UK Crown Prosecution Service publishes Computer Misuse Act guidance
The UK Crown Prosecution Service (CPS) has published its guidance (PDF file) for prosecutors and caseworkers on the amendments to the Computer Misuse Act 1990. These amendments, enshrined in the Police and Justice Act 2006, have proved highly controversial since they were first mooted. Under the amended Act, the legality of tools that have both legitimate and malicious uses becomes open to question. In particular, the provisions covering the creation and supply of computer security tools (section 3A) have been widely criticised by the security community as counterproductive.
An offence is created of supplying tools that are "likely to be used" in contravention of the Act. This has always been a questionable issue: how, short of possessing a crystal ball, can a supplier be expected to have foreknowledge of the future intent of a potentially one-time customer? Indeed, the original section was suspended subject to review last April, largely on the basis of such concerns.
Sadly the CPS guidance, far from clarifying the matter, at first sight seems likely to increase the confusion. It offers examples where there is little or no ambiguity (e.g. the production or supply of "malicious scripts or software designed to enable modification of television set top boxes"). But it apparently fails to address the hugely important grey area of security testing tools that by definition can also be exploited maliciously. The resulting ambiguity has aroused significant criticism, although some commentators seem to be taking a rather literalist approach in their interpretations of the guidance.
In dealing with the concept of "likelihood" of misuse, the dominant exculpatory criterion seems from the guidance to be that of mass market penetration: is the item available on a "wide scale commercial basis"? Is it "widely used" for legitimate purposes? Does it have a "substantial installation base"? This is of course irrelevant to many real world situations, as security research tools (and particularly exploit demonstrations) can be highly specialised and even ephemeral, and in many cases their distribution will be by intent limited. However, the CPS informed heise Security that "newly developed legitimate tools with a small distribution base will be dealt with by prosecutors on a case by case basis, looking at the use that is being made of them and whether the article has been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)."
In the context of the "supply" offence it would appear from the guidance that the onus is on suppliers to ensure the legitimacy of the use their customers make of the tools, in effect making them proxy policemen before the fact - a scenario at worst not far removed from "Minority Report". It also seems that the burden of proof could come to rest on suppliers to demonstrate that they have taken due care to fulfil this obligation by, for example, provision of "robust and up to date contracts, terms and conditions and acceptable use policies" and obtaining from customers signed declarations that they will not contravene the Act. heise Security asked the CPS two specific questions concerning this apparent burden on suppliers:
- what are the expectations of the CPS concerning the means available to the supplier to assess "likelihood" of misuse to a level of confidence that is likely to exonerate the supplier in event of subsequent misuse by a third party?
- what are the expected effects of section 3A and the guidance on information sharing between security professionals about vulnerabilities and exploits, recognising that the sharing of exploit demonstration code plays an intrinsic part in the collaborative effort of such professionals?
The CPS declined to answer these specific questions, stating "we ... do not feel it is appropriate to continue to discuss how we might prosecute an amendment which has yet to come into force and will be further interpreted by a judge in his directions to a jury, and by defence teams". However, a CPS spokesman told heise Security "we would stress that CPS legal guidance is not a rigid set of rules to which our lawyers must adhere, but assistance they can use in assessing whether an offence may have been committed. Further advice is always available from specialist CPS policy officials and, if necessary, independent experts." The guidance therefore would not appear to have statutory force, nor would its precise wording have any legal standing. It is also likely, according to the CPS, to be revised in the light of prosecutions under the Act.
The publication of this guidance has clearly reopened the controversy that has accompanied the 2006 amendments to the CMA since their very inception. But bearing in mind that the CPS has to date been quite frugal in applying the existing Computer Misuse Act, it seems unlikely that there will be a sudden boom in unreasonable prosecutions. More likely there will be a period of gradual clarification while the realities get thrashed out once Section 3 comes into force (probably in August 2008).