Derek Conway (Old Bexley & Sidcup, Conservative)

With this it will be convenient to discuss amendment No. 60, in clause 35, page 30, line 18, leave out ‘or’ and insert ‘and’.

Lynne Featherstone (Shadow Minister, Home Affairs; Hornsey & Wood Green, Liberal Democrat)

I do not profess to be a computer expert or a computer hacking expert. I was contacted about the Bill by a constituent who is a computer security consultant, a visiting research fellow at the London School of Economics and an established expert on computer security. His remarks about the Bill have a serious bearing. He pointed out that the drafting is sloppy because it means that legitimate computer consultants could be breaking the law by using tools that are used for hacking, even if there are legitimate security reasons for using those same tools.

Obviously, many tools that are traditionally used by hackers are used by security consultants when checking a system to make it safe from hacking. For example, remote administration is used in many offices by IT staff to help with a malfunctioning computer. I   have rung up, as I am sure that we all have, for help when it is needed and they effectively hack into systems to help us out. That is little different from the traditional trojan, which allows a hacker to open programs on a different computer.

The current wording states that the law will be broken by anyone who makes, supplies or offers a program that is designed for use for an offence under section 1 or 3 of the Computer Misuse Act 1990, or intends to use those programs to commit any of the same offences. Our amendment would change the “or” to “and” to ensure that an offence is committed only when there is possession and intent to use the programs for the purposes of hacking, and so a security consultant using them legitimately to check that a system is secure would not be caught by the drafting.

Out of interest, I was moving around the internet, so to speak, and we stand condemned as a Committee on both sides by computer experts. They describe our handling of the subject as substandard. They particularly find fault with the Government’s approach, and Government amendment No. 148 has the distinction of making that substantially worse. Under the previous wording, a software developer had to know that their software was designed as a hacking tool or that it was intended for that purpose. Under the amendment, they will need only to intend it to be used or believe that it is likely to be used for that purpose. It is down to their belief. Those in software development are fully aware of the capabilities of software. We do not know what we are talking about.

Although Liberal Democrat were admonished—albeit only slightly—we received the endorsement that our suggestion to change “or” for “and” at the end of paragraph (a) would at least link what a developer believes their software may be used for with intent, but make the other bit about belief redundant. Although the Government have tabled their amendment as a late entry to try to get it right, it would seem that the computer industry is still criticising their amendment. I would prefer them to stick to our amendment, which has at least a slight endorsement from the computer experts, who have clearly been chattering long and hard. Their view is that the Government should have made more of an effort to get it right in the first place.

The Government have had a long time to think about the provision. They have received reports from the all-party group on the internet and from the internet crime forum, which is a Home Office consultative body. I understand that the original wording was not set out in consultation with anyone, expert or otherwise. I do not think that either side comes out particularly brilliantly, but I am trying to amend our lack of knowledge.

Derek Wyatt (Sittingbourne & Sheppey, Labour)

May I reassure the hon. Lady? I had a ten-minute Bill on the Computer Misuse Act 1990, based on the all-party group on the internet’s inquiry, which was almost a Select Committee-style inquiry.

The provision has the approval of the whole computer industry, so I am fascinated that the hon. Lady has picked up on groups of people on the internet who do not like it. We have worked with the industry   for the past two and a half years to get it right. Moreover, we have worked with the Home Office and with the industry’s approval. We have been in and out of the Home Office and worked on the clauses and their interpretation. Last week, I was with some of the team who were trying to understand better how we could tweak and rephrase things. I am absolutely confident that we have got it right. If I did not think that, I would say so.

I applaud the way in which the Home Office has worked with MPs from all sides over the past few years on this tiny piece of legislation. It repeals the 1990 Act—imagine what a computer looked like in 1990—and will be the best piece of legislation, I believe, in the world. It beats what America or Australia are trying to do. The hon. Lady should have more confidence in the way in which hon. Members on both sides of the House have worked on the issue, including on the Government amendment.

James Brokenshire (Hornchurch, Conservative)

My understanding is that the clause is intended to implement, in part, the Council of Europe’s cybercrime convention, which was established in 2001, as we heard. As the hon. Member for Sittingbourne and Sheppey (Derek Wyatt) stated, agreement on creating appropriate provisions to deal with such protections has been long coming.

Cybercrime afflicts us all in our daily work, with its cost to business and our economy. The ease of conducting one’s affairs is significantly impaired if one discovers that one’s computer has a virus and all the information on it is lost. That can damage a person’s personal affairs or, if they rely on a computer system to support their business, their ability to continue trading. I therefore welcome the thrust of clause 35 and the preceding clauses.

However, I do not necessarily agree with the linkage that the hon. Member for Hornsey and Wood Green mentioned in relation to her amendment No. 60. I take her amendment more to be an attempt to seek clarity for the industry, so that it knows that legitimate computer programmers, carrying out their ordinary business of merely supporting computers, but without any intent to help a computer hacker damage computer systems in this country or abroad, will not be penalised or fear that their actions may inadvertently result in their committing a criminal offence, unless there was some intention or even recklessness on their part.

It was interesting that Government amendment No. 148 was moved formally. I hope that the Minister clarifies the rationale behind the change. It was interesting to hear from the hon. Member for Sittingbourne and Sheppey that the proposal had been debated for some time, to give the industry that assurance, so it is perhaps a little surprising for a further change to come through at this late stage. The amendment clearly changes the emphasis behind the original drafting, which referred to a person

“knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3”.

I can understand that the breadth of that provision required some tightening up, hence the Government’s amendment.

It is interesting that the new wording suggested in proposed new section 3A(1)(b) of the 1990 Act refers to a person

“believing that it is likely to be so used”—

in other words, so used in the performance of a crime under section 1 or 3 of that Act. I have some questions about that, although I respect the hon. Gentleman’s comments about the industry feeling comfortable that the provision provides the protections.

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

It is not for me to speak for the Liberal Democrats, but I think that my hon. Friend should recognise that perhaps amendment No. 60 was based on the Bill’s original wording, which the Government have recognised is defective. I suspect—although I hope to catch your eye later on this, Mr. Conway—that Government amendment No. 148, so ably tabled by the Minister for Policing, Security and Community Safety, gets around that problem.

James Brokenshire (Hornchurch, Conservative)

As always, I am grateful to my hon. Friend for his interventions, which help us to gain clarity. I agree and understand that the Government’s amendment was, perhaps, in response to the amendment that the hon. Member for Hornsey and Wood Green tabled to gain that clarity. I am sure that we will discover more when the Minister, the right hon. Member for Salford (Hazel Blears), gives some detail on the background to the case—and I would not dream, of course, of creating a new constituency for the right hon. Lady, as she so kindly created a new one for me.

The issue is gaining clarity on the new wording, and the new test set out in proposed paragraph (b) of

“believing that it is likely to be so used”.

There are two tests: the belief that an article is likely to be so used, and the intention that provision is intended to cover. What proof would be required to show that somebody thought that the article was likely to be used to commit an offence? What test would the prosecutors adopt? We need clarity on the extent and ambit of the provision to ensure that it catches those people who are reckless with the coding or other tools that they create to facilitate the perpetration of cybercrime—a serious and increasing crime that all of us must deal with.

The legislation must provide that protection, but it must not catch people who seek legitimately to provide in the ordinary course of their business services to the computer community. I hope that we can gain satisfaction on that point. It is important to have provisions on the statute book that seek to address this important issue.

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

With regard to the point made by my hon. Friend, the county of Brokenshire is much more attractive than the county of Blears, but as you, Mr. Conway, were not present when that exchange took place, I had better move on.

I have the greatest regard for the all-party internet group, which I co-chaired with the hon. Member for Sittingbourne and Sheppey. If there have been three years of close liaison with the Home Office, however, I am concerned about why Government amendment No. 148 has been tabled only at the very last moment and after the Liberal Democrats—far be it from me to praise the Liberal Democrats for surfing the internet and looking at Computer Weekly or whatever magazine they read avidly—suggested it. I welcome the amendment and I can reveal to the Government Whip, the hon. Member for Enfield, North (Joan Ryan), that we shall not vote against it. However, we would have voted against proposed new section 3A(1) of the 1990 Act as it stands.

If I remember correctly from my law degree, which I completed a long time ago—I have never practised law either—there must be something important called mens rea: a guilty mind. There has to be a guilty mind or intent. Mere possession of something without the intent to commit a crime is not an offence in English common law. The situation has now been rectified. Under subsection (1) as it currently stands, a crime could have been committed without a guilty mind or intent, which is plainly wrong. That is why it is welcome to see Government amendment No. 148, which deals with

“intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or ... believing that it is likely to be so used”.

I hope that the Minister will explain. She has had three years of detailed negotiations, during which the hon. Member for Sittingbourne and Sheppey has been constantly coming in and out of the Home Office and banging on her door. I dare say that she has constantly been going to Norman Shaw, North to seek advice from the hon. Gentleman, who is so respected as chairman of the all-party internet group. Why is it that despite all that intimacy, if I may use that word, Government amendment No. 148 has suddenly emerged only now, at the very last minute? It is a mystery.

The hon. Member for Hornsey and Wood Green (Lynne Featherstone) was right to raise the issue that hacking tools are often used by computer technicians to rectify problems. I have been very stressed since Monday morning, when I switched on my desktop computer in Norman Shaw, North only to get an error message and find that I could not access my programmes, my e-mail or anything else. Fortunately, I have another computer. I phoned extension 2001 and eventually managed to speak to an intelligent life form, although it took a little while, as we know happens with extension 2001.

Derek Conway (Old Bexley & Sidcup, Conservative)

Order. The hon. Gentleman’s travails are deeply fascinating to the Committee, but we have to get back to the amendment under consideration.

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

As ever, I accept your guidance, Mr. Conway. Mr. Graham Lugton, who I suspect is in my room this very moment, might be using that software.

Stephen Pound (PPS (Rt Hon Hazel Blears, Minister of State), Home Office; Ealing North, Labour)

Wiping your history, I hope.

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

The hon. Gentleman says from a sedentary position that my hard drive might be being wiped out. I fear that that may be happening, although I am told that it is not. My point is that Mr. Lugton might have in his briefcase—quite legitimately, in my opinion—software to enable him to hack into my hard drive to rectify the situation and get my computer working again. Under proposed new section 3A(1) of the 1990 Act, he would be committing an offence.

If the Bill is enacted as it stands, without Government amendment No. 148, I can imagine entire columns of people being removed from the parliamentary ICT service. Some would argue that our computers might work better, but that might go off the subject, so I will not test your patience, Mr. Conway. Nevertheless, it is a clear demonstration that one might need to possess that sort of software to do actions for good rather than for ill.

James Brokenshire (Hornchurch, Conservative)

My hon. Friend has clearly set out the case for such protections. I hope that his hard drive has not been wiped during his absence in Committee. Does he also accept that it is important to have a further offence, not just involving an intention—for instance, the creation of a tool that could be used in cybercrime—but requiring an additional test? I appreciate that that might be difficult. Perhaps the Minister will clarify it. What if someone is reckless or says, “I didn’t intend it specifically to be used,” although a factual trail shows that that was the practical end effect?

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

My hon. Friend makes an interesting point. Government amendment No. 148 refers to

“believing that it is likely to be so used.”

That creates a duty of care. The Minister will probably strengthen or endorse the amendment by stating that there is a duty of care to ensure that the software does not fall into the hands of those who might use it unlawfully.

The issue is important, and it is right that magazines have identified it. I assume that it was Computer Weekly—[Interruption.] It is in fact the Liberty Central website, with which I am not familiar. Nevertheless, we welcome the fact that Liberty Central has identified the issue. Given the constant liaisons, night and day, and at weekends, between the chairman of the all-party internet group and the Minister, and the fact that the Home Office is so dependant on the hon. Member for Sittingbourne and Sheppey for the very workings of government, I am shocked that it has taken so long for the Government amendment to arrive. Nevertheless, despite its belated appearance, I welcome it.

Lynne Featherstone (Shadow Minister, Home Affairs; Hornsey & Wood Green, Liberal Democrat)

I am delighted that amendment No. 60, which was tabled very early, has had such a positive effect on the Government that they have tabled their amendment. We broadly welcome it; it is much better than we thought it might be. There was a danger that an offence would unintentionally be created in respect of a whole range of computer experts, so that they would be illegally hacking unintentionally. I am glad if our amendment flagged up that point to the Government.

I am no expert in these matters, and I have listened to advice from a wide range of sources. I will give to the hon. Member for Sittingbourne and Sheppey the document I printed off the internet on the independent inquiry into Britain’s democracy. I believe that its writer knows what they are talking about and is an expert in computers.

We broadly welcome the Government amendment, and I am glad that I was able to raise this issue by tabling our amendment.

Hazel Blears (Minister of State (Policing, Security and Community Safety), Home Office; Salford, Labour)

Clearly, this is an important area, as the hon. Member for Hornchurch (James Brokenshire) outlined, and it also enables us to implement our various responsibilities under European legislation.

One of the things that the Serious Organised Crime Agency is set up to do is ensure that we can intervene further up the chain when offences are committed—to do much more prevention work and disruption work around areas such as cybercrime. Often, the products involved are available on the internet and can be easily downloaded by end users. This is the important question: how do we get to the manufacturers and suppliers of such internet tools, which can be put to such devastating effect in terms of denial of service? The hon. Member for Lichfield talked about the possibility of his hard drive being wiped out completely. I think all Committee members support the intention to ensure that we can disrupt such crime, which is an increasing problem.

We must also seek to draw the line in the right place, so that we prosecute and bring to justice the people who are working with the intention of disrupting computers, but do not prosecute people who are carrying out legitimate activity. My officials tell me that the clause has been contentious because it is felt that, as drafted, it could criminalise legitimate penetration testers, vulnerability testers and the wider IT security industry. I am sure that there is a perfectly proper definition of what is a legitimate penetration tester, but I will leave that to the cybercrime industry.

Like the hon. Member for Hornsey and Wood Green, I am not an expert in this area, but I am keen to ensure that our law enforcement agencies have the powers that they need to protect the community.

Michael Fabricant (Whip, Whips; Lichfield, Conservative)

I rise to ask a question, not on the subject of penetration, but about the Department of Homeland Security in the United States. It, too, recognises the potential for cyberterrorism, such as a sustained attack on a Government or on the utilities in a country in order to cause breakdown. The United   States has put huge resources into countering such an attack. Is the Home Office taking cyberterrorism seriously and are similar resources being devoted to establishing a similar protection not only for Government computer systems and police computer systems, but for our national utilities?

Hazel Blears (Minister of State (Policing, Security and Community Safety), Home Office; Salford, Labour)

I am sure that the hon. Gentleman is aware of the counter-terrorism strategy, CONTEST, which has four strands—to prevent, pursue, prepare and protect. One of the most important areas is protecting the country’s essential national infrastructure. That relates not only to computer areas, although they are important, but to the various installations that provide the very fabric of life in our country. We are therefore constantly aware of the need to prepare as best we can.

The hon. Gentleman spoke about the influence of my hon. Friend the Member for Sittingbourne and Sheppey in this area. First, I am grateful to my hon. Friend for the work that he has done as chairman of the all-party internet group; he has liaised not only with Members of Parliament, but with industry, in order to bring us some expertise. It is right that Departments should be open to discussions and seek to draw in whatever information they can, and I am grateful to him for his role in that.

I can tell the hon. Member for Lichfield that we constantly have discussions with industry. Computers, the internet and the use of information are part of a fast-moving world. It is not a matter of coming late to the party, but an attempt to refine and get the balance right. That is the reason for the amendment.

Derek Wyatt (Sittingbourne & Sheppey, Labour)

I reassure my right hon. Friend and the hon. Member for Lichfield that a significant private event happened in Washington in February, in which the Government were represented by the secret services and Departments. It considered the very issue that the hon. Gentleman raised. I reassure him that our contribution was substantial; in fact, it was much better than that of the homeland security people in America.

Hazel Blears (Minister of State (Policing, Security and Community Safety), Home Office; Salford, Labour)

That is very reassuring.

I agree with the hon. Member for Hornsey and Wood Green that the new offence to be inserted into the Computer Misuse Act 1990 under clause 35 goes rather wider than originally intended. As drafted, the offence could inadvertently have caught people testing the resilience of their own systems. We explored the approach suggested by the hon. Lady, but it set too stringent a test. If the two limbs of the offence needed to be fulfilled in order for an offence to be committed, it could be difficult to prove the commission of the offence.

The formulation that we have come up with in amendment No. 148 aims to achieve the same outcome as the hon. Lady suggested, but sets it out in a better way. First, we have the limb of clear intent. The hon. Member for Lichfield’s law degree stands him in good   stead: there needs to be mens rea. I am pleased to say that his memory has not been wiped. The second limb is that it should be believed

“likely to be so used”.

That is a recklessness test, but a subjective one. If the hon. Member for Hornchurch cast his mind back to our recent debates on the Terrorism Bill, he will realise that we have a similar formulation. The test is similar, but it takes us a little further, so that people who believed that the article was likely to be used in that way would be guilty of an offence. That has a deterrent effect

It is important that people who believe that an article is likely to be used to disrupt systems illegally should not be making it or supplying it. The word “likely” is pretty well known in our legal system, and is not completely open; it is a matter for the courts to decide. Before deciding whether a person is guilty of an offence, a court must take into consideration whether he knew that the tool would probably be used or was expected to be used to commit an offence—that is the kind of sense that the court will consider, but it clearly depends on the evidence. The offence is a criminal offence, so it has to be proved beyond reasonable doubt. Courts will consider the surrounding circumstances, but they are pretty familiar with the meaning of likelihood.

I believe that we have drawn the line in about the right place to send out the clear message to people who make and supply programs that can cause devastating damage not to do so, but not to criminalise legitimate software developers. I note that the hon. Member for Hornsey and Wood Green said on her website—we Ministers surf the net too—that despite her valiant efforts at our last sitting,

“Hazel was stony ground as per usual”,

and refused to move. I hope that she Lady will agree that today, I have been amenable, that I have listened and been flexible, was open to persuasion and came forward with an amendment that will achieve the outcome that she wants. I hope that she will reflect that in the next entry on her website.