Changes in the British Computer Misuse Act

Fri, 27 Apr 2007 09:40:57 GMT

I was following some blog posts when I stumbled upon an entry that talks about the changes introduced in the British Computer Misuse Act. I have known about these changes for quite some time now, but I had always thought that as long as you stay on the good side of the fence you will be all right. I guess I was wrong. Here is a snippet from the act:

Making, supplying or obtaining articles for use in computer misuse offences

After section 3 of the 1990 Act insert "3A Making, supplying or obtaining articles for use in offence under section 1 or 3"

  1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
    1. knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
    2. intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
  2. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
  3. In this section "article" includes any program or data held in electronic form.
  4. A person guilty of an offence under this section shall be liable:
    1. on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
    2. on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
    3. on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

Source: Police and Justice Bill

So what can I say? I guess George Orwell's novel 1984 is not that far from reality. Britain has the highest number of surveillance cameras in the world. I think that Britain will become the first country in the world to enforce the installation of GPS devices in cars too. Now this? This is madness.

If we stop disclosing vulnerabilities, if we stop putting all that effort into our research, you will be the one to suffer. The situation today is only better because we force security on vendors who are often not keen on fixing anything, because that could potentially result in lost revenue. You cannot ignore the security-minded people who try to educate society about the possible dangers.

Enough said. Make up your mind and do not forget that the computer security community has been through a lot of trouble to get to the level it is at today. That only benefits society. That keeps you safe.

/nul
Seems like Germany/France adopted the same legislation... http://www.metasploit.org/archive/framework/msg01912.html
David Kierznowski
Had some interesting feedback from Daniel on this when I brought it up as a discussion point last year, see: http://michaeldaw.org/news/news-021206/
Daniel
Obviously I have a fair amount of experience with the CMA and fighting it in court, and these changes are typical of the way the law was initially drafted and also of the knowledge of the people involved. Let's take an example of this CMA in action. Under the CMA, if you visit a website and enter your name and the site borks (ASP.NET error, JSP page throwing a wobbly, or something else), you have basically made the site do something it was not intended to do by the owner.
Doing the above can have you arrested and charged for causing a computer to perform an action that was not intended.
The CMA is a sorry state of the UK's approach to the web: rushed, confused and, overall, bad for anyone using the web in the UK.
pdp
I guess the main idea of the CMA is to look for someone to blame when it is required. If you happen to be the wrong person at the wrong time, you get nailed for things you probably don't even understand. This way, companies can justify their loss to their investors. I wonder to what extent these changes will be applied.
Daniel
"Heavily" is one comment from a friend at the seckret net police (a.k.a. hi-tech crime unit). The thing is, they have to be seen to be doing something, but in reality they cannot catch the serious criminals as they have no clue, so it's the smaller cases which attract the headlines.
pdp
This is such a bad idea. So you are saying that the British Hi-tech crime unit will target security researchers just to prove that they are doing something? This is madness.
Daniel
It will be interesting to see how they do this. As everyone says, they develop tools NOT meant to be used in a malicious manner, but how do you prove that? Let's use your XSS archive as an example: you never meant people to use it in a bad manner, but some idiot went and defaced a site and he admitted (ok, sexist in a way, but Joanna and the rest of the female community out there won't mind me saying this, I hope...) that he got the knowledge from pdp and gnucitizen.org. The archive has now been used in a malicious manner and you as the author are responsible under this act.* The key bits seem to be:
  • knowledge - ... supply any article- knowing that it is designed or adapted for use ...
  • intended use - ... for use in the course of or in connection with an offence ...
  • breach - ... offence under section 1 or 3 ...
Yes, you aren't UK based, so you have nothing to worry about.
pdp
Actually, I am UK based but I am not British, which does not make that much of a difference... these changes apply to me as well, and I heard that they will be implemented in all EU countries. One thing that I cannot see how it is going to work is this: if someone compromises a network claiming that they did that through whatever tool, how can that be proved? I mean, yes, someone can say that they used XSSDB on GNUCITIZEN to perform the stunt, but they cannot prove their statement.
Daniel
Dinis did tell me you were, my bad, I'm blonde :p The first thing the coppers would do would be to take the machine he used and do some shitty forensics on it. Now, if the perp didn't know he was being raided, it would be unlikely that he cleared his cache, wrote zeros to the disk and reinstalled; if that wasn't the case, they would use EnCase (the gentleman's choice when in the police force) and get the forensic evidence of all traffic sent from that machine. If they really wanted to be anal, they could go to the ISP and request the logs. For all those who think that ISPs don't log traffic, haha, err, think again. Ever since the kiddy fiddlers started getting clever, ISPs have been under increasing pressure to conform. Then all they would need to do is join the dots.
suleman
I think all this will teach the robbers good.