance to Prosecutors regarding the Computer Misuse Act 1990, which has been amended by the Police and Justice Act 2006 sections 35 to 38. It seems that these amendments may come into force this April 2008.
Chapter s Computer Misuse Act 1990 Guidance (.pdf 6 pages)
However the CPS Guidance is flawed, as it does not address the fact that the Amendments also criminalise "dual use" data as well as computer programs.
Neither does this CPS Guidance consider the effect of the controversial and inept Identity Cards Act 2006 section 29 Tampering with the register etc., which criminalises denial of service attacks against the National Identity Register infrastructure, and any of the tens of thousands of systems which will be connected to it, and also forbids strike action by Trades Unionists etc.
The controversial aspects of these amendments, which did not receive proper Parliamentary scrutiny due to the guillotines on debate, include
- Section 36 Unauthorised acts with intent to impair operation of computer, etc - which creates a new Section 3 of the Computer Misuse Act - a vague and catch-all Denial of Service attack offence, which deserves its own full section of a revised Computer Misuse Act, properly scrutinised, not a short amendment clause in another portmanteau criminal statute.
- Section 37 Making, supplying or obtaining articles for use in computer misuse offences - creates a new Section 3A under the Computer Misuse Act.
Dual use "hacker tools"
The new Section 3A criminalises the creation, modification or distribution of "dual use software" - "hacker tools" - which threatens legitimate systems administrators and IT security researchers, but which will have no measurable effect on foreign-based cyber criminals, despite the unenforceable attempt at claiming worldwide British jurisdiction for this offence.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
Section 1 is the unauthorised computer access offence (with increased criminal penalties to make the offence serious enough to be extraditable). Section 3 is the new computer denial of service attack offence.
However, it is not just computer programs or scripts which are criminalised; the stupid wording also includes data!
(4) In this section "article" includes any program or data held in electronic form.
The fact that these Amendments criminalise public and commercial data sources is probably an unintended, but still inevitable, consequence which seems to have escaped the few people who have taken an interest in this legal mess, including the Crown Prosecution Service, who fail to appreciate the difference between data and programs in their Guidance.
In what way do, for example, commercial publishers of email marketing lists, websites which offer public directory services, core parts of the internet infrastructure such as Domain Name Servers or Whois searches, or public or private web search engines etc. not also fall foul of this badly worded, catch-all law ("any program or data held in electronic form")?
All of these legitimate sources of data are "dual use" and are abused by spammers, computer virus and trojan software distributors, denial of service attack botnets etc. to feed into their malicious software scripts etc.
Many computer criminals make use of data from say, the Google search engine to assist with their Section 1 or Section 3 offences.
The CPS Guidance really does not seem to be aware of the real world e.g.
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
How are they going to determine that? Simply by relying on the name of the software? Will CPS prosecutors try to explain to a jury the complexities of reverse engineering compiled malware programs for which they do not have access to the source code?
- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
- Is the article available on a wide scale commercial basis and sold through legitimate channels?
Sold? Have the CPS really not understood the concept of constantly developing, freely distributed, multi-platform Open Source or public domain software e.g. Perl or nmap, versions of which are available for virtually all modern computers and operating systems?
- Is the article widely used for legitimate purposes?
Knives and hammers are widely used for legitimate purposes, but they can also be used for murder.
Why treat "dual use" software "articles" any differently?
- Does it have a substantial installation base?
Lots of software, e.g. operating system versions or distributions, may have an installed base of millions of users.
However, any new improvements or additional modules will, initially, have a non-existent or very small installed user base.
If, say, the Perl scripting language is considered exempt because of its large installed base, does the exemption still apply to a new version of an installable Perl extension, module or subroutine which could be used to assist in committing section 1 or section 3 offences?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
How long is a piece of string?
Section 3A still applies to "dual use" programs or data even if there has never been any actual Section 1 or Section 3 offence ever committed by anyone, let alone a successful prosecution.
If prosecutors have any questions relating to the application of section 3A CMA please contact the Policy Helpdesk on 020 7796 8471 or by email at HQPolicy@cps.gsi.gov.uk.
We urge our readers to voice their concerns about this totally inadequate Guidance to this Crown Prosecution Service Policy Helpdesk.
Denial of Service attacks
The CPS Guidance mentions in passing possible alternative offences under Section 127 of the Communications Act 2003 or the Fraud Act 2006 in certain instances, but fails to mention the controversial Identity Cards Act 2006 section 29 Tampering with the Register etc., which has its own disastrously flawed attempt to prevent Denial of Service attacks on the National Identity Register infrastructure. This clause also received literally no Parliamentary scrutiny whatsoever, when all debate on it was guillotined and it went through "on the nod", unamended, during the passage of the Identity Cards Act 2006.
This stupid Section 29 criminalises not only deliberate computer based denial of service attacks on the NIR infrastructure, but also anything and everything which
(b) where it makes it more difficult or impossible for such information to be retrieved in a legible form from a computer on which it is stored by the Secretary of State, or contributes to making that more difficult or impossible.
i.e. it also applies to otherwise normal, legal industrial action such as work to rule or strike action by Trades Unionist civil servants, power failures, floods, genuine errors and mistakes in software, hardware or network infrastructure configuration, or any security flaws and errors in the massively complicated software.
The effect of this section on Trades Union strike or work to rule action was acknowledged by the then Labour Home Office Minister Baroness Scotland, during the very short debate on what was then Clause 31, at the Lords Report stage of the previous Identity Cards Bill 2005 (which ran out of time due to the calling of the 2005 General Election). No amendments were made to the wording, which was rubberstamped into law as Section 29 of the Identity Cards Act 2006, this time, with no debate at all.
Therefore the potential for legalistic collateral damage to anyone foolish or unlucky enough to be working on or with computer or telecommunications systems connected to the centralised biometric National Identity Register, whether in the public or private sectors, anywhere in the world, remains.
It will apply not just to the central core National Identity Register, but to all the people and infrastructure of the systems linked to the NIR by other Government Departments and the estimated 40,000 commercial partner companies e.g. financial services, insurance, banking, airlines, travel agents etc. who will also be licensed to "download information in a legible form" (and who will be forced to do so under licensing or statutory regulations). Any Distributed Denial of Service attack on any Government or large commercial company or telecomms infrastructure is therefore also very likely to fall foul of the Identity Cards Act 2006 section 29, something which the CPS Guidance seems to be unaware of.
This wording criminalises these partner systems if they fail for any reason, even if the core NIR system is working perfectly.
What the CPS should do
The allegedly independent (which really seems to mean not publicly accountable) Crown Prosecution Service and the Labour Government should get their act together and produce more relevant and detailed Guidance before these controversial Computer Misuse Act amendments are brought into force.
Ideally, there should be a properly debated, properly scrutinised, full new Computer Misuse Act, including data security breach notification provisions, fit for the internet and mobile phone age, rather than the collateral damage to legitimate businesses and individuals which these Amendments will cause.
The Identity Cards Act 2006 should be repealed in its entirety.