As a UK-based creator of "hacking tools", I have more than a passing interest in the new amendments to the Computer Misuse Act. These have been on the statute book for over a year, but have not yet come into force. The new law makes it illegal to supply software "believing that it is likely to be used to commit an offence".
Burp was downloaded 10,483 times last month. Were all of these used for lawful purposes? I would say it is absolutely certain that some people who download Burp use it unlawfully, and the same goes for any other popular security tool.
The arguments about "dual use" software are well worn, and scarcely need repeating. The same tools that are used by criminal attackers are also used in legitimate security testing. Demonstrating what attackers can do helps people to defend against them. Blanket restrictions will only penalise the good guys.
The same situation exists in many other domains which, being more familiar, do not invite such ill-considered legislation. Kitchen knives can be used for chopping food or for stabbing people. Manufacturers know that it is likely that some of their products will be used unlawfully. But we don't ban the production of kitchen knives - we just make it illegal to stab people.
The British Crown Prosecution Service has this week published its guidance on the new law, which responds to the preceding objections. The guidance notes the existence of a "legitimate industry" producing software "to test and/or audit hardware and software". This software may have a "dual use" and so prosecutors need to ascertain that a suspect has a criminal intent.
How can this be done? The following factors are relevant, says the CPS:
- Does the distributor have in place robust and up to date contracts, terms and conditions or acceptable use polices?
- Are users made aware of the Computer Misuse Act and what is lawful and unlawful?
- Do users have to sign a declaration that they do not intend to contravene the CMA?
- What thought did the suspect give as to who would use the software; for example, was it circulated to a closed and vetted list of IT security professionals or posted openly?
- Has the software been developed primarily, deliberately and for the sole purpose of gaining unauthorised access to computer material?
- Is the software available on a wide scale commercial basis and sold through legitimate channels?
- Is the software widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
This is a weird set of considerations, several of which can be trivially complied with by any criminal wishing to cover themselves. Some of the other factors apparently assume that "good" software must be sold commercially and widely used, and hence presumably that small-scale, freely distributed tools are "bad".
The function of CPS guidance is not to determine what is legal, but rather to advise prosecutors who to pursue. Taken together, the law and guidance leave a huge amount of discretion within the legal process. The net of literal illegality is cast very widely, and prosecutors are told to ask a set of vague questions about an individual's intentions when deciding whether to take action. In other words, everyone producing hacking tools is criminalised, and it will be up to prosecutors which people they don't like the look of. Most legal processes involve some discretion, but too much can be a bad thing, particularly when the parties involved don't really understand the subject matter. Would you like to take your chances against the British judge in a computer crime trial who asked lawyers to explain what a website is?
I don't plan to stop distributing or updating Burp any time soon. This is clearly a crap law, but I'm guessing that prosecutions will be rare, and that I'll be some way down anyone's target list. Oh, and keep it legal, kids.