Security research may become a crime in the UK

Clause 35 of the new Police and Justice Bill will amend the Computer Misuse Act to make it an offence to make or adapt any article –

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence … ; or

(b) intending it to be used to commit, or to assist in the commission of, an offence …

This would be OK if the “or” at the end of (a) were replaced with “and”. As it stands, it looks like criminalising much of what we do here. Time to write to your MP?

7 thoughts on “Security research may become a crime in the UK

  1. Hello,

    I just saw you launched your blog — congratulations!

    Thank you for linking to mine.

    I found your blog because I am researching your a one year postgraduate conversion course, the Diploma in Computer Science, hopefully to be followed by the three year research PhD.

    Sincerely,

    Richard

  2. [phill] So who do you think is behind all this ?

    The Convention on Cybercrime requires signatory states [and the UK has committed itself to signing] to establish criminal offences for the “production, sale, procurement for use, import, distribution or otherwise making available of” any “device, including a computer program, designed or adapted primarily” for the commission of hacking etc offences.

    However, crucially the Convention uses the phrase “committed intentionally and without right”. In UK law we don’t have the notion of “without right”, but this is usually translated into a statutory defence, or the requirement for a wicked intent.

    However, the Bill, in its current form does not have either a defence or the requirement to show the intent to commit an offence. That’s the main problem — especially for security researchers who regularly construct tools to better understand vulnerabilities and their mitigation.

  3. I’m writing to my MP now!, I’d probably best not email him, sounds far too risky these days. Might be accused of spamming or something. 0 XOR 0 and Out.

  4. My reading of the Convention on Cybercrime document linked above is that it does not require signatory states to establish this criminal offence. Article 42 seems to be a get-out clause. We only have to criminalise the passwords in Article 6 1 a.ii.

    “Article 42 – Reservations … any State may, at the time of signature … declare that it avails itself of the reservation(s) provided for in … Article 6, paragraph 3, …”

    “Article 6 – Misuse of devices

    1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

    a the production, sale, procurement for use, import, distribution or otherwise making available of:

    i a device, including a computer program, designed or adapted
    primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

    ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

    with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

    b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

    2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

    3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.”

Leave a Reply to Ian Cancel reply

Your email address will not be published.