The Police and Justice Bill starts its Committee stage in the House of Lords tomorrow, Tuesday 20th June 2006.
As with all Home Office Bills these days, there is much to occupy their Lordships with, which the Commons failed to sort out properly.
There are a few Amendments tabled regarding the controversial changes to the Computer Misuse Act 1990 in Clauses 39 to 41 of the Police and Justice Bill, especially the one dealing with the question of "belief" in the new "hacking tools" offence:
Clause 39THE EARL OF NORTHESK
172 Page 32, line 10, leave out from beginning to "subsection" in line 11 and insert—
"(1) In the Computer Misuse Act 1990 (c. 18) ("the 1990 Act"), section 1 is amended as follows.
(2) In subsection (1)—
(a) in paragraph (a), after "computer" insert "or to enable any such access to be secured",
(b) in paragraph (b), after "secure" insert "or to enable to be secured".
(3) For"THE BARONESS ANELAY OF ST JOHNS
THE VISCOUNT BRIDGEMAN
173 Page 32, line 13, after "person" insert "aged 18 years or over"Clause 40
THE EARL OF NORTHESK
174 Page 32, line 25, leave out from beginning to end of line 2 on page 33 and insert—"3 Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc
(1) A person is guilty of an offence if—
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.
(2) This subsection applies if the person intends by doing the act—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in subsection (2) above.
(4) The intention referred to in subsection (2) above, or the recklessness referred to in section (3) above, need not relate to—
(a) any particular computer;
(b) any particular program or data; or
(c) a program or data of any particular kind."
This amendment really does not make much difference to the Government's exisiting wording regarding Denial of Service attacks. Either way this clause will be unenforcable in practice.
What is the quantitative defintion of "impair" or "hinder" ? By exactly how much and for how long, does a computer system have to be slowed down for a criminal offence to have been committed ? Why should the often overhyped "normal" performance claims of manufacturers or service providers actually be believed without independent certification ?
It is utterly ridiculous to try to encompass the differences between malicious Denial of Service attacks, with incompetent or simply under specified systems experiencing normal traffic surges and congestion.
Who exactly is going to write and honour immutable Service Level Agreement contracts whiich exactly quantif , for example Internet "performance" or data transfer speeds, under all circumstances ?
The complicated problem of Denial of Service attacks need a Bill of its own, with many caveats and exemptions, not merely a few lines appended to a much larger Home Office Bill dealing mostly with changes to the administration of the Police .
The Earl of Northesk even introduced a Computer Misuse (Amendment) Billl back in 2002 in order to stimullate debate on this topic.
THE BARONESS ANELAY OF ST JOHNS THE VISCOUNT BRIDGEMAN 175 Page 32, line 26, after "person" insert "aged 18 years or over"THE EARL OF NORTHESK
176 Page 33, line 6, at end insert—
"( ) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily"THE BARONESS ANELAY OF ST JOHNS
THE VISCOUNT BRIDGEMAN
177 Page 33, line 7, after "person" insert "aged 18 years or over"
Probably the most important of these Lords' Amendments is the this last one:
Clause 41THE EARL OF NORTHESK
178 Page 33, leave out line 24
Line 24 currently reads as:
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or
(b) believing that it is likely to be so used.
This is the controversial sub-clause which threatens to criminilise all competent IT systems administrators and telecommunications network operators, operating system software developers, IT security specialists etc.
All of these people know and believe that the tools they use or develop or modify every day, for legitimate purposes, could be used, and are being used to "commit" or to "assist in the commission" of unauthorised computer access or denial of service attacks.
It would be bettter still if the amendment also removed the phrase "assist in the commission" from the Clause 41, because it is far too broad and catch all . The web browser software you are probably using to read these words can easily be used to "assist in the commssionon" of these computer misuse crimes, so you, dear reader, will also be criminalised by this Bill if it passes unamended.
If the Government does not accept this amendment by Lord Northesk, it will result in severe economic damage to the economy of the United Kingdom:
Either our IT systems and networks will no longer be secure, because they will not be able to be tested properly by their legitimate operators, or such systems and network operations functions and jobs will have to be moved overseas.
Don't know if you saw today's JCHR report on scrutiny of the bill? It's at http://www.publications.parliament.uk/pa/jt200506/jtselect/jtrights/186/18605.htm#a3
They don't seem unduly worried by any of it.
Tuesday's Committee stage did not get as far as these Computer Misuse Act amendments.
There are another two time slots scheduled for the Lords' Committee stage of the Police and Justice Bill on Tuesday 4th and Thursday 6th July 2006.