It’s well over a year since the Government first brought forward their proposals to
make security research illegal crack down on hacking tools.
They revised their proposals a bit — in the face of considerable lobbying about so-called “dual-use” tools. These are programs that might be used by security professionals to check if machines were secure, and by criminals to look for the insecure ones to break into. In fact, most of the tools on a professionals laptop, from nmap through wireshark to perl could be used for both good and bad purposes.
The final wording means that to succesfully prosecute the author of a tool you must show that they intended it to be used to commit computer crime; and intent would also have to be proved for obtaining, adapting, supplying or offering to supply … so most security professionals have nothing to worry about — in theory, in practice of course being accused of wickedness and having to convince a jury that there was no intent would be pretty traumatic!
The most important issue that the Home Office refused to concede was the distribution offence. The offence is to
"supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]". The Home Office claim that “likely” means “more than a 50% chance” (apparently there’s caselaw on what likely means in a statute).
This is of course entirely unsatisfactory — you can run a website for people to download nmap for years without problems, then if one day you look at your weblogs and find that everyone in Ruritania (a well-known Eastern European criminal paradise) is downloading from you, then suddenly you’re committing an offence. Of course, if you didn’t look at your logs then you would not know — and maybe the lack of mens rea will get you off ? (IANAL ! so take advice before trying this at home!)
The hacking tools offences were added to the Computer Misuse Act 1990 (CMA), along with other changes to make it clear that DDoS is illegal, and along with changes to the tariffs on other offences to make them much more serious — and extraditable.
However, the relevant sections, s35–38, are not yet in force! viz: hacking tools are still not illegal and will not be illegal until, probably, April 2008.
The reason for this is that the Serious Crime Bill, which has just started its progress through the House of Commons after a moderately rough ride in the House of Lords, introduces a new offence of “being nice to criminals” (strictly it says, in Part 2,
"he does an act capable of encouraging or assisting the commission of an offence", it’s meant to catch people who hire fast cars to criminals for getaways…)
However, this new offence, which is expected to be brought into force in April 2008 (MPs permitting of course), will overlap with some parts of the amendments to the CMA (though not the hacking tools offences). Since it is considered to be bad form to have two offences for the same thing, this makes it necessary to amend the amendments (hence clause 57 [as presently numbered]).
In their wisdom the Home Office have decided that bringing the CMA amendments in now, and then amending them again, will be too confusing for everyone — so they’ve decided to wait and do everything all at once, which will be next April. So, in the interim, the tariff for unauthorised access remains at six months, the legal situation on DDoS remains confused, and the intentional construction of hacking tools is not yet a crime…
… hmm, except there’s provisions in s7 of the Fraud Act, which says
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article (a) knowing that it is designed or adapted for use in the course of or in connection with fraud, or (b) intending it to be used to commit, or assist in the commission of, fraud.
So maybe a hacking tool constructed for fraudulent purposes is already illegal! But that would mean two offences for the same thing 🙁 so perhaps you need to find that lawyer to have a chat with after all !