Government issues guidelines in response to lobbying.
The British government has published a set of guidelines for the application of a law that makes it illegal to create or distribute ‘articles for use in computer offences’.
The piece of legislation in question was among several amendments to the Computer Misuse Act 1990 that were introduced into UK law in November 2006 as part of the Police and Justice Act. While the law is clearly intended to protect against the malicious use of hacking tools, many in the security industry are concerned that the broadness of the description contained in the clause could affect the use of many valuable utilities and techniques in security and malware research. A large number of the tools and techniques used by malware researchers can be deemed to have dual use – while in the right hands they are useful tools for research, in the wrong hands they can be used for malicious purposes.
The wording of the clause prohibits the creation, adaptation or use of any tool which could be used to breach security, whether the developer or user intends it to be or only believes it is likely to be. Some commentators have suggested that this could even be taken as far as to outlaw the use of web browsers, as a poorly protected machine could be accessed without the need for more devious software.
The government’s new set of guidelines come as the result of industry lobbying and address some of the concerns about these ‘dual-use’ tools.
The guidelines state that in order to prosecute the author of a tool it should be possible to show that it has been developed primarily, deliberately and for the sole purpose of committing computer crime (gaining unauthorised access to computer material). Other considerations the guidelines recommend to be taken into account are whether the tool is available on a wide-scale commercial basis and sold through legitimate channels, whether the tool is widely used for legitimate purposes and whether it has a substantial installation base.
While critics argue that open source tools are excluded from the category of items that are available on a wide-scale commercial basis, and that rapid product innovation will also result in items that fall through the net, the guidelines do represent a small step towards the clarification of the law – and it seems a little less likely that large numbers of the anti-malware community will end up behind bars, at least at this juncture.
The ban – along with other amendments to the Computer Misuse Act – is expected to come into force in May this year.
Posted on 05 January 2008 by
Virus Bulletin
Leave a Reply