The UK Government recently put out a public consultation call for information regarding the UK’s Computer Misuse Act (1990). That’s the piece of legislation that says what you can and can’t do with computers. I decided to respond, and post what I had to say here, in case it ends up going unnoticed. And lets face it, this is Westminster we’re talking about. They don’t care what a random Scottish guy has to say about the way of things.
If you’re British and want to make your own response, the information to do so is here: https://www.gov.uk/government/consultations/computer-misuse-act-1990-call-for-information. The question numbers refer to the calls in the linked document.
Q1, 2: Context
In the context of higher education, my university currently runs a 1-semester module dedicated to the CMA and other laws that relate to computers (such as data protection laws, investigative powers). This is somewhat tedious but does provide a valuable insight into how strict the law is.
Other modules, such as those that deal with ethical hacking and network security need to have very strict protections (using dedicated VMs for example) so that any students don’t accidentally run afoul of the CMA while they are conducting their studies.
Overall, I think that the way the CMA is presented (from my own experience) in an educational context it does come across as somewhat of a barrier where there is a lot of red tape. For students that may want to go into computer security, being told that you need explicit, ideally written, permission before attempting any research comes across as rather archaic and off-putting.
A change of attitude regarding ransomware
Currently there is a rampant problem of ransomware. A ransomware group attacks a company, by encrypting the disk contents of said company, and the company are forced to pay a fee to recover their files. Many companies currently pay (either out of pocket, or claiming on cyber insurance) to unlock their files as this is the easiest and quickest means to recover files. But this reinforces the effectiveness of the “business tactic” the attackers are using and makes it a profitable business.
Proposal: Make it illegal for companies, or cyber insurers, to pay ransoms to attackers
Upside: It would become unprofitable for ransomware groups to attack victims in the UK if there is no legal way for their victims to pay. Thereby reducing the incentive to attack in the first place.
Downside: Companies that do not have rigorous backup strategies would lose their data. So, the government ought to provide additional training / guidance for business on how to conduct effective backups strategies. The increased threat of losing data could also be a way to encourage businesses to invest in backups.
I argue that negligence towards computer security that leads to breaches (especially from mid to large companies that do have the resources to work on it) should be considered, if not misuse of computers, some kind of criminal negligence.
Consider Dark Patterns used to undermine the law as computer misuse
Under surveillance capitalism, many large companies (often overseas in America or increasingly china) use surveillance capitalism to make their profits. If they inform users of how they will use customer data, and get clear informed consent, this is all legal. However, some companies use “dark patterns” or other methods of obfuscation or confusion to trick users into agreements that they may not have made were they properly informed.
Proposal: Companies or individuals that use dark patterns to trick or mislead users should be held accountable
Upside: It would incentive providers of technologies to be more upfront about how their services operate. It would also help to rebalance the relationship between the public and actors who store data on them.
Downside: Defining what legally constitutes a dark pattern is incredibly tricky, and there is the danger of government overreach into freedom of design and expression. So further consultation would be necessary.
Question 5 specifically deals with “future areas”. One emerging future area is AI, and the use of algorithmic approaches to the state of the art where previously a human would have been present at every step. I do not have any specific proposals for this, but some questions worth considering:
- Say a malicious actor sets up an AI that probes for security flaws and in doing so causes damage. Who is at fault? The actor that set up the AI, the original author of the AI, or the AI itself? My intuition would be the actor that set up the AI, but is the law clear on this?
- If there is a flaw in an AI, is abusing that to commit a crime considered computer misuse? For example, an attacker uses a flaw in a computer vision system to make an autonomous car crash itself. Who is at fault? The attacker, manufacturer of the car, manufacturer of the AI? The attacker if obviously at fault, but do the others share some of the blame? Is the law clear on this?
- Currently machine learning algorithms tend to be unexplainable (research into such algorithms that can “explain” the conclusions they come to is ongoing). Should the law require that AI in critical systems (that affect lives or livelihoods) be able to explain their conclusions? That would make things safer, at the cost of slowing down progress.
Protections for “White-hat” security researchers:
Right now, there is currently a major flaw in the CMA in that if a security researcher acting in the best of interests discovers a vulnerability in a security system, before seeking explicit permission to do so, they are breaking the law. This should not be the case as it means currently there is a big barrier to entry as any security researcher first has to contact an organisation to get permission, and only then can they start to look for security bugs. And any organisation that does not like having security flaws pointed out to them can take a security researcher acting in the best of interests to court.
Proposal: Allow security researchers who are acting with the best interests of other parties in mind the right to look for security flaws / bugs without fear of persecution.
Upside: More security researchers can look for bugs without fear of persecution if the other party they are investigating is not receptive to such ideas.
Downside: Some nefarious hackers may try to use this as a defence if they are caught, so the law would need a rigorous definition of what constitutes a “white-hat” / “blue team” / “good guy” hacker / activities.
The right to bypass & discuss DRM, Technical Protections and Anti-Tamper technology
DRM is a means that publisher originally intended to protect against copyright theft. However, in recent years this has expanded far beyond the initial meaning, leading to situations where software and hardware are “protected”, making it illegal for researchers or hobbyists to investigate, modify or repair the inner workings of technology. Under some interpretations of DRM rules, even discussing or sharing information is considered a breach of the law. This makes for a very hostile environment when it comes to investigating technology. As more technology becomes embedded, such as the Internet of Things, researchers having the right to bypass DRM becomes increasingly important.
Proposal: Assert the right to investigate, bypass and freely discuss DRM or other technical protections
Upside: Researchers would be able to see past DRM and de-obfuscate parts of technology to identify security flaws. They would not need to fear repercussions if they wanted to share these ideas with others in the community. They may also be able to offer “patches” or repairs for DRM-encumbered products which contain vulnerabilities.
Downside: This would undermine efforts to use DRM to protect against copyright theft. However due to such fallacies as the “analogue hole” and the rampancy of internet piracy despite existing DRM protections, the assertion that DRM was ever useful in the first place is questionable.
EULAs & Terms of Service
Related to all this is the use of terms of service and end user license agreements which also may preclude a safe environment for security researchers. The law ought to supersede any such texts that prohibit proactive security research.
It is difficult to comment on the reach of jurisdiction. The global nature of the internet means it is extremely easy for an attacker to commit a crime in the UK while being located abroad. Or even to commit a crime in the UK, from the UK, but using a proxying service to appear from abroad.
In recent times there have been instances of children or young adults committing crimes through computer misuse. I would suggest that sentencing towards these be lenient. As I noted at the start of my reply, university courses that deal with computer science will dedicate time to teaching the law. But democratisation of computer science and hacking education means many new hackers will not take the traditional paths and may miss such education.
If it is simply a question of probing, hacking, we should not needlessly punish people who offer enormous potential to the ethical hacking community, should we give them training in the “right” way of doing things. However, intent to cause harm should still be investigated and prosecuted accordingly.
I have heard in reporting on legal cases (not necessarily just the CMA) that one outcome is for an offender to receive a computer ban. In today’s world that seems incredibly unjust, as life without using computers would be tiresome and difficult. Everything from banking, accessing government resources to finding a job increasingly requires computers. Even communicating over the phone may require the use of a pocket-sized computer. I would propose that we ensure that no future offenders receive computer bans, given that computers may be necessary to their healthy reintegration in society.
Protections for users of encryption
I am seeing a lot of government vocalising about the dangers of encryption and how some criminals use it to hide from the law. However, encryption, the ability to secure files and communications, is a cornerstone of modern computer security. Any attempt to undermine encryption using “backdoors” for government or law enforcement agencies would totally undermine the security of the system in question.
Proposal: Ensure that people maintain the right to use encryption unhindered (without government backdoors, weakening) to secure themselves from bad actors
Upside: Normal users of technology would be safe against the possibility of attackers abusing any government backdoors, as there would not be any backdoors.
Downside: Law enforcement may have a harder time getting access to specific sets of encrypted data. However traditional investigative methods and investigation of unencrypted metadata would still allow for tracking down criminals.
Q16-17: International Best Practice