Date: Tue, 14 Mar 2006 02:12:15 -0600 (CST)
Subject: [ISN] How to legislate against hackers

http://news.bbc.co.uk/1/hi/technology/4799338.stm

13 March 2006

Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws.

If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act.

It makes many changes to the criminal law, but anyone considering writing a virus, hacking a bank system, launching a phishing or denial of service attack or installing some of the dodgier tools that can be used to 'test' network security should pay particular attention to clauses 33 to 36.

These amend the 1990 Computer Misuse Act in line with recommendations made last year by the All Party Internet Group of MPs, and take on board Tom Harris MP's proposals from his recent private member's bill.

If they go through then the maximum penalty for hacking will become 10 years for the most serious offences. The new act will also make it an offence to supply the software used to break into systems, and make it clear that denial of service attacks, where large numbers of requests are sent to a server, count as hacking.

MPs from all parties have welcomed the changes, even though they do not much like the rest of the bill, and overall they seem an acceptable update of the original act.

The All Party Internet Group has a reputation for being sensible when it comes to negotiating the interface between law and technology. In this case they refused to be bounced into proposing the sort of illiberal measures that often emerge when computer security and critical information infrastructure are being discussed.

Lack of clarity

I have been around long enough to remember the original Computer Misuse Bill back in 1990. It was proposed by a Conservative backbench MP, Michael Colvin, and supported by the government at a time when viruses were spread by floppy disk and hackers used university systems to break into government and military installations.

Mr Colvin knew little about computers or computing, and had proposed the bill as a result of lobbying after he came near the top in the ballot for private member's bills.

Although it concerned computers and hacking, using a computer system without the owner's consent, it famously failed to define what a computer was. I pointed out to him that this would mean I was committing a criminal offence if I reprogrammed a video recorder at a friend's house without asking first, and he was happy to accept this. His argument was that the courts would not allow anything so foolish to proceed.

He was right in his belief that the courts would be cautious about allowing prosecutions. However the lack of clarity in the act was almost certainly the reason why it was used so rarely in the last 15 years, since the chances of a defendant being able to wriggle out of a conviction are too high for it to be worth prosecuting.

On the occasions when it has been applied rigidly it has sometimes produced results as bad as we feared it would.

Law and knowledge

Last October, Londoner Daniel Cuthbert was fined for probing a website set up to raise funds for victims of the Asian tsunami with a range of security tools after he failed to get a confirmation that his donation had been registered.

The proposals in the new bill that deal with the possession of security software could easily be abused to make life difficult for researchers or those, like me, who want to understand what these tools do.

Understanding the difference between a security tool, used to probe networks looking for holes that can be patched, and a hacker toolkit, used to probe networks looking for holes that can be exploited, is as much one of intention as implementation. We should be wary of laws which require judges to look into the mind of the accused, and not only because every philosopher of mind tells us that such access is impossible.

Too few MPs really understand the issues at stake here. None on the front benches, apart perhaps from former computer consultant Stephen Timms, could describe why a port scan might be a legitimate activity or even, I suspect, what a network port is in the first place. And with the departure of Richard Allan from the House of Commons at the last election, Parliament lost its only serious programmer.

This is a matter of growing concern. It is clear that the debate about the implementation of ID cards hinged on an assessment by MPs and peers of the technical arguments put forward on both sides, but few of those arguing were really competent to judge the issue.

Complex issues

This week I will be speaking at a seminar in London, organised by the Westminster eForum. We are talking about copyright and digital rights management and other issues which may well take up some serious parliamentary time in the next few years, especially when Andrew Gowers finishes his review of intellectual property law for the Treasury.

Although it is reassuring that Derek Wyatt, one of the few MPs who does embrace the internet, is chairing, I suspect we will see few of his fellow members there even though this is another issue where technology and law are inextricably linked.

MPs will argue that they are perfectly capable of being briefed on the most complex issues, but this assumes that they can get unbiased and comprehensible briefings. Some of the technical issues underlying ID cards, DRM and computer crime may well not be amenable to this approach.

So what are we to do? Do we let generalist MPs with no real comprehension of what they are doing make law based on the last piece of lobbying they received?

We could call this the e-Lothian question, after the long-standing concern over letting MPs for Scottish constituencies vote on purely English matters even after the Scottish Parliament was set up.

Perhaps we should limit voting on clauses 33 to 36 of the Police and Justice Bill to those MPs who can demonstrate that they have at least two e-mail addresses, know how to use an RSS reader and can download and install their own web browser. Somehow, I do not think they will go for it.

Unless we recognise that MPs need a better understanding of technology we will continue to get bad law, just like we did in 1990.

-----------------------------------------------------------------
Bill Thompson is a regular commentator on the BBC World Service programme Go Digital

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org