Another Day. Another Home Office Bill. Another example of badly drafted legislation:
The new Police and Justice Bill includes this gem of an amendment to the Computer Misuse Act, which is intended to criminalise the development, distribution or possession of ‘hacker tools’:
3A
Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) In this section “article” includes any program or data held in electronic form.
(4) A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
(c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.”
The offences under section 1 and 3 are basically accessing computer systems without authorisation (hacking) and a revised offence of acts carried out with intent to impair the operation of computers, which extends the law to cover denial of service attacks as well as the old staples of hacks and viruses.
Of course, as any techie will spot immediately, there are actually very few, if any, so-called hacker tools which don’t have completely legitimate and valid uses, which renders this particular part of the bill near enough useless.
For example, software which could be used to mount an illegal denial of service attack can equally be used legally to stress test a network.
Password crackers and decryption tools which can be used to gain unlawful access to computer systems and secure computer data can equally be legitimately used for password security auditing, network security testing and datafile recovery. Trust me, one of the absolute banes of an IT support tech’s existence is the user who discovers how to password protect MS Office documents and then forgets the bloody password they’ve used on something important.
Bulk mailers, which can be used for legitimate, if irritating, marketing purposes, can equally be used to mount large-scale spam attacks which clog up mail servers and act as a denial of service.
Only in rare cases, and only when the clear purpose of a piece of software is destructive, as in the case of viruses with a harmful payload, or perhaps certain types of covert surveillance software such as some trojans and the occasional keylogger, could it reasonably be said that a piece of software might fall foul of this new law.
The rest of the time, it’s not what the software does that makes it potentially unlawful, but what you do with it.
This is the equivalent of banning the production, sale and ownership of pencils because they could be used to write a poison pen letter - in short, the usual ill-thought-out, ill-considered crap we’ve come to know and love as the hallmark of the Home Office’s efforts to tackle things they don’t understand.
License
This work is published under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 England & Wales License.
4 Comments so far
>>> Is there a word that means clueless multiplied several millions times?
Yes. Bureaucrat.
Comment by Unity 01.26.06 @ 9:48 am
Would Sony’s infamous rootkit fall foul of this?
Comment by Paul 01.26.06 @ 11:38 am
No, of course Sony’s rootkit will not fall foul of the implementation of this forthcoming law. They are a big corporation, and therefore deserving of protection against the masses.
Instead, this law is intended to further criminalise the ordinary citizen, by providing further opportunities for arbitrary and previously unjustified arrest and imprisonment by an unaccountable national police force.
Comment by Jeff 01.26.06 @ 2:50 pm



Is there a word that means clueless multiplied several millions times? It makes one wonder how sysadmins are supposed to do their job now. It also makes one wonder if the government bothered talking to anyone in the security industry. Still, the aforementioned redundant people will get a chance to communicate with the government when they sign on to the dole.
Anyone for starting up a “new” Labour party that has a clue and doesn’t change its spots every day?
Comment by Good Left Foot 01.26.06 @ 2:51 am