The Police and Justice Bill 2006, which received Royal Assent last Wednesday, contains amendments to the Computer Misuse Act 1990 that alter the law surrounding the creation and distribution of 'dual use' software tools. These are tools such as nmap — a security scanner — which are primarily used by legitimate users and security researchers, but can also be used by hackers to scan networks for vulnerabilities.
The amendments to the law could potentially prohibit the downloading of such security tools, according to Malcolm Hutty, head of public affairs at the London Internet Exchange (LINX).
"We do have to have responsible software supply. However, [under these amendments] any form of download tool could be prohibited," said Hutty earlier this week. "The Government is inadvertently throwing the baby out with the bathwater."
Part 37 of the Police and Justice Bill amends section 3A, clause 2 of the CMA, and states: "A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence."
This will place serious constraints on the distribution of security tools, as the prosecution must only prove that the distributor believed it was likely that the tool will be used for hacking, even if this was not his intention, said Richard Clayton, a Cambridge University security expert. This would include malware researchers, ISPs and universities that host download tools, Clayton claimed.
Malware researchers could also be severely constrained by the new law because of the definition of "article", according to Clayton and Hutty. Clause 4 of section 3A states: "In this section 'article' includes any program or data held in electronic form."
The law is supposed to cover virus writing and hacking tools, but the wording of the law also covers the disclosure of software flaws, according to Hutty.
"In theory this covers the announcement of software flaws. The fear in the security world is that the legislation makes it possible for a vendor to come along and say that if security researchers are making [software-flaw] information available to the public, they must know it will be used to exploit software, as well as used for beneficial purposes," said Hutty. "The chilling effects on security research is a concern."
Clayton added: "If you approach a company and say you've found a problem, they can issue a writ to silence you. HSBC threatened to sue the Guardian [over reports of research by Cardiff University into HSBC's online banking authentication procedure]. This shows people are starting to think about going to the law to deal with bad news about security."
No comments:
Post a Comment