.

UK Data Protection Act

<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Nov 14, 2008 7:07 am

UK Data Protection Act

<Disclaimer: I am not a lawyer>

It's been a long running saga, but the changes to the UK's Data Protection Act are now in force. Similar to the changes in German legislation, the creation, modification or supply of any tool or information that could result in unauthorised access to a computer is now explicitly illegal in the UK.

On top of the standard, and already well argued, debate concerning dual-use tools such as nmap, wireshark et. al. It has been suggested that the act could even go so far as making vulnerability research and disclosure illegal, even if no code or tools are developed. Think I better be careful what I post to EH-Net from now on.

When the good guys can't play the game, the bad guys will win by default.
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Fri Nov 14, 2008 9:25 am

Re: UK Data Protection Act

Well obviously this will prevent the bad guys from getting ahold of the tools, so the good guys won't *need* to have access to them any more.
<<

NickFnord

User avatar

Full Member
Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Fri Nov 14, 2008 11:38 am

Re: UK Data Protection Act

just had a quick read of the actual statute, and to my relief there are "intent" clauses.

I am also NOT a lawyer, but having spent a while in the hobby lockpicking community I've done a bit of research on posession of locksmith tools etc.  These laws vary greatly depending on where you go, but in a majority of places, posession and distribution of lockpicks is only illegal if the intent to use to commit an offence is there.  i.e. if you are caught carrying picks, the court would take into account surrounding evidence - if you are a known hobby picker or have a locksmith licence it is considered not-illegal, however if you are caught at 2am at someone elses backdoor, then intent becomes an issue.  the same goes for non-specific tools - carry a screwdriver?  not a problem.  carry a screwdriver at 2am behind someone else's house?  intent rules in these cases.

the Police and Justice act says the following:

Making, supplying or obtaining articles for use in offence under section 1 or 3

(1)A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.



Note the necessity of intent.  I know it is still a potentially serious issue for legitimate ethical hackers like us, but pardon a bit of cynicism on my behalf if I say "the media sensationalises these things because going into the legal details doesn't make a good story.  it also gets a rise out of the people who read the article and take it at face value:  'oh noes every tool I use is going to be illegal the bad guys have won'.  which is certainly not the case.

The other thing to note is that (generally) laws are made but only tested in court where the first few cases define a precident - if the first few convictions under this law distinguish (which they should) between deliberate malicious intent and research/hoby or even miss-guided accident, then we'll know that the law isn't quite as dumn as the media portrays. (at least in this case).
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Nov 18, 2008 4:12 am

Re: UK Data Protection Act

Nick,

mostly I agree with you, I find it very unlikely that we are going to see stories where 'admin for X arrested for passing copies nmap and wireshark to colleague'. However, the creation and possession of exploits and penetration frameworks are a different matter, especially with the 'limited' knowledge of the legal profession in these areas, and are equally vital to security professionals.

Even with the intent aspect of the clauses I feel uncomfortable performing any activity where the legality of the actions can be decided after I have committed the act. I'd feel a lot happy with a firm yes or no beforehand. I don't fancy being one of the test cases, regardless of outcome I don't think I could afford the legal fees.

Return to Other

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software