Sunday, March 26, 2006

Hacking Tools, the law!

Hacking tools' law goes from bad to worse
Written by Unity
Friday, 24 March 2006
Section 35 of the Police and Justice Bill, which amends the Computer Misuse Act in a poor effort to make the development and supply of 'hacking tools' illegal, has been debated at the committee stages of the Bill - for all of ten minutes judging by the amendments that have been tabled.

Our starting point for this is the original text of section 35(1):

A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or

(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.


This has now been 'Bleared' (as in Hazel) to read:

A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—

(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or

(b) believing that it is likely to be so used.


Far from improving the legislation, which is ostensibly what standing committees are for, Hazel Blears has the singular distinction of making it substantially worse. Under the previous wording a software developer had to know that their software was designed as a 'hacking tool' or that it was intended for that purpose; now they only need to have intended it to be used for that purpose or BELIEVE it is likely to be used for that purpose.

It is axiomatic in software development that the programmer/developer is fully aware of the capabilities of the software they develop and, in the case of password auditing tools and other legitimate software that could be used by a hacker, of how it could be misused by people intent on gaining access to computer systems/data without authorisation. In short, it's nigh on impossible for anyone developing such software not to believe that it could be misused and therefore that it is likely to be used, somewhere along the line, for committing a criminal offence.

With Blears' amendment we've actually gone from a position where a sizeable proportion of a good system administrator's 'toolkit' could be illegal under this new law to one where it almost certainly will be illegal.

And how have the opposition responded to this?

They've suggested changing 'or' for 'and' at the end of (a), which would at least link what a developer believes their software may be used for with their intent but, in fact, makes the bit about 'belief' entirely redundant.

Substandard doesn't come close to describing the Committee's handling of this matter.
