Uncertain law leaves penetration testers in limbo – Part 3/4

This is the third part of a series of articles.  The second part can be found here.

Harmonising national laws

Following the enactment of the Computer Misuse Act, the Council of Europe were well aware of the borderless nature of the internet, and the inherent problems of policing it, and began attempting to harmonise national laws relating to cyber crime.  In particular, they wanted to criminalise “the production, sale, procurement for use, import, distribution or otherwise making available of… a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed” when “committed intentionally and without right”.

The Computer Misuse Act 1990 was amended in a variety of ways, including a new s.3A, and, criminalised acts which should concern the penetration tester community:

1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence of unauthorised access to or modification of computer material;
2. A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence of unauthorised access to or modification of computer material;
3. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence of unauthorised access to or modification of computer material;

Criminalising IT security professionals

Those who use penetration testing, or ethical hacking, to identify security weaknesses are venturing closely to the activity of an unlawful hacker.  There is clearly potential for IT security professionals to have their activities criminalised.  A badly drafted contract with a client could result in you veering into unauthorised access and potentially a justifiable complaint to the police could follow. 

Furthermore, the production and distribution of software aids or toolkits for IT security work could also be deemed unlawful.  Many of the tools used by security professionals are commercially available products used in the load, penetration and network and resilience testing arenas.  However, the distinction between the lawful and unlawful use of such tools is a very fine line.  By their nature, they are used to access a computer system and therefore fall into the s.3A activity – one which carries a maximum sentence of two years imprisonment.

In fact, the definition is so broad – “supplying, or offering to supply, an article, believing that it is likely to be used” in an offence” – that many of those in the IT world are left close to statutory offences.  This is despite no actual criminality being present.

This section discusses the supply of “any article”.  Again, this is a broad term purposely used by Parliament.  It is used to describe software but is not restricted in that manner and could also describe a news article providing information alerting users to known security vulnerabilities in pieces of software. 

To be guilty, the person must “believe” that the article is likely to be used to hack.  The threshold of belief remains unclear and untested.  However, the section does appear to put the onus on manufacturers and distributors to decide whether they are supplying to legitimate users or likely criminals.  Publicly available security alerts should be more carefully drafted so as not to provide too much detail, allowing vendors to explain they did not believe the information was likely to be used to commit an offence. 

This is the third part of  an article that first appeared in PenTest magazine.  The remaining parts will be published on this blog on a weekly basis.