Clause 35 - Making, supplying or obtaining articles for use in computer misuse offences
Police and Justice Bill
11:30 am
Lynne Featherstone (Shadow Minister, Home Affairs; Hornsey and Wood Green, Liberal Democrat)
I do not profess to be a computer expert or a computer hacking expert. I was contacted about the Bill by a constituent who is a computer security consultant, a visiting research fellow at the London School of Economics and an established expert on computer security. His remarks about the Bill have a serious bearing. He pointed out that the drafting is sloppy because it means that legitimate computer consultants could be breaking the law by using tools that are used for hacking, even if there are legitimate security reasons for using those same tools.
Obviously, many tools that are traditionally used by hackers are used by security consultants when checking a system to make it safe from hacking. For example, remote administration is used in many offices by IT staff to help with a malfunctioning computer. I have rung up, as I am sure that we all have, for help when it is needed and they effectively hack into systems to help us out. That is little different from the traditional trojan, which allows a hacker to open programs on a different computer.
The current wording states that the law will be broken by anyone who makes, supplies or offers a program that is designed for use for an offence under section 1 or 3 of the Computer Misuse Act 1990, or intends to use those programs to commit any of the same offences. Our amendment would change the “or” to “and” to ensure that an offence is committed only when there is possession and intent to use the programs for the purposes of hacking, and so a security consultant using them legitimately to check that a system is secure would not be caught by the drafting.
Out of interest, I was moving around the internet, so to speak, and we stand condemned as a Committee on both sides by computer experts. They describe our handling of the subject as substandard. They particularly find fault with the Government’s approach, and Government amendment No. 148 has the distinction of making that substantially worse. Under the previous wording, a software developer had to know that their software was designed as a hacking tool or that it was intended for that purpose. Under the amendment, they will need only to intend it to be used or believe that it is likely to be used for that purpose. It is down to their belief. Those in software development are fully aware of the capabilities of software. We do not know what we are talking about.
Although Liberal Democrat were admonished—albeit only slightly—we received the endorsement that our suggestion to change “or” for “and” at the end of paragraph (a) would at least link what a developer believes their software may be used for with intent, but make the other bit about belief redundant. Although the Government have tabled their amendment as a late entry to try to get it right, it would seem that the computer industry is still criticising their amendment. I would prefer them to stick to our amendment, which has at least a slight endorsement from the computer experts, who have clearly been chattering long and hard. Their view is that the Government should have made more of an effort to get it right in the first place.
The Government have had a long time to think about the provision. They have received reports from the all-party group on the internet and from the internet crime forum, which is a Home Office consultative body. I understand that the original wording was not set out in consultation with anyone, expert or otherwise. I do not think that either side comes out particularly brilliantly, but I am trying to amend our lack of knowledge.