Last Wednesday, after some delays along the way, the Government finally passed an Act introducing a new "denial of service" offence, punishable by up to ten years in prison. The text of the draft bill, including the relevant wording, can be found here - see section 34 in relation to the offence for carrying out "unauthorised acts with intent to impair operation of computer".
As we have previously reported, the existing Computer Misuse Act had been widely criticised for being out of date and leaving loopholes for denial-of-service attackers to exploit, notably in the wake of the initial acquittal of David Lennon a year ago after he initiated the sending of millions of emails to an ex-employer. Though Lennon was subsequently sentenced to a two-month curfew on appeal under the existing law, the Government has nonetheless pressed ahead with the change, which should address some areas of ambiguity.
The new Act also introduces an offence of "making, supplying or obtaining articles for use in computer misuse offences", which might catch, for example, anyone creating a virus and making it available for distribution by third parties.
What does "making, supplying or obtaining articles" mean? The text of the bill states that you have to know it'll be used to offend or that you intend it to be used to offend; does, for example, a full-disclosure mailing list which posts details of how to exploit a security hole contravene this provision?
Posted by: Stuart Langridge | November 14, 2006 at 11:57 AM
Hey Peter,
When I saw the reference to you on Human Law: http://humanlaw.typepad.com/ I had to get in touch.
Check out my blog - a slightly different style, but you may recognise me from the shadows...
All the best,
Corporate Blawg
Posted by: Corporate Blawg | November 14, 2006 at 01:42 PM
The draft linked to is quite an old one, and I believe the text of those clauses has changed quite a bit since January. Irritatingly I can't find a more recent copy on either Parliament's or OPSI's websites. There's a somewhat more recent draft (bill 151, from July), though. The relevant bit is the new s.3A(2) of the Computer Misuse Act which reads,
"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, [the other CMA offences]"
So, for instance, if I offer up GCC on my website, in the knowledge that some of the people who download it may well be script kiddies who will use it to compile exploit code, am I guilty of the offence? It comes down to how "likely" is interpreted. Tony McNulty, a Home Office minister, wrote in a letter to an MP:
"the mere fact that manufacturers and suppliers know that a small percentage of their software are likely to be used to commit offences, does not mean that they are committing an offence, because in the vast majority of cases the software will not be used for criminal purposes and therefore they could not be said to believe that any individual copy was likely to be so used."
I don't know whether this assurance is worth anything (and in any case I might still be guilty of the offence if for some reason lots of script kiddies used my website but few legitimate users did).
An interesting comparison is with the bits of copyright law that prohibit certain "devices" (including software) which could be used to infringe copyright or remove copy-protection. s.24 of the Copyright, Designs and Patents Act requires such a device to be "specifically designed or adapted" for the infringing purpose, and for its distributor to "[know] or [have] reason to believe" that the recipient would use it in an infringing manner before the distributor is infringing. s.296 applies only to devices whose "sole intended purpose" is the prohibited use. s.296ZB applies only to devices which are "primarily designed, produced or adapted" for the infringing purpose.
Since the Home Office did not put such a test into the new Act I presume that they in fact intend the new offence to cover "articles" which have substantial legitimate uses. Or they could just be incompetent, I suppose.
Posted by: Chris Lightfoot | November 14, 2006 at 11:52 PM