London software testing news UK


Security testing tools and UK law

Posted in Acceptance testing by testing in London on January 5, 2008

From Heise Security 

The UK Crown Prosecution Service (CPS) has published its guidance (PDF file) for prosecutors and caseworkers on the amendments to the Computer Misuse Act 1990. These amendments, enshrined in the Police and Justice Act 2006, have proved highly controversial since they were first mooted. Under the amended Act, the legality of tools that have both legitimate and malicious uses becomes open to question. In particular, the provisions covering the creation and supply of computer security tools (section 3A) have been widely criticised by the security community as counterproductive.

An offence is created of supplying tools that are “likely to be used” in contravention of the Act. This has always been a questionable issue – how (short of possessing a crystal ball) a supplier can be expected to have foreknowledge of the future intent of a potentially one-time customer. Indeed the original section was suspended subject to review last April, largely on the basis of such concerns.

Sadly the CPS guidance, far from clarifying the matter, at first sight seems likely to increase the confusion. It offers examples where there is little or no ambiguity (e.g. the production or supply of “malicious scripts or software designed to enable modification of television set top boxes”). But it apparently fails to address the hugely important grey area of security testing tools that by definition can also be exploited maliciously. The resulting ambiguity has aroused significant criticism, although some commentators seem to be taking a rather literalist approach in their interpretations of the guidance.
