Previous Section Back to Table of Contents Lords Hansard Home Page

The noble Earl raised the prospect of a rewrite of the Computer Misuse Act 1990. We have consulted the industry, including the APIG, which the noble Earl mentioned, and others on this issue over two years. We concluded that the consultation did not highlight the need for a complete rewrite of the Act, but these changes reflect the issues that were raised as fruit of that consultation. I know that legislation in this field is an art of perfection for the noble Earl but we seek, as ever, to keep the industry well informed and well briefed on our thinking. We consult regularly, take on board the results of those consultations and try to reflect them where relevant in any necessary changes to legislation. I am very grateful for the noble Earl’s work on this. I accept that he will never be entirely happy and satisfied with what we are attempting to do, but I hope that he will feel reasonably content and that he will not press his amendment.

On Question, amendment agreed to.

[Amendment No. 172 not moved.]

Baroness Anelay of St Johns moved Amendment No. 173:

The noble Baroness said: I wish to speak to Amendments Nos. 173, 175 and 177. These are probing amendments that reflect concerns raised by the All-Party Children’s Group in its child impact statement.

Clause 39 amends Section 1 of the Computer Misuse Act 1990, and introduces new penalties for unauthorised access to computer material. Clause 40 amends Section 3 of the same Act and again introduces new penalties for an unauthorised act with intent to impair the operation of a computer. Clause 41 amends the same Act, introducing new penalties for making, supplying or obtaining articles for use under the previous sections.

The problem is that it is unclear whether these offences can apply to young people under 18; if so, they would not appear in the Crown Court. Therefore, the maximum penalty available in the youth court would be a two-year detention and training order. We have tabled this amendment because we and the all-party group would be grateful if the Minister could clarify the Government’s intentions on this matter. I beg to move.

The Earl of Erroll: When I saw the amendment I wondered what its purpose was since a lot of the relevant damage is done by under 18 year-olds who regularly try to disrupt computer systems for fun. They may start at the age of 10 or 12 playing around, then they learn a bit more, and then they learn a bit more at school. The thought that none of this would apply to under-18s was greeted with horror in some circles. I have discovered that it is a probing amendment on exactly how the matter will be dealt with in the courts, but I should like to make it clear that under-18s should not be exempted from responsibility for some highly destructive actions, because they are very often the perpetrators.

11 July 2006 : Column 609

Lord Bassam of Brighton: I am grateful to the noble Baroness for speaking to the amendments, but ultimately we cannot commend them to the Committee. We believe that criminal responsibility should apply as much online as it does in the physical world—I almost said the metaphysical world—but we do not believe that there is a need to treat Computer Misuse Act offences differently from other offences. Under-18s are capable of understanding the consequences of their online actions in the same way as they do their offline actions. I often think that they understand online consequences far more clearly than people of our generation. I ought to put in a disclaimer of sorts there, but having noticed my teenage children working online, that certainly is the case.

That said, any under-18s who commit an offence under these provisions would be eligible for a fine or warning if they admitted their guilt and it was their first or second offence, in which case the young person can be assessed to determine the causes of their offending behaviour and to identify a programme of activities to address them.

I hope that, having heard that explanation, the noble Baroness will withdraw the amendment.

Baroness Anelay of St Johns: As I made clear, this is a probing amendment to meet the requirements of the all-party group, to which the noble Lord’s comments will not come as a surprise.

The difficulty is that all of us have noted the Government’s split personality. On some occasions 16 to 18 year-olds are treated as adults but on other occasions they are treated as juveniles. On occasions such as this we are not sure exactly how they will be treated. I accept that those under 18 have every bit as much of a facility to use computers in an unwelcome way as anyone over 18. They know a heck of a lot more about it than I would do; not that I would want to learn how to misuse information technology—I leave that to the Government and their plans for ID cards. On that note, I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 39, as amended, agreed to.

4.30 pm

Clause 40 [Unauthorised acts with intent to impair operation of computer, etc]:

The Deputy Chairman of Committees (Lord Geddes): Before calling Amendment No. 173A, I must advise the Committee that if it or Amendment No. 174 is agreed to, I cannot call Amendment No. 175, due to pre-emption.

Lord Bassam of Brighton moved AmendmentNo. 173A:

11 July 2006 : Column 610

(a) he does any unauthorised act in relation to a computer; (b) at the time when he does the act he knows that it is unauthorised; and (c) either subsection (2) or subsection (3) below applies. (a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; (c) to impair the operation of any such program or the reliability of any such data; or (d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done. (a) any particular computer; (b) any particular program or data; or (c) a program or data of any particular kind.”

On Question, amendment agreed to.

[Amendments Nos. 174 and 175 not moved.]

The Deputy Chairman of Committees: Amendment No. 176 is a joint amendment.

Lord Bassam of Brighton: My understanding is that our amendments cover the same ground, and as I advised the Committee, we had a suspicion that the amendment proposed by the noble Earl, Lord Northesk, was technically deficient. We would prefer our amendment to his, and I thought that the noble Earl was going to withdraw his.

The Earl of Northesk: The noble Lord, Lord Bassam, has failed to perceive that we are on Amendment No. 176, which is in my name and the Minister’s. If he does not want me to move it, I am quite content not to.

Lord Bassam of Brighton: The embarrassment is mine, and I apologise fulsomely to the Committee and to the noble Earl. I do have an excuse, but it would not be worthy of your Lordships’ Committee.

The Earl of Northesk moved Amendment No. 176:

“( ) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily”

On Question, amendment agreed to.

[Amendment No. 177 not moved.]

Clause 40, as amended, agreed to.

Clause 41 [Making, supplying or obtaining articles for use in computer misuse offences ]:

The Deputy Chairman of Committees: Before calling Amendment No. 178, I must advise the Committee that if it is agreed to, I will not be able to call Amendment No. 178ZA, due to pre-emption.

11 July 2006 : Column 611

The Earl of Northesk moved Amendment No. 178:

The noble Earl said: This subsection was introduced as a government amendment in Committee in another place. Moreover, although some concerns were raised at that time, I acknowledge that there was consensus across the political divide that it should be inserted. In that sense, I draw no comfort whatever from the possibility of being a minority in objecting vehemently to the provision. It is profoundly flawed and coulddo untold damage to the IT community in the UK and conceivably even that beyond our shores. I shallendeavour to explain why.

Before so doing, as with the previous amendments on DoS attacks, I willingly, although again guardedly, endorse and support the Government’s intention with the clause as a whole. We all know that, whatever its form, online hacking of IT systems with criminal or malicious intent is a modern scourge. Manifestly, therefore, due provision should be made to proscribe making, adapting, supplying or offering to supply so-called “hacker tools”. I therefore find paragraph (a) eminently sensible and desirable. That said, I am fiercely of the opinion that the test that someone is guilty of an offence under the clause if he merely believes,

is unnecessarily and dangerously broad, the more so because it is not in any way constrained by the expressions of intent contained in paragraph (a).

As the Committee will be aware, the use and effectiveness of online activity is highly dependent on the work of anti-virus and IT security companies. Of necessity, they employ a variety of so-called “hacking tools”, such as Nmap, which is used to probe for insecure machines online to see whether they respond, or the scripting language Perl, simply to test IT systems for vulnerabilities that could be exploited by those with criminal or malicious intent. In so doing, they can address discovered weaknesses, hopefully, before hackers can take advantage of them. Indeed, the patches and updates issued by the likes of Microsoft—of which I am sure Members of the Committee are only too aware—are a culmination of this process.

Here, it is not a case of whether system administrators believe that such tools are “likely” to be used in the commission of an offence; they know full well that they will be—and, indeed, already are. Accordingly, in any interpretation of the paragraph, they lay themselves open to possible prosecution simply by doing their job. As an IT acquaintance has pointed out to me, this is akin to legislating to make use of a crowbar illegal on the basis that an individual would believe that it was “likely” to be used in the commission of burglaries.

I do not doubt that that is not the Government’s intent; nevertheless, it is the implication of the drafting. I know of a number of IT professionals, some of whom are among the best in the country at what they do, who are sufficiently worried by the implications of the clause that they are actively considering abandoning their work in IT security or

11 July 2006 : Column 612

moving overseas. That would be disastrous, not only for our reputation for IT but economically.

Consider, too, forensic hacking. Of necessity, law enforcement agencies use hacking tools to investigate crime; for example, to gain access to encrypted data. Again, it is not a case of “belief” that such tools could be used by a hacker, it is absolute certainty. Do we, therefore, conclude that an IT security company supplying hacking software to the police should be deemed to be committing an offence? Or, perhaps, the Government imagine that an individual constable hacking into encrypted data on a criminal’s computer could fall foul of paragraph (b). Patently, such situations would be absurd.

I wonder, too, whether the Government have thought through this matter in the context of higher education. As the Committee will be aware, the syllabuses of many undergraduate computing degrees include hacking. In fact, in response to demand from the IT sector, the University of Abertay in Dundee has recently announced its intention to run, from the start of the next academic year in October, a BSc (Hons) undergraduate course in ethical hacking and countermeasures. But what would be the status of such educational opportunities if paragraph (b) were enacted? On the face of it they would be illegal, because students and professors would know, not merely believe, that the subject matter of their courses is “likely” to be used in the commission of an offence. Again, this would be perverse.

I am of course aware of the Home Office’s view that the key to the provision is how the courts might interpret “likely”. Indeed, it has circulated a letterto interested parties which makes this observation. It states that it,

I apologise, but I deem that to be just gobbledygook. What happens where a tool is determined as being used legally and criminally in equal measure? How, in fact, would a court measure accurately such percentages of usage? Quite apart from that, and as with my criticisms in the previous grouping, is it not incumbent upon us as legislators, and indeed the Government, to imbue the law with as much clarity as possible?

I could say much more, but I will not weary the Committee any further. I merely observe in conclusion that, in contrast to their efforts on DoS attacks, with paragraph (b) the Government are attempting major surgery where a sticking plaster will do. They are using a sledgehammer to crack a nut, the more so because paragraph (a) of itself bears down adequately, if not entirely, upon the activity that the Government wish to and should proscribe. In so far as that suggests incoherence in their approach to legislating on IT, I repeat my conviction that a wholesale re-write of the CMA is needed. In the mean time, I beg to move.

The Earl of Erroll: I shall also speak to Amendment No. 178ZA in this group. To be honest,

11 July 2006 : Column 613

Amendment No. 178, deleting the paragraph altogether, may be the best course of action, because the provision causes serious problems. I have had long conversations about this with several people from companies that will be directly affected by it. I thought that the Home Office might not be willing to remove the paragraph, so I tabled my slightly less extreme amendment; nevertheless, it may have its own problems, and it may be wiser to delete the paragraph altogether. This small but important amendment will have a serious impact on quite a lot of companies that currently write software that is perfectly legal and is extremely useful because it allows computers to be managed remotely. To give you a feel of the technology, the Parliamentary ICT helpdesk uses such software. If you have a problem, you can allow one of the helpdesk people to take control of your computer or to watch what you are doing on it and give you helpful advice. That would be a typical application where someone is remotely accessing your computer using the same tools as hackers would use.

People developing websites will have software that can download and install itself to monitor the mouse’s movements around the screen to see how people use the websites, where they hover and what they click on. These things, which sit in the background, are used by academics and developers to make websites more usable. We all know of websites—possibly even the parliamentary website—which could do with a little research in this direction. Such tools will almost certainly be made illegal by the proposal because they are exactly the sort of tools that hackers can use. Even if such tools were not principally designed for a hacker in the first place, hackers could easily modify bits of them, or use them, and it is extremely likely that they will do so; it is highly unlikely that they would not do so.

It is very likely that hackers will use these things. It is highly improbable that they will not. Unless my definition of “likely” is very different from that of the lawyers at the Home Office, I would prefer the dictionary definitions that I find to the ones that they may be trying to use.

The real trouble is how the courts will interpretthe word “likely”. In our courts, some very clever barristers will use very clever verbal gymnastics to twist the meaning of “likely” to suit their case. The case may be brought not against a large company that can afford very expensive barristers to defend it but against a small, one-man band, who may have written some software. For some reason someone who may be trying to gain commercial advantage reports him, or has a contact that can do something, and he may be unable to defend himself against a clever barrister in court.

I do not know whether “likely” implies that more people will use such tools for legal purposes than for illegal purposes such as hacking. How dothe courts establish that? As a result, after some discussion with people, I suggest “primarily”, which would be better. I am open to other ideas, such as that of our assiduous and articulate assistant to the Convenor of the Cross Benches, Julian Dee, who suggests “largely intended for”. A journalist on the

11 July 2006 : Column 614

train with whom I was discussing it this morning suggested “principally”. All these words have much to recommend them instead of “likely”.

The important thing is that they should convey the intention of Parliament better than “likely” in the mind of the lawyers. I support this approach because of the possibility that this might persuade the lawyers in the Minister’s department to change their minds, but I do not know whether this is likely or unlikely.

It has been suggested to me in discussions with the people behind “likely”—the Home Office—that the courts can use Pepper v Hart to look at the Minister’s response to these amendments to find out the intention behind Parliament’s inclusion of this word. The trouble is that the courts have to decide that it is ambiguous and I am not sure that it is at all ambiguous. I believe that it is highly likely that any of these tools will be used by hackers unambiguously.

Another approach would be to use a very ambiguous word. I will leave it to noble Lords’ imagination how you might make this phrase so ambiguous that the courts had to read the Minister’s statements. That would be an alternative, but is that likely to happen? Anyway, it is a bad way to make law.

I turn to a matter that I feel strongly about. In Roman law, I believe, one makes laws slightly general and the courts and the state decide how the law is to be interpreted and fill in the blanks later. But under common law—we are a common law country—basically you are allowed to do anything that is not expressly forbidden. Therefore, we define much more closely what is forbidden because it is important to make clear what companies are and are not permitted to do and not leave it to the courts to interpret later.

I have also spoken to someone who has close ties with the Commission and they do not like this at all either. Should we pass the measure in this form, there may be moves from Europe later in the yearto get it changed. International companies are sufficiently worried about this for lobbying to take place. With that, I look forward to hearing the Minister’s reply.

4.45 pm

Baroness Harris of Richmond: We agree with this amendment. As I understand it, under paragraph (b) a software developer will need only to intend his software to be used or believe it likely to be used as a hacking tool. I very much welcomed the fact that the noble Earl, Lord Erroll, explained his concerns about “likely”—a point with which we also agree.

Next Section Back to Table of Contents Lords Hansard Home Page