The too long arm of the law

Last year's case of Daniel Cuthbert determined that something as simple as checking for basic vulnerabilities on a website might be considered an offence. Having made a donation to a Tsunami appeal, he became concerned that the site he'd handed his credit card details to might be a fake, so he did some gentle probing. Cuthbert's checks set off the IDS, and he was later treated to the obligatory knock on the door.

Carrying this logic across to more conventional crime, if I suspect my elderly neighbour has left her door unlocked and test the handle, should I be convicted of attempted burglary? If not, why take a different approach to computer law?

One of the amendments to the Act, proposed in the Police and Justice Bill 2006, is that the possession or creation of "hacking tools" should be an offence. This is, in effect, an attempt to add a computer crime version of the traditional "going equipped" offence. It sounds rather straightforward – but for the troublesome fact that most tools require malicious intent to turn them into hacking tools. A point the Government's own independent advisory group made explicitly clear in its consultation report.

Unfortunately, the proposed changes do not mention intent. The idea that a guilty act must be accompanied by a guilty mind is a basic legal tenet.

If the law comes into force, legitimate users of such tools will face the difficult choice of either breaking the law or having their technical capabilities drastically reduced. Penetration testing will become pretty much pointless, as testers will be unable to use the same attack tools as criminals. Meanwhile, the real criminals will ignore it altogether.

The change required to the proposed legislation is simple: changing "or" to "and" would require that the use or creation of a tool would only be an offence if there were criminal intent. Of course, this still leaves intact the principle of "unauthorised access" that put Daniel Cuthbert in the dock.

If this trend carries on, I expect we will see many more prosecutions under the Computer Misuse Act, but of security consultants and innocent amateurs, not the real criminals.