Comments on: Security research may become a crime in the UK http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/ Security Research, Computer Laboratory, University of Cambridge Sun, 06 Jul 2008 12:07:19 +0000 http://wordpress.org/?v=2.5.1 By: Richard Kelsall http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-88 Richard Kelsall Sat, 25 Feb 2006 16:32:52 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-88 My reading of the Convention on Cybercrime document linked above is that it does not require signatory states to establish this criminal offence. Article 42 seems to be a get-out clause. We only have to criminalise the passwords in Article 6 1 a.ii. "Article 42 – Reservations ... any State may, at the time of signature ... declare that it avails itself of the reservation(s) provided for in ... Article 6, paragraph 3, ..." "Article 6 – Misuse of devices 1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right: a the production, sale, procurement for use, import, distribution or otherwise making available of: i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5; ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches. 2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system. 3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article." My reading of the Convention on Cybercrime document linked above is that it does not require signatory states to establish this criminal offence. Article 42 seems to be a get-out clause. We only have to criminalise the passwords in Article 6 1 a.ii.

“Article 42 – Reservations … any State may, at the time of signature … declare that it avails itself of the reservation(s) provided for in … Article 6, paragraph 3, …”

“Article 6 – Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted
primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.”

]]> By: Stu Thomas http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-68 Stu Thomas Mon, 13 Feb 2006 21:50:47 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-68 I'm writing to my MP now!, I'd probably best not email him, sounds far too risky these days. Might be accused of spamming or something. 0 XOR 0 and Out. I’m writing to my MP now!, I’d probably best not email him, sounds far too risky these days. Might be accused of spamming or something. 0 XOR 0 and Out.

]]> By: Richard Clayton http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-64 Richard Clayton Sun, 12 Feb 2006 18:30:38 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-64 [phill] So who do you think is behind all this ? The <a href="http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm" rel="nofollow">Convention on Cybercrime</a> requires signatory states [and the UK has committed itself to signing] to establish criminal offences for the "production, sale, procurement for use, import, distribution or otherwise making available of" any "device, including a computer program, designed or adapted primarily" for the commission of hacking etc offences. However, crucially the Convention uses the phrase "committed intentionally and without right". In UK law we don't have the notion of "without right", but this is usually translated into a statutory defence, or the requirement for a wicked intent. However, the Bill, in its current form does not have either a defence or the requirement to show the intent to commit an offence. That's the main problem -- especially for security researchers who regularly construct tools to better understand vulnerabilities and their mitigation. [phill] So who do you think is behind all this ?

The Convention on Cybercrime requires signatory states [and the UK has committed itself to signing] to establish criminal offences for the “production, sale, procurement for use, import, distribution or otherwise making available of” any “device, including a computer program, designed or adapted primarily” for the commission of hacking etc offences.

However, crucially the Convention uses the phrase “committed intentionally and without right”. In UK law we don’t have the notion of “without right”, but this is usually translated into a statutory defence, or the requirement for a wicked intent.

However, the Bill, in its current form does not have either a defence or the requirement to show the intent to commit an offence. That’s the main problem — especially for security researchers who regularly construct tools to better understand vulnerabilities and their mitigation.

]]> By: phill http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-63 phill Sun, 12 Feb 2006 11:53:47 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-63 So who do you think is behind all this ? So who do you think is behind all this ?

]]> By: Ian http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-62 Ian Sat, 11 Feb 2006 19:11:17 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-62 Or should that be: It's an inclusive OR? Or should that be: It’s an inclusive OR?

]]> By: Ian http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-61 Ian Sat, 11 Feb 2006 19:09:39 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-61 Plea -- your honour it's an exclusive OR. Plea — your honour it’s an exclusive OR.

]]> By: Richard Bejtlich http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-60 Richard Bejtlich Fri, 10 Feb 2006 18:14:42 +0000 http://www.lightbluetouchpaper.org/2006/02/10/security-research-may-become-a-crime-in-the-uk/#comment-60 Hello, I just saw you launched your blog -- congratulations! Thank you for linking to mine. I found your blog because I am researching your a one year postgraduate conversion course, the Diploma in Computer Science, hopefully to be followed by the three year research PhD. Sincerely, Richard Hello,

I just saw you launched your blog — congratulations!

Thank you for linking to mine.

I found your blog because I am researching your a one year postgraduate conversion course, the Diploma in Computer Science, hopefully to be followed by the three year research PhD.

Sincerely,

Richard

]]>