<Disclaimer: I am not a lawyer>

It's been a long running saga, but the changes to the UK's Data Protection Act are now in force. Similar to the changes in German legislation, the creation, modification or supply of any tool or information that could result in unauthorised access to a computer is now explicitly illegal in the UK.

On top of the standard, and already well argued, debate concerning dual-use tools such as nmap, wireshark et. al. It has been suggested that the act could even go so far as making vulnerability research and disclosure illegal, even if no code or tools are developed. Think I better be careful what I post to EH-Net from now on.

When the good guys can't play the game, the bad guys will win by default.

just had a quick read of the actual statute, and to my relief there are "intent" clauses.

I am also NOT a lawyer, but having spent a while in the hobby lockpicking community I've done a bit of research on posession of locksmith tools etc.  These laws vary greatly depending on where you go, but in a majority of places, posession and distribution of lockpicks is only illegal if the intent to use to commit an offence is there.   i.e. if you are caught carrying picks, the court would take into account surrounding evidence - if you are a known hobby picker or have a locksmith licence it is considered not-illegal, however if you are caught at 2am at someone elses backdoor, then intent becomes an issue.  the same goes for non-specific tools - carry a screwdriver?  not a problem.  carry a screwdriver at 2am behind someone else's house?  intent rules in these cases.

the Police and Justice act says the following:



Note the necessity of intent.  I know it is still a potentially serious issue for legitimate ethical hackers like us, but pardon a bit of cynicism on my behalf if I say "the media sensationalises these things because going into the legal details doesn't make a good story.  it also gets a rise out of the people who read the article and take it at face value:  'oh noes every tool I use is going to be illegal the bad guys have won'.  which is certainly not the case.

The other thing to note is that (generally) laws are made but only tested in court where the first few cases define a precident - if the first few convictions under this law distinguish (which they should) between deliberate malicious intent and research/hoby or even miss-guided accident, then we'll know that the law isn't quite as dumn as the media portrays. (at least in this case).