If you read the full advice you’ll see that a Black Hat style conference might be very well advised to include a session on the requirements of the Computer Misuse Act — and to request that attendees sign a document saying that they will not contravene it.

Figleaf maybe, but training hasn’t been made illegal, it’s just that the Home Office wanted some charges they could use against peripheral players in an eCrime conspiracy and that meant wording that was far too broad for most everyone else’s taste (not that very much eCrime gets prosecuted at all — but that’s a different story).

I’m Ikuo Takahashi, lecturer of Utsunomiya University in Japan and lawyer in practice.

I’m specialised in Cyber Security law and have made some presentations at CyberSecurity Symposium in Japan.

In Japan,the author of P2P software”Winny” was prosecuted and there is disputes about such dual use “articles”.

Please refer to http://en.wikipedia.org/wiki/Winny

In my opinion,Kaneko’s activity is primarily assisting infringing copyright in this case. However usual security science scholar cannot distinguish the judgment scope.And there is actual chilling effect by ambiguous legal wording.

I think the above guidance is ambiguous and may have chilling effect on security research.

http://petitions.pm.gov.uk/pentest/

To sign the petition you need to be British citizen or an expatriate, in an overseas territory, a Crown dependency or in the British Armed Forces.

So I write a new improved vulnerability scanner. Can I circulate it around bugtraq for peer review? I doubt it! While I know it will be used responsibly by many people I also know that it will be used by some Bad Guys to find systems they can hack into.

The problem is how to avoid “believing that it is likely to be used to commit an offence”. If we create a tool and circulate it openly it *will* be picked up by someone and used to do bad things. Only the very naive could fail to believe that an openly distributed tool will not be used by the Bad Guys.

In the CPS guidance we see: “what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly”. This seems to imply that posting a tool openly risks a charge under Section 3A.

If it isn’t corporate it must be bad!

Would this make the browser supplier liable

No. Don’t be silly!

Does knowing of or allowing the functionality of the plugins make them liable

Not under this legislation. Note (once again!) that to commit an offence a software author has to have INTENT.

In summing up, it’s just plain stupid.

But I don’t think this is the real issue. As has rightly (and several times) been pointed out here, the real problem is the case where a “dual purpose” tool is supplied in good faith for what appears prima facie to be a lawful purpose and is subsequently used unlawfully – a situation over which the supplier has no direct control. I suspect that established principles wrt negligence will be brought to bear in assessing individual cases. However it may prove expedient to restrict distribution – e.g. not just post tools on the open web but require some kind of registration process before they can be obtained – and to include a EULA containing a “lawful use” clause in the package. Maybe these would be good moves anyway – in any case they are not onerous to implement and could hurt no-one.

It is easy to panic when guidance (and indeed legislation) such as this is put in place, and I myself argued against the supply clause from the start, but in the real world the CPS is very unlikely to suddenly reach out and prosecute thousands of responsible researchers. Neither have the CPS the remit or the resources to trawl the web looking for “suppliers” to prosecute. Some of those who indiscriminately distribute proof of concept code for unpatched vulnerabilities may fall into the net, depending on the perceived resultant exposure. And maybe that’s a good thing.

If I, as a software engineer, write something that the powers that be, dislike this act can be used to stop me with even the threat of prosecution.

If you write the code then the test is what your intent was. Please note that this article is about the issues that arise around distribution where the wording does not include intent.

Oh, and there are laws about selling knives, there is for example an age test.