Ethical hackers could find themselves prosecuted under the CMA
Universities and researchers are concerned that wording in the amended Computer Misuse Act could criminalise legitimate IT security activity.
Although generally welcomed by the IT community, especially for criminalising Denial of Service (DoS) attacks, the new law which modifies the 1990 act could put developers of some software tools or even those warning of security flaws at risk of prosecution.
The new Act will make a person guilty of an offence "if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, [a hacking offence]".
Richard Clayton, a security researcher at Cambridge University explained: "A lot of tools are used legally for good purposes but they could also be used for bad. It is also possible that someone who publishes warnings about security flaws could be prosecuted."
For example, problems for researchers could arise from the development of what are known as "dual use" tools. These are commonly used by IT security professionals to test security, and it is not an offence to use them with express permission.
However, the worry is that if hackers get hold of legitimately developed tools for their exploits, the developers could be prosecuted.
"Development of tools such as nmap, which are used by security professionals to check if a network is insecure or not, can also be used for malicious purposes. Now the Home Office has decided it is up to the distributors of these tools to decide if the people getting them are the good guys and the bad guys," Clayton said.
He is scathing of putting this onus on the industry and the way these developers are meant to police these tools.
"The Home Office says developers could be committing an offence if they believe that more than 50 per cent of users are going to be bad guys. It is an unreasonable way to assess the risk. People who are risk averse are going to back away from this research," he said.
He said he was already aware of universities getting "extremely twitchy" about running courses this year on computer security and ethical hacking.
"How can a professor assess if a first year undergraduate is going to use the knowledge for good or bad? They are also concerned about running paid-for short courses," Clayton warned.
Another fear, Clayton explained, is that the wording in the new law could be stretched to apply to published security alerts. The word "article" is defined in the Act to include "any program or data held in electronic form".
"The wording makes the law very grey. People are worried that even publishing information about a vulnerability in a piece of software's security which is then used by the bad guys to launch an attack might qualify as an offence," said Clayton.
He said this could allow software companies to block publication of their products' flaws.
However, Paul Wood, chief information security analyst at security company MessageLabs, was less concerned and did not feel there was a risk to researchers.
"There is just more onus on the developer to be more responsible. So called ethical hackers, whatever that means, just need to tighten up their act and only discuss vulnerabilities in their own communities," he said.
Meanwhile, Clayton and other security researchers are waiting for the Director of Public Prosecutions to publish some guidelines.
"We look forward to seeing these as soon as possible," he said.