The European Commission seems to be revisiting ground covered by the UK’s 2006 amendment to the Computer Misuse Act, attempting to criminalise certain acts relating to devices/tools used for committing offences against information systems. The problem is that many computer programs – for example for identifying vulnerable computers, monitoring wireless networks or testing password strength – can be at least as valuable to those trying to secure networks and computers as to those trying to compromise them. The only difference between legitimate and illegitimate use lies in the intention and authorisation of the person using the tool. The UK law recognised intent as a key factor in whether those making (s.3A(1)) or obtaining (s.3A(3)) tools were committing a crime, but not for those supplying tools to others (s.3A(2)). This resulted in the removal from the UK of at least one website listing tools and techniques for incident response teams.
First impressions of the Commission’s proposal aren’t very encouraging. In Article 7a the Commission seeks to regulate items “designed or adapted primarily for the purpose” of committing offences. That formulation (which was discussed and rejected in the UK) assumes that the intent of the original designers or adapters (supposing that can even be determined) is what matters, not the intent of the person who supplies or uses the tool. Indeed it could even protect those who carry out attacks using tools designed for legitimate purposes – for example both ping and DNS have been used for highly successful denial of service attacks. This flawed wording of the Article is particularly odd, as Recital 9 has the better formulation of “‘tools’ that can be used [my emphasis] in order to commit the crimes listed in this Directive”, recognising that tools themselves can have both good and bad uses.
More positively, Article 7 does specify that, in order to be a crime, the “production, sale, procurement for use, import, possession, distribution or otherwise making available” of such tools has to be done “intentionally and without right, for the purpose of committing” one of the offences defined in the previous articles. That does seem to limit criminality to those who intend to commit crimes – indeed Recital 10 (and in European law recitals are as much part of the law as Articles) is explicit that “this Directive does not intend to impose criminal liability where the offences are committed without criminal intent”.
In Recital 10 the Commission also gives helpful examples of non-criminal use of tools relating to “authorised testing” or “protection of information systems”; the draft report of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs proposes to further clarify the former to “testing in accordance with law” in order not to “undermine the effectiveness and practicality of selftests without criminal intent”. The Committee also proposes to amend Article 7 so that mere possession is not an offence – “given the possibility to use programmes in dual forms, i.e. for legal as well as criminal purposes, the possession of a tool should as such not be punishable” – and “the purpose of the actions described in this article should only be punishable when it is clearly aimed at committing an offence”.
Both the Commission and the Committee therefore seem to have understood the issue of dual-use tools and be aiming for something much better defined than the UK’s crime of “suppl[ying] … any article believing that it is likely to be used to commit, or to assist the commission of, an offence under section 1 or 3” (CMA s.3A(2)). As I pointed out at the time, that could both criminalise Microsoft’s issuing of patches (since it is well-known that those are immediately reverse engineered to facilitate attacks) and give authors the possibility of denying that they had any idea their products might be misused!
Debate and possible revisions have still to take place before this becomes European law, so the important safeguards that are in the current text could still be lost, either in that process or in the transposition to national law. In the UK we should definitely be alert to it being used as a reason to enable our significantly worse version from 2006. Rather surprisingly, it seems from the Government’s official database that the s.3A tools amendment of the Computer Misuse Act has never actually been brought into force!
[UPDATE: on further investigation, it seems that s.3A was brought into force on 1st October 2008, but I can’t find any reports of prosecutions in which it has been used]