Police and Justice Act 2006
Introduction
The Police and Justice Act 2006 has amended the Computer Misuse Act 1990 under the section called 'Miscellaneous Part 5 Computer Misuse amendments'. Sections 35-38 of the Police and Justice Act 2006 will amend the Computer Misuse Act 1990 when in force. The Act was given Royal Assent and accepted into UK law on Wednesday 8 November 2006. (The Act is not fully in force as of 13:10, 25 March 2007 (BST), per Ron Barker.)
Executive Summary
Clause 39 doubles the maximum jail sentence for hacking into computer systems from five years to ten years.
Clause 40: the intent of this clause is to make Denial-of-Service attacks illegal. This was needed as the old law did not make clear whether DoS attacks were an offence. The new clause clarifies this grey area and makes it clear that they are an offence. Lord Northesk succeeded in introducing the issue of recklessness into the clause during the Lords Committee stage, fixing the worries experts had with this clause.
Clause 41 is a bad piece of legislation and it should be removed. This clause intends to ban the development, ownership and distribution of so-called "hacker tools", which is troubling as it does not make allowances for security personnel who must have ways of testing the security of systems. It is the technical equivalent of someone who knows nothing about the building industry, but knows that sledgehammers are being used to break down doors, banning the production, ownership and sale of sledgehammers. (Note: A person will only be guilty of an offence if he 'intends' or 'believes' the article/s will be used to commit or assist in the commission of an offence under sections 1-3; or if he obtains any article with a 'view to its being supplied' for use to commit, or to assist in the commission of, an offence under section 1 or 3.)
Clause 42: the only problem with this clause is that attacks, probes, etc. that started before the commencement of this bill but are still ongoing are not covered by this bill.
The amendments to the Computer Misuse Act have become law in the United Kingdom, having passed the Lords Committee stage of the UK legislative process. More information on the amendments tabled as part of the Police and Justice Act 2006 follows below.
The Amendments
Increased penalty etc for offence of unauthorised access to computer material
This used to be clause 33, then clause 36, and is now clause 39.
- (3) A person guilty of an offence under this section shall be liable—
- (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
- (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
- (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.
The maximum jail sentence for hacking into computer systems doubles from five years to ten years.
Unauthorised acts with intent to impair operation of computer, etc
This used to be clause 34, then clause 37, and is now clause 40.
The clause replaces section 3 of the Computer Misuse Act 1990. The current section 3 makes unauthorised modification of computer material an offence, for which the penalty for conviction is imprisonment for a maximum of five years or a fine or both.
- 3 Unauthorised acts with intent to impair operation of computer, etc.
- (1) A person is guilty of an offence if—
- (a) he does any unauthorised act in relation to a computer; and
- (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
- (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to do the act in question and by so doing—
- (a) to impair the operation of any computer,
- (b) to prevent or hinder access to any program or data held in any computer, or
- (c) to impair the operation of any such program or the reliability of any such data,
- whether permanently or temporarily.
- (3) The intent need not be directed at—
- (a) any particular computer;
- (b) any particular program or data; or
- (c) a program or data of any particular kind.
- (4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that the act in question is unauthorised.
- (5) In this section—
- (a) a reference to doing an act includes a reference to causing an act to be done;
- (b) “act” includes a series of acts.
- (6) A person guilty of an offence under this section shall be liable—
- (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
- (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
- (c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.”
The intent of this clause is to make Denial-of-Service (DoS) attacks illegal. This was needed as the old law did not make clear whether DoS attacks were an offence. The new clause clarifies this grey area and makes it clear that they are an offence. When a court cleared a teenager last November on charges of sending five million emails to his former employer, because the judge decided that no offence had been committed under the Act, the need for this amendment became obvious. Interestingly, on 11 May 2006 the Court of Appeal ruled that the judge was wrong to throw out the case of a teenager accused of crashing a mail server with millions of emails. Read the case report: Director of Public Prosecutions v Lennon [2006] EWHC 1201 (Admin) (11 May 2006).
On 23 August 2006 he pleaded guilty to breaking the Computer Misuse Act and was sentenced at Wimbledon Youth Court to a two-month curfew. He must also wear an electronic tag.
A remaining worry is that the amendment is loosely worded, raising the question of whether linking to a site from a very popular site such as Slashdot, thereby generating a huge spike in traffic, could come under the terms of this law. This is not far-fetched, as on more than one occasion people have written legal letters after having their web site pointed to by Slashdot.
UPDATE: Lord Northesk has succeeded in introducing the issue of recklessness into this clause during the Lords Committee stage, solving the issues with this clause.
Making, supplying or obtaining articles for use in computer misuse offences
This used to be clause 35, then clause 38, and is now clause 41.
This clause inserts a new section 3A into the Computer Misuse Act 1990.
- Making, supplying or obtaining articles for use in offence under section 1 or 3
- (1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
- (a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or
- (b) believing that it is likely to be so used.
- (2) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
- (3) In this section “article” includes any program or data held in electronic form.
- (4) A person guilty of an offence under this section shall be liable—
- (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
- (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;
- (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.”
This clause intends to ban the development, ownership and distribution of so-called "hacker tools", which is troubling as it does not make allowances for security personnel who must have ways of testing the security of systems. The clause does not handle "dual use" software that can be used for legal purposes but can also be used to do harm. Spy Blog points out that a web browser can be used to break into a poorly configured system. Does that mean making and supplying web browsers should be illegal? Likewise, password crackers (or password recovery tools) are not properly covered in the proposed legislation.
As an analogy, consider that while a knife or a hammer may be used as an offensive weapon, and as such may well be prohibited from being carried in public, they are generally legal in a chef's kitchen or a carpenter's workshop. It is also perfectly legal to make or adapt such physical tools in a factory or workshop.
This clause would prohibit the manufacture, copying or sale of dual-use software tools and utilities, even in a legitimate software company such as Microsoft.
Lord Northesk is the current hope for this clause being fixed. As it stands, paragraph (1)(b) would make it an offence to release a computer tool that is "likely to be used" in a computer offence. He proposes removing this paragraph. Without this amendment, experts are concerned the clause will criminalise IT and security professionals who make network monitoring tools publicly available or who disclose details of unpatched vulnerabilities.
In the parliament committee stage after the second reading Lynne Featherstone MP took this clause under her wing, which prevented it from being made even worse.
The current Home Office line appears to be a balance-of-probabilities argument: a court would decide whether it is more likely than not that each individual instance of the article will be used to commit an offence, i.e. the offence is only committed if the article will be used criminally more than legally.
Transitional and saving provision
This used to be clause 36, then clause 39, and is now clause 42.
This clause makes transitional amendments for provisions of the Bill that amend the Computer Misuse Act 1990 so as to provide that the amendments do not apply in relation to offences committed before the coming into force of the amendments or acts done before that time.
The only problem with this clause is that attacks, probes, etc. that started before the commencement of this bill but are still ongoing are not covered by this bill.
Implementation
The Police and Justice Act 2006 (Commencement No.1, Transitional and Saving Provisions) (Amendment) Order 2007
Statutory Instrument 2007 No. 29: This Order, which came into force on 15th January 2007, amends the Police and Justice Act 2006 (Commencement No.1, Transitional and Saving Provisions) Order 2006 to provide for the commencement on 15th January 2007 of the additional consequential amendments set out in paragraphs 9, 10 and 62 of Schedule 14 to the Police and Justice Act 2006.
The following provisions of the Act came into force on Royal Assent (i.e. on 8 November 2006):
- Section 43(2) to (6) (which sets out the circumstances in which a commencement order bringing into force section 43(1) (designation of United States of America) is to be made).
- Paragraph 6 of Schedule 13, (which sets out the circumstances in which a commencement order bringing into force paragraphs 4 and 5 of Schedule 13 (extradition barred by reason of forum) is to be made).
- Paragraphs 7(3)(a), 14 and 15 of Schedule 2 (and paragraphs 47, 49 and 59 of Schedule 14) (which amend the Police Act 1996 so as to abolish the National Policing Plan and provide for the Secretary of State to issue strategic policing priorities, and make consequential amendments).
- Paragraphs 24 to 26 of Schedule 2 (and paragraphs 34 and 39 of Schedule 14), (which enable police authorities to appoint additional deputy chief constables with the approval of the Secretary of State, and make consequential amendments).
- Repeals in Schedule 15 that are consequential on any paragraph in Schedule 2 or Schedule 14 brought into force on Royal Assent, and section 52 in so far as it relates to those paragraphs or repeals.
- Part 6 (with the exception of section 52 and Schedules 14 and 15, except as specified above).
The remaining provisions of the Act will be brought into force by means of commencement orders made by the Secretary of State or, in appropriate cases, by the Scottish Ministers or the National Assembly for Wales.
More Quotes
Graham Smith, a partner at law firm Bird and Bird in London and author of "Internet Law and Regulation," said
- "We already have what is probably the most broadly drafted and all-encompassing anti-hacking legislation in the entire world," "I've always been of the view that what is required is a willingness on the part of the prosecution to bring cases."
Unauthorised acts with intent to impair operation of computer, etc
Read literally, and taking into account the express prohibitions on amending/reverse engineering of software that appear in virtually every commercial software licence, this clause could potentially become the equivalent of provisions contained in the US Digital Millennium Copyright Act. This makes it illegal, in the United States, to bypass or disable copy protection systems on computer software, DVDs, CDs, etc. This interpretation would, of course, depend on an organisation such as the Federation Against Copyright Theft bringing a successful test case in the High Court, resulting in a precedent permitting this clause to be interpreted in just such a way.
Section 37 of the Bill expands on the 1990 Act's existing provisions to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge." Previously, Section 3 of the 1990 Act only prohibited unauthorised modification of computer programs or data. Section 1 of the Act dealt with unauthorised access (i.e. hacking).
Ideally the government should amend clause 34 in line with the provisions covering denial of service attacks set out in the Computer Misuse (Amendment) Bill that was introduced by the All Party Internet Group.
Making, supplying or obtaining articles for use in computer misuse offences
"As far as I can see, this looks a complete dog's breakfast of a clause as it fails to consider that many so-called 'hacker tools' have perfectly legitimate uses," writes Dave Lambert, who runs the Talk Politics blog.
Liberty Central: With Blears' amendment we've actually gone from a position where a sizeable proportion of a good system administrator's 'toolkit' could be illegal under this new law to one where it almost certainly will be illegal. ... Substandard doesn't come close to describing the Committee's handling of this matter.
EURIM: ... the same tools may be used for both criminal and legitimate purposes. The need is to find wording akin to that in Section 25, sub-section 1 of the 1968 Theft Act regarding “going equipped”, which some say already covers such tools, unless used from the miscreant's “place of abode”. The objective is, however, not to prosecute amateur script-kiddies but to disrupt the growing “trade” in producing and distributing tools that have limited legitimate use and are more commonly intended to support computer-assisted extortion and fraud.
Spy Blog has a good summary of the current state of this clause.
The relevant Standing Committee D 7th session proceedings from 28th March 2006 are now online.
Lord Northesk, a Conservative peer, said that an amendment to the Police and Justice Bill 2006 will potentially create a situation where the police would have to prosecute themselves.
- "Bodies like the Serious and Organised Crime Unit (SOCA) need to do forensic hacking as part of their investigations. If they are creating hacking tools they know full well they'll be used for hacking." "I will definitely be seeking to change it." "The Home Office is in enough trouble already, so the thought of them enacting a law to stop the police doing their job is extraordinary."
Northesk said he had support in the House of Lords to change or even abolish the controversial provision.
Notes
What is really needed is the replacement of the Computer Misuse Act in its entirety. To do that the All Party Internet Group would have to find the time and the money to do a full consultation, a full regulatory impact assessment and get government backing.
It's a truism among security practitioners that there is no security in obscurity: in other words, a system is made less secure if you keep its workings and failings secret. It is only by the disclosure of failings that systems can be improved, and this disclosure also lets users of security systems make good decisions about whether a given system is adequate. If your bike lock can be picked with a ball-point pen, don't you want to know that?
Links
People
Tom Harris MP (Labour), MP for Glasgow South, is the man most responsible for this part of the bill, in that he managed to get Government support for it, which is why the clauses were included in the Police and Justice Bill.
Lynne Featherstone MP (LibDem), the lead MP for the LibDems on this bill.
Nick Herbert, the lead Tory on this bill.
The Earl of Northesk put forward a Private Member's Bill to amend the Act in 2002, banning DoS attacks; but like most Private Members' Bills, it failed. He has publicly said he will fight against clause 38, calling the clause "pure idiocy" and "absolute madness".
Richard Clayton was the specialist adviser to the All Party Internet Group (APIG) when they held an inquiry into a possible revision of the Computer Misuse Act. You can jump straight to the final report. It is a pity the APIG were not allowed to draft the amendments that went into the Police and Justice Bill 2006.
Documents
- Liberty Central influences the "computer hacking tools" amendment in the Police and Justice Bill. Kudos to Unity at Talk Politics and the Liberty Central website for bringing some small measure of sense to the attention of the Liberal Democrat Home Affairs spokesperson, Lynne Featherstone, who tabled an amendment during the Commons Committee stage consideration of the controversial Clause 35 of the Police and Justice Bill, which seeks to amend the obsolete, pre-internet Computer Misuse Act 1990.
- Police and Justice Bill 2005 - Standing Committee D - virtually no "debate" planned for the amendments to the Computer Misuse Act 1990 - update - new Government amendment to "hacker tools" clause
- Cumulative effect of the Computer Misuse Act amendments in the Police and Justice Bill 2006, the Identity Cards Bill 2005 and the Terrorism Bill 2005
- Clause 35 and computer hacking Lynne Featherstone MP
- Clause 35 is a dog's breakfast
- Denial of Service: I Told You So, part 22
- Liberty Central - Briefing Notes – Police and Justice Bill, sections 33-36
- Liberty Central - 'Hacking tools' law goes from bad to worse
- Liberty Central - Code is not a crime
- techdirt - UK Looks To Make Denial Of Service Attacks Illegal -- But Does It Go Too Far?
- EURIM (PDF) - The only controversy is over Clause 35 because the same tools may be used for both criminal and legitimate purposes. The need is to find wording akin to that in Section 25, sub-section 1 of the 1968 Theft Act regarding “going equipped”, which some say already covers such tools, unless used from the miscreant's “place of abode”. The objective is, however, not to prosecute amateur script-kiddies but to disrupt the growing “trade” in producing and distributing tools that have limited legitimate use and are more commonly intended to support computer-assisted extortion and fraud.
- Complexities in Criminalising Denial of Service Attacks (PDF) - This document was written in the Autumn of 2005 at the request of the Legal Subgroup of the Internet Crime Forum in order to better inform the discussion about the issues that arose when considering how to criminalise denial of service attacks on the Internet. Representatives of the Home Office participate in the Legal Subgroup and they were able to consider its contents whilst preparing the amendments to the Computer Misuse Act 1990 that were put forward in the Police and Justice Bill in January 2006.
Press
- 2009-01-04 - The Times - Police set to step up hacking of home PCs
- Author: David Leppard
- Summary: The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people's personal computers without a warrant. The move, which follows a decision by the European Union's council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives "a coach and horses" through privacy laws. ... Richard Clayton said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state. ... Police might also send an e-mail to a suspect's computer. The message would include an attachment that contained a virus or "malware". If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect's home and hack into his or her hard drive using the wireless network.
- 2008-01-02 - The Register - UK gov sets rules for hacker tool ban
- Summary: The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called "hacking tools". The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won't be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.
- 2007-12-31 - Light Blue Touchpaper - Hacking tool guidance finally appears
- Summary: Good analysis of the publication of the Crown Prosecution Service guidance on what should be considered before bringing prosecutions under s3A of the Computer Misuse Act, when amendments to it come into force — probably April 2008.
- 2007-08-10 - OUT-LAW - Lords call for ethical hacker protection and security-breach notification law
- Summary: The Government must stop changes to an anti-hacking law criminalising the work of security researchers, a House of Lords Committee has said. If it does not, internet security could become an even bigger danger because 'ethical hacking' will be illegal. The Lords Science and Technology Committee has produced a report on internet security which says that recent changes in the law make keeping the internet safe harder than ever. "Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act," said the report. The Committee said that Home Office minister Vernon Coaker MP had promised to clarify the law to exempt researchers in the coming weeks. "We welcome the Minister's assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim," it said.
- 2006-11-22 - The Register - Computer Misuse Act could ban security tools
- Summary: Publishing software flaws now an offence? The new Police and Justice Act, published today, could criminalise legitimate IT security activity. There are fears among security experts that changes it makes to the Computer Misuse Act will make it illegal to distribute some vital tools. ... "This applies particularly to dual use tools like nmap, which security professionals use to check if a network is insecure or not and which the bad guys use to scan for insecurities to then attack it," said Richard Clayton, a member of digital rights group the Open Rights Group and a security researcher at Cambridge University. "Distributors of this have to decide if the people getting it from them are the good guys or the bad guys."
- Note: Also published in Out-law.com Computer Misuse Act could ban security tools
- 2006-11-21 - Out-Law.com - Computer Misuse Act could ban security tools
- Summary: The new Police and Justice Act, published today, could criminalise legitimate IT security activity. There are fears amongst security experts that changes it makes to the Computer Misuse Act will make it illegal to distribute some vital tools.
- 2006-11-12 - The Register - UK bans denial of service attacks
- Summary: A law was passed last week that makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison.
- 2006-06-26 - silicon.com - Lord: 'We need better cyber crime laws'
- Author: Tom Espiner
- Summary: Experts are concerned the government's proposals would have criminalised IT and security professionals who make network monitoring tools publicly available or who disclose details of unpatched vulnerabilities. Northesk's amendments would see this paragraph deleted, if passed. He believes it could even criminalise the police, if they create and distribute tools for forensic investigation.
- Note: Also covered in ZDNET Lord battles government over cybercrime laws
- 2006-06-07 - Network World - Analysts eye revamp of U.K. cybercrime law
- Author: Jeremy Kirk
- Summary: The U.K. government is proposing changes to an existing law that it says will bolster the ability to prosecute hackers and put them in prison longer -- but analysts question whether the moves will constrict an explosive growth in costly cybercrime.
- 2006-05-25 - ZDNet - Lord vows to fight cybercrime laws
- Author: Tom Espiner
- Summary: The Home Office has admitted it is 'considering the precise legal balance' of its updates to the Computer Misuse Act, after experts warned that it could criminalise IT pros. A proposed UK law has been heavily criticised by Lords and senior security experts, who say it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking.
- 2006-05-22 - silicon.com - IT pros criminalised by CMA update?
- Author: Graeme Wearden and Tom Espiner
- Summary: IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.
- 2006-05-22 - ZDNet - It's time for the Government Misuse Act
- Summary: The ill-thought-out addition to the Computer Misuse Act could make criminals of large swathes of the IT industry. But it is the lawmakers who should really be on trial.
- 2006-05-19 - ZDNet - UK law will criminalise IT pros, say experts
- Author: Graeme Wearden and Tom Espiner
- Summary: Security experts fear that the UK government is on track to outlaw the supply of network security tools, and even scripting languages such as Perl.
- 2006-03-13 - BBC - How to legislate against hackers
- Author: Bill Thompson
- Summary: Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. Understanding the difference between a security tool, used to probe networks looking for holes that can be patched, and a hacker toolkit, used to probe networks looking for holes that can be exploited, is as much one of intention as implementation. We should be wary of laws which require judges to look into the mind of the accused, and not only because every philosopher of mind tells us that such access is impossible.
- 2006-03-13 - IT Week - Law changes promise more jail time for hackers
- Author: David Neal
- Summary: Under the Police And Justice Bill, the maximum sentence for unauthorised access to IT systems or data would be increased to 10 years, up from the current five years. Home secretary Charles Clarke detailed the plans in the Commons last week. The changes would also make denial-of-service attacks illegal, closing a current loophole in UK law.
- 2006-03-08 - OUT-LAW - Broad support for cybercrime update
- Summary: Covers all the clauses.
- Notes: Recommend reading very well written by legal firm. Also provides a list of links that may be worth following.
- 2006-03-07 - BBC - Tougher hacking laws get support
- Summary: Both the Tories and Lib Dems have backed government measures to increase penalties for UK computer hackers.
- 2006-03-07 - All Headline News - Popular U.K. Bill Would Give A Hacker 10 Years In Prison
- Author: Matthew Borghese
- Summary: The new laws will make hacking a U.K. computer punishable by 10 years in prison.
- 2006-02-21 - Computer Weekly - Computer Misuse Act amendment could criminalise tools used by IT professionals
- Author: Bill Goodwin
- Summary: Paul Simmonds, chief security officer at ICI, said he would be concerned that the new legislation could lead to "over-zealous or misinformed" prosecutions of legitimate security specialists. "This appears to be a poorly thought-out clause," he said. "There are plenty of legitimate uses for software that may help a hacker." The NCC Group, which provides penetration testing services to businesses, said the proposals looked badly drafted.
- 2006-01-26 - The Register - Home Office pushes tough anti-hacker law
- Author: John Leyden
- Summary: 'Hacker tool' ban proposal provokes derision. The bill would double the maximum jail sentence for hacking into computer systems from five years to ten years, a provision that will classify hacking as a more serious offence and make it easier to extradite computer crime suspects from overseas. Denial of service attacks, something of a grey area under current regulations, would be clearly classified as a criminal offence under amendments to the 1990 Computer Misuse Act (CMA) proposed in the bill.