
Cumulative effect of the Computer Misuse Act amendments in the Police and Justice Bill 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005

This is still one of the very few UK blogs which has bothered to comment on the wretched Police and Justice Bill 2006, especially on the Miscellaneous Part 5 Computer Misuse amendments to the Computer Misuse Act 1990.

We were hoping to read some online expert commentary and discussion on the detailed implications of this Bill on IT Security and Privacy issues, but either our search engine query skills are lacking, or, yet again, it seems to be down to us, by default, to try to stimulate a bit of intelligent discussion on this topic.

As is typical for the Home Office, they do not appear to have bothered to produce a Regulatory Impact Assessment of the Computer Misuse clauses of the Police and Justice Bill.

There does not appear to have been any private thought or public consultation about the cumulative effect on IT Security and Privacy issues of the combination of the Police and Justice Bill, 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005.

The Police and Justice Bill clauses 34 to 36 which amend the Computer Misuse Act are:

  • 33 Increased penalty etc. for offence of unauthorised access to computer material - Prosecutions of any sort, let alone convictions for "unauthorised modification", under the existing Computer Misuse Act run at fewer than 20 a year, i.e. they are rarer than prosecutions for murder. Increasing the penalty will do nothing for deterrence of crime, but it does lead to some unjust and stupid "double jeopardy" risks in combination with other legislation.
  • 34 Unauthorised acts with intent to impair operation of computer, etc. - This is utterly inadequate to protect us from Denial of Service attacks, and suffers from the classic problem of not defining accurately what is a DoS attack, and what is negligence, or overselling of a Quality of Service Agreement, or simply normal unforeseen peak demand for a commercial or public service, i.e. normal congestion or queues.

  • 35 Making, supplying or obtaining articles for use in computer misuse offences - This is utterly inadequate to protect us from computer malware such as viruses, trojan horses, password sniffers etc. It does not bother to distinguish "dual use" software tools such as a web browser, a computer scripting or programming language, or network analysis or security vulnerability testing tools, or to give any exemptions for the "possession" or "obtaining" of such normal, common items. Either this will be completely unenforceable, or it will have a chilling effect on legitimate IT security defence research in the UK.

  • 36 Transitional and saving provision - It is hard to imagine how the Home Office could botch the clause dealing with the commencement of the above clauses, but they have managed to do so, due to their fondness for all-embracing wording such as "every". They do not appear to have considered that they are providing an exemption for "slow burn" Denial of Service attacks, e.g. a "bot net" which is currently growing, stealthy reconnaissance probes or virus malware which is currently spreading, or denial of service attacks which continue for a long period of time and which will still be attacking systems if and when these clauses pass into law.

  • Sneakily and unobviously, there is also text within the portmanteau Schedule 13 Minor and Consequential Amendments which illogically, and without explanation of what the Home Office is trying to achieve, amends the Criminal Damage Act 1971 and also amends Section 2 and repeals Section 11 of the Computer Misuse Act 1990.

The main clauses 33 to 36 run to only two and a half pages in this Bill.

Contrast this with the detailed procedures and alternative scenarios which the very same Bill goes into for a single minor amendment, designed to prevent the police from having to return child porn images to the owners of computers etc. which they have seized. This Schedule 11 runs to over 7 pages!

Surely something as important to national security, personal liberty and privacy and the national economy as Information Technology Security and Privacy deserves its own full Bill, which could then deal with these complicated issues properly? Instead these clauses are tagged onto the end of a complicated Bill, the main purpose of which is the controversial proposal to combine various Police forces together, and which will therefore soak up the limited attention span of politicians and journalists.

There is a distinct danger that Parliament will not even debate these Computer Misuse Act amendment clauses, as they are tagged on in the Miscellaneous section at the end of the Bill.

It should be noted that these woefully inadequate computer misuse clauses were not even authored by the Home Office itself, but have been cut and pasted from the failed private member's Bill, the Computer Misuse Act 1990 (Amendment) Bill, presented in April 2005 by Derek Wyatt MP, the chairman of the All Party Parliamentary Internet Group (APIG).

APIG seems to be at least partly funded by the lobbyists Political Intelligence, on behalf of the Internet Service Providers Association (ISPA). This UK trade body has even awarded its "internet hero" award to APIG for lobbying for the useless Denial of Service attack clause.

An ISPA spokesperson said, “The All Party Parliamentary Internet Group received this award for its recommendations to amend the Computer Misuse Act (CMA) to further protect individual websites and the infrastructure of the Internet against the threat of distributed denial-of-service (DDOS) attacks.”

Presumably this is why there are neither any protections for Domestic Consumers and Business Customers in these clauses, nor any Corporate Liability or criminal penalties for IT Security or Privacy specific negligence, nor anything to do with Quality of Service issues.

The cosy relationship between the Home Office and vested financial interests in the telecoms and internet industries is not serving the public interest of domestic or business consumers in general, whom the Home Office usually fails to bother to consult on these issues. They do not appear even to have bothered to consult the independent industry regulator Ofcom, and, as mentioned before, there is no sign of a Regulatory Impact Assessment of the costs of these measures on the public and private sectors.

There is no announcement of any increase in skilled manpower or training budgets for the Police to be able to actually enforce these new amended laws. Presumably the Home Office assumes that this will somehow happen by magic.

The increase in penalties from 5 to 10 years in prison for unauthorised modifications to computer data, for any and all "computers", is far too general a penalty, especially as prosecutions, let alone convictions, for such offences in the UK have been rarer than for murders.

If there is so little enforcement and prosecution, then changing the maximum penalty does nothing to prevent the crimes in the first place.

These clauses also need to be seen in context with the now renamed Clause 29 Tampering with the Register etc. under the controversial Identity Cards Bill 2005, which also sets up to a 10-year prison penalty (and / or an unlimited fine) only for National Identity Register connected computer systems (not just the NIR itself, but every other private sector or other government department system which is authorised to connect to the Home Office's systems), and which also, in a vague and stupid way, seeks to cover Denial of Service attacks on the NIR.

Surely it would be unjust and unfair to have two Acts of Parliament, creating two distinct criminal offences, each providing a separate penalty of up to 10 years in prison, which would both apply at the same time to the same criminal attack on the National Identity Register?

"Denial of Service Attacks" are not even as well defined in this clause 34 as in the Earl of Northesk's private member's Bill, the Computer Misuse (Amendment) Bill 2002, which sought to stimulate debate on this topic back in 2002.

It is not at all clear when such Denial of Service attacks would fall under the Computer Misuse Act as amended by the Police and Justice Bill, and when they would be classed as "terrorism", or "acts preparatory to terrorism".

The controversial definition of terrorism in the Terrorism Act 2000 section 1 includes

"2 (e) is designed seriously to interfere with or seriously to disrupt an electronic system."

which will be compounded by the possible life sentence for "acts preparatory to terrorism" (where "terrorism" is defined as per the Terrorism Act 2000) under the controversial Terrorism Bill 2005 clause 5 Preparation of terrorist acts also currently going through Parliament.

The combination of the Police and Justice Bill 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005 shows that the NuLabour government and the Home Office ministers and bureaucracy are simply not up to speed with IT Security and Privacy issues, do not have a clear idea of what they are doing, and are producing a hodgepodge of vague criminal law which will do nothing to deter criminals or terrorists, especially those based overseas.

These Bills, if passed, will, however, criminalise and demoralise law-abiding IT security experts here in the UK, who are trying to defend us against such attacks, whilst doing nothing to tighten up the Government and Corporate IT security and privacy abuses which put the consumer and the general public at risk.

On past performance, we have no confidence that there will be any detailed Parliamentary scrutiny of these badly drafted and fragmented Bills, either in the House of Commons or even in the House of Lords, which will correct and amend the cumulative effect on IT Security and Privacy issues.

Comments

I'm no 'expert' but I just read this:

"(a) to impair the operation of any computer,

(b) to prevent or hinder access to any program or data held in any computer, or

(c) to impair the operation of any such program or the reliability of any such data, whether permanently or temporarily."

The 'b' definition seems fine. If I prevent access to someone else's computer without their permission...

But the 'c' definition - impair, seems somewhat vague when combined in all...

You need to:

- Be aware that the access is unauthorised
(But am I ever "authorised" on the Internet?)
- Have pre-knowledge that what I do will cause the above stated effect

But couldn't it be argued that by changing a Wikipedia article, for example, to something incorrect - thus reducing the "reliability of any such data", you'd be criminally convictable?

--------------

But all of the above isn't the point, read this:

"A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—

(a)knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or

(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3."

Wait one second... If I supply any article which can be adapted to commit a crime I can be jailed?!

So for example if I found an exploit and posted some source code, that's jail time for me?

Or if I wrote an article on discovering buffer-overruns I could be jailed...

Or if I wrote a *tool* to discover buffer-overruns?

Just how far reaching is this law?


These new clauses do nothing to clarify "intent" or the question of what is and what is not "authorised" on the Internet, failings of the Computer Misuse Act which have been repeatedly pointed out over the years.

(3) In this section “article” includes any program or data held in electronic form.

The words "any" and "data" mean that this law could also be used to snoop on your private email or other electronic correspondence, "to see if it is a hacking tool or virus" without getting a warrant signed by the Home Secretary under the Regulation of Investigatory Powers Act.

Will people whose computers get infected with virus or trojan or spyware malware be prosecuted? Will they have to try to prove their innocence, rather than the usual burden of proof being placed on the prosecution?


Way back in 1990 as a hapless student I did an essay on what was then the Computer Misuse Act, and made similar criticisms of it. At that time the number of people convicted of crimes, such as spreading viruses or hacking into other computers, in the UK was zero. In my essay I said that the motivation was good, but the enforcement was inadequate or non-existent.

I totally agree that it should be a crime to write malware, stuff which screws up people's computers deliberately, steals files, or spies on people without their knowledge or consent. However, effectively enforcing the law in this area is difficult. To defend against automated attacks you need automated defences - a kind of digital immune system. Entire armies of specially trained police officers working around the clock aren't going to solve this kind of problem, or at best will only convict a handful of the worst offenders. Humans work at very slow speeds. Computer viruses and hackers/crackers work at electronic speeds.

In summary I think this is a technical problem, not one which can be legislated away simply by declaring it "banned".


Agree the definition of DoS is hopeless. See my commentary at http://blogscript.blogspot.com/2006/01/denial-of-service-i-told-you-so-part.html .

