When coding becomes a crime

The situation worries security professionals. If looking for flaws is a crime, even if you don’t intend to use the vulnerability for personal gain, it leaves many researchers in a legal grey area – despite many software firms, including Google, offering rewards to people who find ways to crack into products such as Chrome.

Good intentions aren’t a legal defence, even in the UK. Our computer security laws are dictated primarily by the Computer Misuse Act 1990, which forbids accessing a computer without permission.

In the wake of the Indian Ocean tsunami, a UK security expert, Daniel Cuthbert, made a donation to a charity website that was raising money for the victims. When he received no confirmation, he conducted two tests on the site’s directories to try to verify its authenticity, but his actions prompted an alert, and the police were called in. He was fined £400 and told to pay £600 in costs, but even the judge appeared to find the whole process ridiculous.

“For whatever reason, Cuthbert intended to secure access, in an unauthorised way, to that computer,” said judge Quentin Purdy. “It is with some considerable regret that I find the case proved against Mr Cuthbert.”

UK bans hacker tools

Computing laws are intentionally wide to give authorities flexibility to keep up with changing technologies, and they’ve recently been extended to make it an offence to create and trade in tools that could be used for malicious purposes.

“There’s been an amendment to our computer-misuse legislation in the UK that has brought in something that people were quite concerned about, whereby it became an offence to either make, supply, obtain or buy ‘articles’ used for hacking,” says Mark Watts, a partner at law firm Bristows. “It’s very broad – if somebody was providing passwords, pin numbers or data that would be useful to a hacker, that in itself is an offence.

“There’s always a lot of concern [about new computing legislation], because you don’t want to criminalise the entire IT industry, and ‘supplying an article’ is very broad,” he says. “If someone worked out that if you insert a certain sequence of numbers or a code into a computer, phone or game machine and stuff happened that the machine isn’t supposed to do, it would count as a hack. Providing those details would in itself be an offence, whether it was for fun or for money.”

It isn’t only the person using a tool who risks prison – such as one 22-year-old who was handed an eight-month suspended sentence for using a readily available program to steal other people’s Steam passwords – but also the person who made it.

If you write a penetration-testing tool and your code is used by someone else, you’re just as guilty as the person committing the hack. “If the intent of the code writer could be characterised as ‘for the purpose of gaining access to a program or data’ – it doesn’t have to be a specific program – that person could be guilty of this kind of offence,” says Watts.

That’s problematic, as many otherwise innocent applications can be used for malicious purposes. Take Free Keylogger, a website-monitoring application available for download from a UK site. Aimed at worried parents, spouses and companies, it boasts that it protects children from paedophiles and is almost impossible for a non-expert to spot, as it records all keystrokes and websites visited.
