Cybercrime law could adversely affect security professionals
With the Police and Justice Bill 2006 receiving Royal Assent in the Queens speech earlier this month, concern is growing that the new legislation will compel the police to apprehend users of so called dual use software.
With the Police and Justice Bill 2006 receiving Royal Assent in the Queens speech earlier this month, concern is growing that the new legislation will compel the police to apprehend users of so called dual use software.
One example is the security scanner nmap that has many legitimate uses, but could also be used by hackers to scan networks they want to infiltrate for any vulnerability. The new law could prohibit the download and use of tools like nmap.
Malcolm Hutty, head of public affairs at the London Internet Exchange (LINX), said: “We do have to have responsible software supply. However, [under these amendments] any form of download tool could be prohibited. The Government is inadvertently throwing the baby out with the bathwater.”
The Police and Justice Bill states in Part 37 section 3A, clause 2 of the CMA: A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence.
The definition of what an article actually is will come under increasing scrutiny as this could conceivably be software utilities that also have a legitimate purpose and tools that researchers use to develop anti-virus and malware utilities.
Mr Hutty continued: “In theory this covers the announcement of software flaws. The fear in the security world is that the legislation makes it possible for a vendor to come along and say that if security researchers are making [software-flaw] information available to the public, they must know it will be used to exploit software, as well as used for beneficial purposes. The chilling effects on security research is a concern.”
Richard Clayton, a Cambridge University security expert also commented: “If you approach a company and say you`ve found a problem, they can issue a writ to silence you. HSBC threatened to sue the Guardian over reports of research by Cardiff University into HSBC`s online banking authentication procedure. This shows people are starting to think about going to the law to deal with bad news about security.”
LINX have expressed their concerns over the dual use issue to the Home Office asking them to clarify the law.
The Director of Public Prosecutions will issue guidelines to how the new law should be interpreted and implemented, which should give officers a clear indication when a crime has been committed.