UK Law May Criminalize IT Pros

An anonymous reader writes "More worrying news from the UK. This time, a bill meant to fight cybercrime may make it illegal to use or make available network security tools available, just because they could be used by hackers." From the article: "Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law. 'Perl is almost universally used on a daily basis to permit the Internet to function,' said Clayton. 'I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offense under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable.'" A note that this is equally confusing but separate from yesterday's story about the UK government wanting private encryption keys.

Do I see a pattern?

From the country that criminalized privacy [slashdot.org]:

Let's convict Perl users.

I also heard that something called TPC or TCP is widely used by hax0rs to pwn remote servers. Wait till the UK Government can get their hands on it...

No shit.

And I thought it was getting bad here in the U.S.

I guess a written constitution does have some utility.

Re:Do I see a pattern?

So basically IT security experts can't test their own networks? I'm sure that will go a long way towards making the Internet more secure! Yeah I see a pattern, it's called ineffective and ignorant legislation... it seems to be quite popular these days.

Re:Do I see a pattern?

> From the country that criminalized privacy:
>
>Let's convict Perl users.

First they came for the COBOL programmers, and I was silent,
Because ADD KEYSTROKES TO SYNTAX GIVING OBFUSCATION was always lame.
They they came for the BASIC programmers, and I was silent,
Because I considered GOTO harmful,
Then they came for the C++ programmers, and I was silent,
Because I could still write FORTRAN in any language,
Then they came for the Perl programmers, and now the only way I can win an obfuscated programming contest is to write it in APL.

(First they ignore you, then they fight you, then they mock you, then they come for the Brainf*ck programmers and their heads explode.)

it's the nature of these tools

Just as these tools are useful diagnostic tools they are also handy tools for commiting crimes as described under this proposed law. That's the nature of networks and tools to manage them. To deem these tools and availability of such a crime because they could be used to commit a crime is insane.

This is akin to the recent proposal that all encryption key owners make their keys available to law enforcement. The expected eventual end result will be cautious users relinquishing valuable resources with criminals holding the trump card. This too is insane.

So, when an administrator gets the call to investigate what appears to be suspicious behavior, where do they go to troubleshoot the problem? Heck, peel away all the layers of this onion and it wouldn't be surprising to find hackers are behind this... get the government to suspend priveleges using FUD, and run rampant over the network infrastructure.

There is a hint of sanity from the article:

People who distribute networking vulnerability scanning tools such as nmap or Nessus could also be caught up in part (b), Clayton warned.

"The effect will be that people will stop offering these tools on their sites. Why should the only place to fetch Perl and nmap be from hacker sites in Eastern Europe, where the risk is that they carry Trojans? This makes the Internet less safe," argued Clayton.

I only hope the government will listen to that reasoning.

Re:it's the nature of these tools

I only hope the government will listen to that reasoning.

You obviously have not had any experience of the UK government. "Listening" and "reason" are not concepts governments in general are familiar with, and especially not the present UK government.

Re:it's the nature of these tools

Oh, they are quite familiar with listening.

Re:it's the nature of these tools

It's like outlawing chainsaws because they can hurt people, or forks and knives, etcetera. Some countries/areas already outlaw certain knives while allowing other, potentially just as deadly knives (chef's knives) to be carried around.

That's not to say, c

Re:it's the nature of these tools

Some countries/areas already outlaw certain knives while allowing other, potentially just as deadly knives (chef's knives) to be carried around.

This is easy to break down. It's all about one thing - the next election. Perception is huge, and instead of governing for the common good, people govern for the incumbant good.

Take knives for example. Giant chef knives have the perception of being used to cook yummy food. Crazy blade shape dragon jewel encrusted lock blade half-the-size-of-chef-knives type knives carry the perception of being used only to harm others.

So lawmaker X decides to latch on to that perception and propose a bill that outlaws the greater of the two perceived evils and then brag about how he is a champion of the people come next election cycle.

This is one thing term limits are meant to stay off... to whatever effectiveness. Point is, outlawing "hacking" tools like this is simply a grab for the spotlight. Who cares if the details are ironed out. See, the likelyhood is it won't make it out of committe, but come election time, Mr. X can say "I proposed a bill that would have made it safer to surf the internet, but my opponent Mr. Y (a former network admin, but we won't mention that) STOOD AGAINST this potentially LIFE SAVING measure!!"

Politics, pure and simple.

Re:it's the nature of these tools

I think the issue is that Perl code can be classified as a form of encryption.

Re:it's the nature of these tools

If you replace the software with guns, you will begin to understand the position of those who want the right to bear arms (modifications have been made).

This is akin to the recent proposal that all gun owners give their guns to law enforcement. The expected eventual end result will be cautious users relinquishing valuable resources with criminals holding the trump card. This too is insane.

Can guns kill people? Sure they can, but so can many other things that the typical person owns (knives, drills, cars). Guns are also tools, and used well they can be of great help. Many families in my area (Montana) rely upon guns for hunting to support their families (cheap meat). Unfortunately, hunting rifles fall into the category of a "sniper rifle" which comes under attack as an unnecessary weapon. And do not underestimate the value of having a weapon for self defense.

Re:it's the nature of these tools

Hmmm, I have to respectfully disagree. Guns are made to be able to kill, whether in self-defense or not. This proposed law is more like outlawing surgeon's knives because Jack the Ripper (supposedly) used one, never mind that surgeons use them to save lives; network tools are used to hack networks but are also used to secure them. That's the most apt comparison I can think of.

Re:it's the nature of these tools

There is a presupposition in your statement that all killing is (equally) bad. Much of the world doesn't agree with this opinion. There are also far more categories than "self-defense" and "other". Again, there seems to be an implication with you associating "gathering food" and "murder" which I think much of the world would take issue with, as well.

Re:it's the nature of these tools

This story is ridiculous! It is implying something totally different from what the law actually states in order to attract horrified readers. I bet the website is getting massive amounts of hits at the moment, but lets look at what the bill actually says:

"A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article --
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used."

This is a common-sense sense law which recognises software for what it is: a tool. It looks almost identical to the law which applies to other tools capable of being used to commit offences, i.e. knifes, hammers, axes, pieces of wood etc.. You don't see the police arresting people who use these, unless they use them to commit (or attempt to commit) a crime, so why would they suddenly arrest anyone who writes a pearl script?

I think it is good to see a government finally recognising software like the useful tool it is, but one which (like most tools) can be intentially misused to cause harm.

Re:it's the nature of these tools

The problem is part b. As TFS said, Larry has to know that evil h4xx0rZ are likely to use Perl as part of their attacks. Therefore, he's guilty under part b of the proposed law.

Re:it's the nature of these tools

Except that the law in this case does not make any distinction between the primary use for a given piece of software, and the possible uses of the software. If the author believes that the software will be used to do something illegal at some point in the future -- which is pretty much a given for any general-purpose piece of software (compilers, operating systems, scripting languages, libraries) -- then creating that software would earn the author a criminal sentence. Perhaps they wouldn't choose to apply it that way, but there is no way to be sure. They certainly could choose to do so, under the current wording of the law, and that is what worries people (myself included). I would rather not see programming become a heavily regulated and licensed profession.

Disclaimer: IANAL

Re:it's the nature of these tools

I guess if you're making stuff that you believe is -likely- to be used to break the law, you have a certain level of responsibility to try and make sure it doesn't. For example, I've refused on an occasion to write software for someone because of how it wa

Using Perl Should Be A Crime

... Or at least forcing someone to debug it should

Re:Using Perl Should Be A Crime

Come on now, that joke is getting really stale.

Seriously, who can't tell at a glance what this does just isn't paying attention:

#!/usr/bin/perl
                        +
                       @A=
                      (25,0
                     );@B=(0
                    ,24   +0)
                   ;@C=( 49,24
                  );@X=($")x(40
                 +9)         ;@_
                =(@X,       $/)x(
               25);$_[     $A[1*1]
              *50   +$A   [0]   ]=q
             /./;+ $_[$B [1*1] *1*50
            +$B[0]]=qq/./;$_[$C[1]*50
           +$C                     [0]
          ]="."                   ;@X=(
         $C[0*0]                 ,$C [1]
        );1   *1*               1*1   *1;
       while (394>             (join $",@_
      )=~y/.//){do{           $R=3*rand;@X=
     (((         int         (($         {(A
    ,B,C)       [$R]}       [0*0]       +$X[0
   ])/2+.5     )),int(     (${(A,B     ,C)[$R]
  }[1   *1]   +$X   [1]   )/2   +.5   +0)   ))}
while $_[$Z =$X[1 ]*50+ $X[0] +0]=~ /\./; $_[$Z
]=".";+system$^O=~/[wW]in/?"cls":"clear";pr int@_}

Perl bug report

There is a bug in your program, in the last line "print" has been printed as "pr int".

See, Perl isn't hard to debug at all!

Well then...

Let's ban the English language because you can discuss crimes with it.

Re:Well then...

Then the criminals will use other languages

Hey Senor Bob, Let's robbo el banko!

Want to reduce crime?

If there were no laws there would be no such thing as crime. To reduce crime, we should remove laws, not add more.

This is great news for India!

This sort of news is great for nations like India, Singapore and Malaysia. The more the Western world places completely unnecessary and unjustifiable limits on its use of such technology, the better off the non-Western nations are.

A strong economy, and the higher quality of life it may bring, depends heavily on innovation and progress. That is clearly being hindered by those who support such legislation. Companies won't be able to take advantage of the productivity gains one gets from using the technology that may be restricted.

In the end, it comes down to a matter of freedom. Those nations who are now free to innovate will do so, and will eventually prosper. Those who seek restrictive legislation over free innovation will see their wealth and standard of living decline rapidly.

Re:This is great news for India!

I see this as a situation where the governments in places like India let the people have a little freedom for a while to get the economy going, and then fall back into government control

This may be what is currently happening in the US as well. The gov't g

Doesn't make sense...

To compare this to another industry:

Person 1: Hi, I make hammers, would you like to buy one? You can use them to "hammer" nails into things, really quite nice for building houses and such.

Person 2: Wow, this is nice. I'll take one!

Law: Woah woah woah! Hold on right here... This "hammer" you got here... yeah well that can be used to bash someone in the head, so... it's now illegal, you'll have to come with me now. That's right, hands behind your back.

I've never understood the idea that because a tool can be used to commit a crime, that it inherantly makes the tool evil.

Re:Doesn't make sense...

I've never understood the idea that because a tool can be used to commit a crime, that it inherantly makes the tool evil.

Welcome, fellow NRA member.

Re:Doesn't make sense...

Welcome, fellow NRA member.

The express purpose of guns, with the exception of hunting rifles, is to shoot people. (Hint: you don't use handguns or automatic weapons to hunt deer.) Many people buy these guns for their ability to shoot people, even if they *

Re:Doesn't make sense...

"The express purpose of guns, with the exception of hunting rifles, is to shoot people."

There are three incorrect assumptions here:

1) Historically, all guns were developed as a result of warfare. Most of the long range hunting rifles owe some of their deve

Re:Doesn't make sense...

"I am shocked that people think it is ok to break in a house."

Great. I am very impressed with your shock. I am amazed by your shock. Oh wait a minute you are shocked at a straw man never mind. Did anybody say it was OK? Besides you I mean.

"If someone break

Re:Doesn't make sense...

I've never understood the idea that because a tool can be used to commit a crime, that it inherantly makes the tool evil.

Maybe not evil, but overly dangerous. I bet most NRA members would agree that owning a tank, bunker-buster or bazooka should be illega

Illegal Tools

I suppose crowbars and hammers should be outlawed, too, since they can be used for burglary.

Shitty Government.

This is more sensationalist shit like the story about the RIPA. The law isn't very effective because the police can't force you to hand over keys that are used only to ensure the integrity of messages. This basically means that stuff like SSL, SSH and Zimmerman's Zphone are safe against seizure.

I submitted a story on this but obviously the Slashdot editors care more about exciting headlines than the sober truth. I wrote an essay in 2003 and you can read it here [ckwop.me.uk].

I've not read the act but I can already guess how useless it will be. The short and long of it is that it is very tough indeed to prove beyond reasonable doubt that someone that you put the software there. Believe me I know, I was a witness in a Child Porn case. The defence won because when we found the content we didn't follow CPS guidelines in the data recovery method.

Even worse, a hackers machine can look very much like a hacked machine. Hackers, after all, use one machine to get to the next. How are you going to prove they aren't the innocent bystander - BEYOND REASONABLE DOUBT.

Yet more time wasted by an incompetent government that can't even deport convicted foreign criminals.

Simon.

Make computers illegal!

Computer hackers tend to use computers to commit computer hacker crimes. The link between hackers and computer systems is enhertiently intrinsic, therefore banning the use and ownership of computer systems would greatly reduce computer crime!

Re:Make computers illegal!

http://www.google.com/search?hl=en&lr=&client=saf a ri&rls=en&q=define%3A+inherently&btnG=Search [google.com] Ok, I cant spell. Gas me.

It's easier to fight the tool than the person

Leftist leaders even more than right wing leaders tend to have a hard time accepting the fact that you can do bad things with different tools. They also have a hard time blaming the person for their use of it. Conservatives do it with drugs by blaming the drugs for the armed robbery to feed the habit. Leftists do it with weapons. It's easy to blame a drug, a gun or a scripting language for a crime. It allows you to not be "judgemental" toward a person who is just an asshole. Neither side likes to admit that these things are totally the person's fault, derived from some inner flaw in the person's character that causes them to get high and rob, shoot to murder someone or hack to steal a person's money.

Re:It's easier to fight the tool than the person

You're right, it's the current "politically correct" culture we live in. You don't want to be judgmental, you don't want to "discriminate", don't want to hurt anyone's feelings you know.

Sorry, but I'll call a spade a spade. If you're a jerk, then you ar

Bans Nmap Too

TFA also states that "People who distribute networking vulnerability scanning tools such as Nmap or Nessus could also be caught up in part (b), Clayton warned.". A quick reading of section 41 [parliament.uk] seems to bear that out. As author and maintainer of the Nmap Security Scanner [insecure.org], I am more than a little concerned.

I'm certainly not going to let anything as silly as some U.K. law stop me from distributing Nmap, but I also don't want to become like Dmitry Skylarov [wikipedia.org] the next time I give a presentation in England. And even if (as I would expect) the rest of the world ignores this, it could have a chilling effect on important security tools and research from U.K. citizens. Think of all the good research and tools that David Litchfield from London (NGS Software [ngssoftware.com]) has brought us. And my London friend Hoobie brought us the free Brutus password cracker [hoobie.net], which appears to be prohibited by this bill.

The good news is that this is just a proposal. So I would join the chorus in urging our British friends to make their voice heard against this silly bill.

-Fyodor
Insecure.Org [insecure.org]

Re:Bans Nmap Too

TFA also states that "People who distribute networking vulnerability scanning tools such as Nmap or Nessus could also be caught up in part (b), Clayton warned.". A quick reading of section 41 seems to bear that out. As author and maintainer of the Nmap Sec

Re:Bans Nmap Too

It's not just a proposal. It's more than halfway into law:

It was passed by the House of Commons earlier this month, and will be considered by the House Of Lords over the next couple of months

Once again we must rely on the Lords to stop the knee-jerk stupidity of the Commons foisting more draconian laws upon us. Let's hope they continue to do their job.

criminalizing possession

Criminalizing the mere possession of something just because it could potentially be used in a crime is pretty stupid. Until you do something that actually harms someone, where's the crime? "Innocent until proven guilty" remember? Just because someone has means, and could find opportunity, doesn't mean he has motive to commit a crime. Don't you need all three? Mens rea, anyone? All these sorts of laws do is make criminals out of normal, honest, otherwise-law-abiding people.

Until you stab someone, your knife is just a useful cutting tool. Until you shoot someone, your gun is just a useful self-defense and hunting tool. Until you crack something, your network analysis software is just another tool. There is nothing inherently bad/evil about them. Merely possessing them does not twist a normal person into a psychopathic criminal.

Anyone else think we'd have better lawmakers if we plucked some names at random from the phone book?

"Innocent until proven guilty"

Sorry innocent until proven guilty is obsolete.

They found it was inconvenient to prove someone did something before punishing them.
Much easier to simply accuse and punish, how else can they prosecute thought crime.

Seizure and liquidation of the property of

What is going on in the UK?!

I'm a United States citizen. While I am horrified about what's been going on currently in the US, it doesn't really suprise me, given our history as the self-appointed Savior of Europe after WWII, defender against communism, the Vietnam war, etc.

With our two-party political system, both parties have to pander to their base, which, to simplify a lot, is socialists for the Democrats and facists for the Republicans. Now that the republicans are in ascendancy, I'm not surprised that corporate power is going unchecked, and those who don't believe in government are unable to govern competently. After 9/11 burst our bubble that oceans would protect us from what's going on in the rest of the world, and the fact that we're waging a 'war on terror' that will never end, I'm not surprised that people would become fanatical and fall in line behind a militaristic administration.

However, what the hell is going on in Great Britain that gives political cover for this radical infringement into the rights and privacy of the people? Didn't the U.K. defeat Facism that threatened to overrun the country? Hasn't the UK been fighting terrorism from Ireland relatively sanely for decades? Doesn't the parliamentary system give *some* power to other policital groups which are somewhat left-leaning?

Re:What is going on in the UK?!

This may sound a little partisan and controversial, but the problem is basically Tony Blair.

Since coming to power, he's increasingly become a control freak.

He's emasculated the house of lords, under cover of "reform", while seemingly trying to block the option (favoured by many MPs) of a largely-elected house of lords (because a largely-elected second chamber would be a legitimate "check and balance" on his authority, as compared to a set of nominated place-men). (See for example here [guardian.co.uk]).

He's also marginalised parliament - his government carries out the minimum of "debate" there now, merely using it as the place to anounce previously-decided policies. There was a big fuss recently, little reported, about the government trying to pass a law allowing them to change legislation at will, without any debate at all, under cover of "reducing red tape" (see here [timesonline.co.uk].

Even within the cabinet, he seems to fire anyone who seems remotely a threat or who disagrees with him in any way (with the exception of Gordon Brown, the chancellor (and probably the next Labour leader), who is powerful enough to be left alone).

Since he's been prime minister, there have been dozens of crime bills, making hundreds of new criminal offences (e.g. see here [telegraph.co.uk].

He's increasingly making noises about the criminal justice system being "out of touch" (i.e. not automatically just doing what he says), in a seeming bid to further curtail their powers. For what he's already achieved, see, for example, here [telegraph.co.uk].

He himself is becoming increasingly irrational and out-of-touch to the extent where his party are starting to think of him as a liability, let alone what the country now thinks of him. The more out of touch he gets, the determined to get his own way he becomes. He's done a lot or damage to this country's constitutional processes, a lot of damage to its reputation (via Iraq), and the sooner he goes, the better.

from the UK

I grew up in the 70s in London when the IRA were fairly routinely blowing stuff up. At no stage did anyone suggest compulsory ID to deal with this. Mainly the bins were taken off the trains and eventually a 'ring-of-steel' (meaning police checkpoints at increased presence) around the City Of London (our Wall St). Then somehow by the end of nineties we had become the most surveilled people on Earth.

Post 911 the talk of terrorism never went away. And then 7/7 came along and the paranoia and suspicion just went sky-high. Now we too lived in a country where any change of law could be carried off with the mere mention of the T-word. (Either that or the other one, the P-word, the Glitter-crime). This year Blair has is own little version of the Patriot act coming into force, one where he can issue laws without recourse to Parliament as long as they don't include tax increases or a prison penalty greater than 24 months.

Electronic sniffers are be trialed on a few parts of the underground smelling for explosive traces and there is a scheme in planning for a countrywide network of number plate recognition cameras recording all vehicles on a gigantic DB. Most London Transport users use RFID (oyster) in replacement for the old tickets and all this data is recorded. We will have RFID national ID soon at a cost of around £90 per person, compulsory. I could go on but here's a link or two to go on with.

http://www.no2id.net/ [no2id.net]

http://www.indymedia.org.uk/en/ [indymedia.org.uk]

So, as Orwell (real name: Eric Blair) predicted, we really are heading for a BB state. It's obvious that the UK is the USs puppy dog and we are in the 'endless' war just as long as you are. Really the UK is just another state of the USA. Maybe even quite a powerful and important one at that.

There is a saying in England "Watch America that's what here will be like in 10 years time" - now it seems we've just about caught up or even exceeded what's going on in the US.

Unless I'm mistaken...

...in both Britain and the US, laws phrased the way this is are usually construed such that, in order to commit an offense, the person making, distributing, etc., an article would have to have the intent or belief that that particular instance would or was likely to be used for criminal purposes. It wouldn't outlaw, e.g., making a software tool with the belief (or even near-certain statistical knowledge) that, among all the users, some number of them would use it illegally.

That's not to say its not still overly broad, unnecessary, chilling, etc., even so, but the idea that it amounts, if enforced across the board, to a ban on Perl on the basis that the creator knows that someone, somewhere is likely to end up using them illegally is probably greatly overstated. At least, as I understand things.

Seems to me...

...that a good way to fight this would be for every single government IT worker to follow this law TO THE LETTER! "Sorry boss... can't do that anymore... here's why." When the lawmakers can't get their email and have their security breached because their own people didn't have the tools to do the job, maybe they'll see some sense. And, of course, if they fire you because you wouldn't do something illegal, that's probably a big settlement coming your way...

Re:Bits are TEH EVAL!

We can't get rid of all the bits! Are you mad??

I say we just outlaw those hideously dangerous 1's, and let us keep the safe, agreeable, non-pointy 0's.

Re:Bits are TEH EVAL!

But small children will choke on 0's.

Won't someone PLEASE think of the CHILDREN????!!??

Re:Compilers and Debuggers?

I recomend you read the essay The Right To Read [gnu.org] for a possible future.