[ISN] Lord battles government over cybercrime laws

Wed Jun 21 02:13:54 EDT 2006

http://news.zdnet.co.uk/internet/security/0,39020375,39276193,00.htm

Tom Espiner
ZDNet UK
June 20, 2006

Lord Northesk wants to protect IT pros and the police from 
criminalisation, and nail down the law covering denial of service 
attacks

Sweeping changes to UK computer crime laws have been proposed by a 
Conservative peer.

Lord Northesk is seeking to amend the Computer Misuse Act (CMA) 1990 
to give the police and judiciary greater "legal clarity" when dealing 
with computer crime.

The proposed changes would alter the law regarding launching denial of 
service attacks, the creation of tools that could be used for hacking, 
and bot attacks.

The UK government is currently trying to update the CMA through 
amendments in the Police and Justice Bill 2006, which will be debated 
in the House of Lords this week. Northesk has proposed amendments to 
the government's own amendments.

As it stands, paragraph 1b of Clause 41 of the Police and Justice Bill 
would make it an offence to release a computer tool that is "likely to 
be used" in a computer offense. As reported last month, experts are 
concerned that the government's proposals would have criminalised IT 
and security professionals who make network monitoring tools publicly 
available or who disclose details of unpatched vulnerabilities.

Northesk's amendments, if passed, would see this paragraph deleted. He 
believes that it could even criminalise the police, if they create and 
distribute tools for forensic investigation.

Northesk is pushing for the concept of recklessness to be introduced 
into the updated CMA. He is seeking to amend Clause 40 of the Police 
and Justice Bill so that malicious denial of service (DoS) attacks are 
criminalised by the CMA but legitimate political protests that slow 
down servers would not be.

"The key point in Clause 40 is the inclusion of recklessness and 
intention [in launching attacks]. With effective civil disobedience, a 
whole series of people petition online [which may cause servers to 
crash]. Under the current draft this form of legitimate protest may be 
denied," said Northesk.

"The purpose of the Clause 40 amendment is to address the fundamental 
issue that a lot of Internet activity - such as electronic civil 
disobedience - currently comes under CMA."

By introducing the issue of recklessness, Lord Northesk also hopes to 
protect the police themselves from prosecution. "With [establishing] 
recklessness there is no bar on forensic hacking," he said.

Northesk has also proposed modifying Clause 39 of the Police and 
Justice Bill so that Trojan horse software that inserts itself onto a 
system, allowing remote access by hackers, will be specifically 
covered by the law.

"The current text of the CMA doesn't deal with bot attacks — inserting 
software onto a machine that allows remote attacks," said Northesk.

The peer said he hopes the legislation will enable the police and 
judiciary to better tackle cybercrime, and provide the government with 
guidance in understanding it.

"I'm a great believer in legal clarity. Too often within government 
it's not properly understood that which is trying to be achieved. In 
the desire to future-proof legislation, they tend not to address 
problems that are sitting there because they are seen as difficult to 
understand," Northesk told ZDNet UK.