Computer Misuse Act guidance published

Whilst ORG was on holiday, the Crown Prosecution Service published long-awaited guidance on section 3A of the Computer Misuse Act, which comes into force in April 2008 and outlaws making, supplying or obtaining “hacking tools”. Back in 2006, when amendments to the Computer Misuse Act were discussed in Parliament, ORG echoed widely reported concerns that the legislation was far too broad. The security community were especially alarmed that tools routinely used to test for vulnerabilities or to stress-test networks would be erroneously covered by the legislation.

The guidelines bring some good news for developers, in that the offence will not be triggered unless hacking tools are developed “primarily, deliberately and for the sole purpose of committing a Computer Misuse Act offence”. However, the trigger for distribution offences – whether the tool is “available on a wide scale commercial basis and sold through legitimate channels” – should cause alarm amongst open source advocates.

ORG Advisory Council member Richard Clayton has provided excellent analysis of the guidance at Light Blue Touchpaper, and you can read up on the issue on the ORG wiki.