They Hate Us For Our Sockets! (UK’s Proposed Computer Crime Law)
Thomas Ptacek | May 19th, 2006 | Filed Under: Defenses
A proposed amendment to UK criminal law:
(1) A person is guilty of an offence if he makes, adapts, supplies, or offers to supply any article—
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; or
(b) believing that it is likely to be so used
I am clearly not a lawyer. And, I concede that this is a poorly worded law. And, I’m not a believer in criminalizing malware. If you are not prepared to accept these three statements, stop reading here.
Still with me? Great.
There are three ways to read this:
1. The government wants to criminalize the distribution of tools designed specifically to enable people to break the law. Example: credit-card sniffing bot programs should be illegal.
2. The government wants to assert an unprecedented new level of control over the way computers are used, in order to simplify the operational challenges of law enforcement. Example: encryption programs should be illegal.
3. The government, in mortal terror of all things technological, owing to the fact that lawmakers don’t even read Slashdot, is mindlessly lashing out at a threat it doesn’t understand. Example: programming languages should be illegal.
I come down on (1). I am deeply ambivalent about this aim. But I buy that reasonable people could disagree about a law like this. From Saul Alinsky (who I really think indie startup geeks should read before Guy Kawasaki):
Communication for persuasion, as in negotiation, is more than entering the area of another person’s experience. It is getting a fix on his main value or goal and holding your course on that target.
So, as a thought experiment, in the wake of Blue Security, try this: what would you think about this law if the wording were tighter and the “offence” involved was specifically spam?
Maybe you’re still dead-set against it. I might be too! But there’s a rational conversation to be had here.
Let’s see where Slashdot comes down on it:
Equally, almost every hacker who commits an offense under section 1 or section 3 of the CMA will use Perl as part of their toolkit. […] Locking Larry up is surely not desirable.
Wow. They’re trying to outlaw Perl. I might actually be for this law!
So clearly this Slashdot summary is crazy-talk. You could substitute the word “computer” for “Perl” here and the assertion would have exactly the same meaning. I’ll bet the +4 comments will set things straight:
Heck, peel away all the layers of this onion and it wouldn’t be surprising to find hackers are behind this [here I stopped reading]
If you replace the software with guns, you will begin to understand [here I stopped reading]
This sort of news is great for nations like India, Singapore and Malaysia. The more the Western world places [here I stopped reading]
They will criminalize Python first, because Python has more powerful event-based socket primitives than Perl
I’m certainly not going to let anything as silly as some U.K. law stop me from distributing Nmap, but I also don’t want to become like Dmitry Sklyarov [here I stopped reading]
WTF are you talking about? Python doesn’t even have proper closures!
Here is my problem: “peel away the layers of this onion” and the only argument that the peanut gallery is really making is, “these guys don’t know enough about computers to write this law”. Well, that’s not a very strong argument, and it doesn’t make for a very interesting discussion. The real question should be, “is it a good idea for us to try to fight computer crime by attacking the supply chain of truly malicious tools?”.
If you get past that by saying “maybe”, then your next question is “how would you safely write such a restriction into law?”. Thinking of the law like a programming language: does “sell or offer to sell” do-what-we-mean better than “makes, adapts, supplies, or offers to supply”?
Here’s another problem: “outlawing nmap” doesn’t mean anything. For example, you’re aware of course that we are actually illegal in the state of Michigan:
(c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.
This horrible, misguided, overreaching law has not stopped Sourcefire and ISS from selling to the big auto manufacturers.


Dave G.
May 19th, 2006 6:28 pm
The Slashdot comments are, of course, ludicrous. However, there are some parts of that law that could impact security. While I don’t think it would affect pen-testing software (Ivan, care to comment?), Exploits/PoC code absolutely fall into the category of ‘likely to be so used’.
And it also lets them dump charges onto someone who is arrested on a lesser charge… each tool will probably be equal to one offense.
Ultimately, it is more about how a law is enforced vs. how it is written. The intentions of lawmakers aren’t always understood by those that enforce it. But if we follow the ‘laws are like programming languages’ analogy, sloppy law results in social defects that take significantly longer to fix.
Mostly I am psyched that there is one less nation’s worth of population who can make fun of me about our crappy laws! YOU HEAR ME, *.uk?!
Daniel Cuthbert
May 20th, 2006 2:03 pm
What most people are forgetting is that this proposed law is already halfway in being passed.
The only step UK citizens have is hoping that someone in the Lords actually sits up and takes note about what is being proposed here.
We still have the computer misuse act which is 16 years old now and makes anyone making a computer “perform a function” a criminal, so why would they not pass something like this?
The majority of lawmakers have very little computer experience, and expecting them to understand the complex nature of the Internet and also pass laws which protect its users is like expecting Blair/Bush to admit they did invade a country using a lie
hohumm