First published: 31st January 2008
The Crown Prosecution Service in the UK has published guidance for prosecutors on how to apply the updated Computer Misuse Act, including the controversial new offence of "making, supplying or obtaining articles" for use in other offences: in other words, a control on "hacking" tools. When the law was proposed, security professionals pointed out the difficulty of categorising tools as good or bad, and the implications this would have for the "good guys". The guidance will greatly influence how the law is applied once it comes into force.
The guidelines do specifically acknowledge that there is a legitimate industry concerned with computer security that "generates 'articles'" for testing and audit purposes, and that prosecutors should ascertain whether there was criminal intent. For supplying, or offering to supply, an article, the guidelines advise considering the following factors to determine the likelihood that it would be used for illegal purposes:
- Was it developed primarily, deliberately and for the sole purpose of committing an offence?
- Is it available on a wide-scale commercial basis and sold through legitimate channels?
- Is it widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context of its use compared to its intended purpose?
These factors rule out the most absurd potential misapplications of the law. For example, Perl, or the text editor used to write a malicious Perl script, would not be caught by the offence: neither was built for that sole purpose, both are widely used for legitimate purposes, and both have a substantial installation base. Makers of general-purpose programming languages and editors can probably rest easy in the knowledge that they will not be prosecuted if their tools are used for illegal purposes.
However, creators of more specialised tools should be more worried, particularly if they release the tool as open source. Why does commercial sale affect the likelihood of a tool being used for crime? What is a legitimate channel? Is a web sale more or less "legitimate" than a shop sale? When the installation base is calculated, is it determined for the particular version in question, or for all versions of the tool? For example, the popular Nessus tool releases new plugins to paying users seven days before they are released for free. The paying users are undoubtedly a much smaller installation base than the free users. Does this affect the likelihood of Nessus being used for illegal purposes, and therefore open the developers to prosecution in the UK?
The guidelines strongly discourage full disclosure: publishing a description of a security vulnerability together with a code example of how to exploit it would expose the author to prosecution, since the code example clearly has the intention of subverting the security of the vulnerable system. In the past, some vendors have refused to acknowledge or fix vulnerabilities, calling them "only theoretical" and "not practical" until a researcher has provided a working code example. Releasing such a proof of concept now seems very unwise in the UK, so we can expect a negative effect on the security of common products.