Daily Archives: 2007-12-31

Hacking tool guidance finally appears

When civil servants talk about “spring” they mean before Parliament rises in July, and by “the summer” they usually mean “before the party conference season” in September. But it seems that when a minister tells a Lords Committee “the end of the summer” they mean the last day of December. Well, it has been pretty cold recently, so I expect that concentrated their minds!

This “summer” event, which can be reported today, is the publication of the Crown Prosecution Service guidance on what should be considered before bringing prosecutions under s3A of the Computer Misuse Act, when amendments to it come into force — probably April 2008 (for reasons that I discussed last July).

What is at issue is so-called hacking tools, and the problem arises because almost every hacking tool you can think of, from perl to nmap, is dual use — the good guys use it for good purposes, and the bad guys use it for bad. The bad guys are of course committing an offence, and the good guys are not … but the complexity surrounds “distribution”: if a good guy runs a website and a lot of bad people download the tool from it, has the good guy committed an offence?

The actual wording of the offence says “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]” and so we need to know what “believing that it is likely” might mean. Whilst the law was going through Parliament the Home Office suggested that “likely” would be a 50% test, and they promised to publish the guidance to prosecutors so we’d all know where we stood.

Anyway, that guidance is now out — and there’s no mention, surprise, surprise, of “50%”. Instead, the tests that the CPS will apply are:

  • Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
  • Is the article available on a wide scale commercial basis and sold through legitimate channels?
  • Is the article widely used for legitimate purposes?
  • Does it have a substantial installation base?
  • What was the context in which the article was used to commit the offence compared with its original intended purpose?

which after a good start using words like “primarily” and “deliberately” (which would have been a sensible law to have in the first place) then goes a bit downhill, in that prosecutors don’t know the difference between “i.e.” and “e.g.”, seem to think that software is generally sold (!), and rather miss the point of dual use by talking about using the tool in a different “context”.

Still, the “installed base” test should at least allow people to distribute perl without qualms (millions of users) — though do note that these are the tests which will be applied at the “deciding if you ought to be charged with an offence” stage, not the points of law and interpretation that the court will use in deciding your guilt.