New computer crime laws for the UK are currently being fine-tuned before hopefully being passed into law later this year. However, some of the measures intended to punish hackers harder than they currently are could be used to criminalise people legally working in the IT industry.
The UK has needed a thorough update of its outdated computer crime laws for years now, and the Computer Misuse Act, which was included in the Police and Justice Act 2006, is intended to do just that. Amongst the new measures are increases of the maximum penalty for hacking offences up to ten years, and denial of service offences made unambiguously illegal.
The problem part of the new bill, expected to come into effect by May 2008, is the banning of developing, owning, or distributing what are being described as “hacker tools”. The industry has strongly criticised the wording and universal targeting of the measure, and the application of this new crime could put system administrators and security consultants.
People working in the IT industry often use these legitimate tools to test system vulnerabilities in company systems. If the law is taken to the letter, these same people who are trying to stop hackers from breaking into closed networks could be charged.
As The Register points out:
“The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.”
That may seem like a simple explanation, but it’s a good example of how normal people could again be criminalised by some bad wording in a new law intended to stop real criminals from flourishing.
After the criticism, the government, via the CPS (Crown Prosecution Service), has issued some guidelines on how to read the rules. These establish that to be convicted, the developer of a tool would have to be shown to intend to use it for a criminal activity.
Although these new guidelines will help, the new set of rules does seem to be a bit of a mess, and it remains to be seen what, if any, real difference this all makes when it becomes law in the UK.