Previous Section Back to Table of Contents Lords Hansard Home Page

In effect, the provision, whether in the form of the current drafting or the amendment of the Minister, all but guarantees that the internet will be considerably less safe for UK users. That must be counterproductive and antipathetic, not only to the Government’s intention here, but also to their wider aspiration of making the UK the best place in the world for e-commerce.

It is also worth contemplating what benefit would accrue were the provision to be enacted. As a generality, the vast bulk of criminal and malicious activity will be caught by the first arm of the clause, subject to the test of intent. Presumably, therefore, the likelihood test is intended to apply in instances where the internet is seeded with harmful, or even malicious, code for potential onward use as an adjunct to hacking activity, perhaps by “script kiddies”—my noble friend is testing me here—“code monkeys” and the like. Without delving too deeply—thank goodness—into the psychology of such individuals, it is highly unlikely that the provision would either prove a deterrent for them or that, in reality, the offence could be adequately investigated and so prosecuted in practice. In sum, therefore, the provision will almost inevitably do much more harm than good.

In Committee, the noble Lord, Lord Bassam of Brighton, prayed in aid the Government’s adherence to the virtues of consultation. As he put it:

We do not doubt the sincerity of this. Nevertheless, given that my noble friend has not found a single IT professional prepared to endorse the Government’s proposition here throughout the two-odd years it has been under consideration, it would be helpful if the Minister could flesh out how the Home Office perceives the industry’s attitude towards it.

I am enormously grateful to my noble friend for his assistance with my speaking note. I hope it will enable the Minister to address the matter fully and I look forward to her reply. I beg to move.

Lord Dholakia: My Lords, I simply want to thank the Minister for the Government’s amendment. I do so because the Government have taken note of a number of anomalies identified by my colleague in the House of Commons, David Howarth, and the amendment is designed to put them right.

The Earl of Erroll: My Lords, I shall speak to this group, and particularly to my Amendment No. 129A. First, I thank the Government for taking into account some of the comments I made about the difference between making and inventing the tools, and supply and distribution of the tools, which is what they are trying to hit.

However, I am afraid that their amendment does not quite go far enough. It is a question of effectiveness and whether it works, and I am afraid to say that it will not. I reassure the noble Baroness, Lady Anelay of St Johns, that things like “script

10 Oct 2006 : Column 214

kiddies” are quite common terms in the industry. Phishing is a big worry at the moment; I was talking about it only last week.

The real problem probably stems from something we have just been talking about. I have just been at dinner with the Hansard Society in the Commons, talking about globalisation, regulation and a few other things. This is a typical example. We think we can regulate, but in a global, internet-based world we cannot. People can host these things abroad. They can host sites which will supply tools to allow you to do this, that and the other, and there is nothing we can do to prevent it. They will be hosted on servers abroad by foreign companies, and you cannot do anything about it. If they were hosted on British servers you could give them notice and tell them to remove them or even prosecute them if you were lucky enough.

Will it work? It will not, I am afraid. It is one of those things that sounds good but will do nothing. What it will do is cause a lot of trouble to large companies that supply perfectly legitimate tools to help people to carry out remote maintenance or use remote access. It will not help parliamentary staff because if someone supplies the tools to them, whereby they can shadow you working on your own terminal in Parliament and thereby help you solve the problem that you just got trapped in, those sorts of tools might be forbidden under the supply rule.

The Home Office response to this is: “Well of course we won’t chase the good guys. We won’t go after them. We are only after the bad guys”. The trouble with that is that it is all well until an enforcer trying to achieve some other aim threatens someone. I do not think that, as Parliament, we should be passing laws that give power to enforcement agencies to blackmail companies into doing other things for them because they know they can use something like this against them. It is too much of a blanket power.

Further, it is useful for penetration testing—for instance, people testing to see whether their company systems can be hacked. A typical example of this is phishing. Last week I was sitting next door to a chap called Gary McKinnon, who is the person the Americans are trying to extradite and put in jail for 60 years because he put post-it notes all over the Department of Defense systems. Five years ago he got into their systems because he thought it would be fun to see how good their passwords were. He ran a little program and discovered that a large number of people with Windows access had not bothered to use passwords. For the Department of Defense in America not to check that its stuff was moderately secure and that its senior people at least had passwords to prevent access is stupid. So he thought he would show them how stupid they were.

As a result of that Gary has got into hot water. I will not go into the merits of the case or whatever, but the department should have been using tools like this to ensure its own security was all right long before Gary got there. And so should we. However, it will make these things illegal and large groups, large banks and so on should be testing that their systems are secure. In fact Parliament should. But, under this

10 Oct 2006 : Column 215

provision, whoever supplies you with that tool to test that will be committing an offence. It is all very well to say, “They are the good guys, we won’t prosecute them”, but I do not think that is good enough. I have great trouble with laws that hand over powers to the enforcers and say, “It is at our discretion whether we are going to prosecute you”.

I stand very strongly on that, having seen and heard of many incidents where people have been told that unless they comply with something else there is an obscure rule and they can throw the book at a company for something else. I know that there will be efforts made at the European level to reverse this provision if we pass it in this form. I was informed of that by some international companies.

I would prefer to see the amendment of the noble Earl, Lord Northesk, go through and remove the provision altogether. I do not think it will do any good. It is a waste of time. It will not allow you to do anything effective against enforcing what you want. However, I believe that the Minister will not allow that. Therefore, I would suggest that you should either say “more likely than not” if that is what you mean. I suggested last time using the word “primarily”; this time I suggest using “principally”. We are looking at the objective of the people supplying or trying to sell these tools. If it is principally to sell it to the hacker community, I do not have a problem. In which case say so in the Bill. We know these things are likely to be used. If the Government mean that it is more likely than not, then they should say more likely than not.

I would like to push this issue at some stage. I know that there is only one more stage of the Bill. It concerns me greatly that we should leave the matter in this form. Therefore, I would like to hear what the Government have to say.

9.15 pm

Lord Bassam of Brighton: My Lords, I am going to read what the Government say and I will try to say it as best I can. I am pleased with the half vote of support from the noble Earl, Lord Erroll, and I am most grateful to the noble Lord, Lord Dholakia, for his customary courtesy and thanks for the amendments that we have tabled in this group. Although the noble Baroness, Lady Anelay, did not say that she was ever so pleased about what we were moving this evening, I thought that perhaps there was some grudging acknowledgement that we had recognised part of what the noble Earl, Lord Northesk, sees as a problem. Obviously, we will never satisfy the noble Earl, Lord Northesk. Sometimes, I would be worried if we did. However, I congratulate him on his continued persistence. By tabling amendments such as this, he makes us think much harder about what we are trying to do better to perfect the legal framework with which we try to cover the difficulties.

In general, we are pleased with the support for creating a new offence to cover those who make or adapt, supply or offer to supply articles—so-called hacking tools—intending that they be used to commit

10 Oct 2006 : Column 216

computer misuse offences. As I said, the debate is focused on how best we deal with those who deliberately make such articles available but whose state of mind falls short of intent, shall we say? The government amendment narrows the offence so that those who make or adapt those articles commit an offence only if they intend the article to be used to commit offences, rather than if they believe that it is likely that that is what they will be used for.

The amendment tabled by the noble Earl, Lord Northesk, goes further and would also exclude those who supply or offer to supply articles believing that they are likely to be used to commit an offence. The noble Earl, Lord Erroll, proposes that the new offence is amended to replace believing that it is “likely” with believing that it will “principally” be so used. The use of the term “principally” has similar difficulties associated with it to that which the noble Earl preferred in Committee, which was “primarily”. I am not sure that it is capable of legal definition. Clearly, I am not an expert in these matters, but it is not a word with which I am familiar as being used in statute to describe a particular state of affairs.

Such tools are increasingly sophisticated and damaging. They are increasingly available and increasingly used to commit crime. We cannot support the approach taken by noble Lords because we believe that it is important that the offence covers the supply of such articles for criminal use even beyond the narrow circumstances of criminal intent. We also believe that “principally” refers to the extent of the usage. In other words, some of the time, the article will be used for legitimate purposes but the person believes that it will be principally used for Computer Misuse Act offences. Whereas, in our view, “likely” reflects a belief that there is a strong possibility that the article will be used for Computer Misuse Act offences.

The Earl of Erroll: My Lords, does the Minister accept that, actually, the sort of tools that are used to test systems and gain remote access are normally used by hackers to gain access to systems illegally? All of them are very likely to be used for that purpose. That is the trouble. If the Government do not intend to catch all these tools, why does “likely” mean “more likely than not”? These systems will be used for that, whether you like it or not.

Lord Bassam of Brighton: Well, my Lords, that may well be the case, but I invite the noble Earl to consider that we are trying to write terminology into the Bill that has a proven track record of being tested in a court of law. That is very important. I do not know how the noble Earl can make that judgment about those tools being used primarily or only by hackers. I am not sure how he reaches that conclusion. In a sense, that is otherwise from this debate. That is his view, but I invite him to bear with me while I complete my commentary so that he can better understand where we are coming from.

As I said, having listened to the debate in Committee and to industry, we accept that it would not be reasonable in all cases for the manufacturer of

10 Oct 2006 : Column 217

a tool to be held responsible for its subsequent illegal use if they had no such intent. I have been persuaded that the circumstances relating to making or adapting a tool are often too far removed from the use of it for the person to form a solid belief in the likelihood of criminal use. However, the same does not apply to those who supply the articles believing that it is likely that they will be used to commit offences. As we discussed in Committee, “believing that it is likely” is a high test in practice; the prosecution would need to prove beyond reasonable doubt that the person supplying the tool knew that it would be used for unlawful purposes in most instances. We think on balance that that is the right, sensible and appropriate approach.

Obviously, those in the legitimate IT security sector make, adapt and supply these tools as part of their daily work. They rightly need the confidence that the new offence will be used appropriately—one might also argue proportionately—to ensure that their practices and procedures fall entirely within the law. The DPP will write and publish guidance on how the new offence will be dealt with, with particular focus on the factors that prosecutors will take into consideration in determining, in accordance with the code for Crown prosecutors, whether there is sufficient evidence to prosecute and whether it is in the public interest to do so.

Finally, we have made amendments to Clause 43 that make transitional provisions to ensure that the changes which the Bill makes to the Computer Misuse Act 1990 do not have an impact on offences committed before the Police and Justice Act comes into force.

A question was asked about the assessment made by the noble Earl, Lord Northesk, of the clause’s impact. The assessment, which was given ample voice by the noble Baroness, Lady Anelay, differs from ours. We have consulted industry members and the CBI on these provisions and have had no representations from them suggesting that the provisions will force them out of the UK market. In fact, the provisions will not criminalise general applications such as browsing, as it is used more legitimately than criminally. Therefore, no one could believe it likely that they will be so used. We have taken industry views into account and, as I say, have not received the sort of representations to which the noble Baroness alluded.

That said, I simply invite the noble Baroness to withdraw the amendment in the name of the noble Earl, Lord Northesk, and the noble Earl, Lord Erroll, not to move his amendment. I hope that they will accept the government amendments.

Baroness Anelay of St Johns: My Lords, I am grateful to the Minister for his considered response. I also appreciate the expertise of the noble Earl, Lord Erroll, but ask him to be a little cautious when using words such as “script”, “kiddies” and “code monkeys”. I read them out only because I had such confidence in my noble friend. I did not think he had put them there for a joke and assumed that they were real. He was right to draw attention to the fact that phishing should be of concern to all of us, and that

10 Oct 2006 : Column 218

we all have a duty with any file or detection device to ensure that our own computer networks are secure. Those of us in the House who use the internet are aware of the time taken to try to ensure that patches are provided at the right time to prevent the regular attacks on our systems being successful. It is a matter of concern for all, and it was that concern of the noble Earl, Lord Erroll, and my noble friend Lord Northesk which was the progenitor of these amendments. I shall certainly invite my noble friend to consider carefully the Minister’s response between now and Third Reading.

Lord Lawson of Blaby: My Lords, I apologise for intervening. I am concerned about how this wording will be interpreted. It is clear that anything—whether it be a fast motor car or what we are talking about in this debate—that can be used for a malign purpose is likely to be used by someone of evil intent for that purpose. The wording of the Government’s amendment is,

which means anything that is capable of being used. That goes much further than this House should be comfortable with. I hope that the government will therefore give it consideration. With this amendment, they seek to narrow the conditions, but they are not narrowing them at all. Another look at this is warranted. I apologise for intervening.

Baroness Anelay of St Johns: My Lords, that was a welcome intervention. It is precisely why my noble friend Lord Northesk felt that the government drafting could not be improved: he felt that it was so defective that one could not achieve the right result, so he wants to take out that section. I know that the noble Earl, Lord Erroll, was trying his best to find a better definition that could adequately deliver the safety of use for those properly using the tools—the good guys as opposed to the bad guys, as my noble friend put it.

I agree with my noble friend that there should be further time for consideration. I know that there is not much time between Report stage and Third Reading, but there will be one week and one day, which is more than there is occasionally. An e-mail will wing its way to my noble friend from me tomorrow, but I am sure that by the time this is on the internet at lunch time he will already be reading the results of our deliberations. I am sure that he will contact all of us to see what needs to be done betwixt now and time for tabling amendments at Third Reading next Tuesday. In the mean time, I beg leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Lord Bassam of Brighton moved Amendment No. 129:

10 Oct 2006 : Column 219

The Earl of Erroll had given notice of his intention to move, as an amendment to Amendment No. 129, Amendment No. 129A:

The noble Earl said: My Lords, I am not sure whether I am speaking at the right time, but now seems logical. The noble Lord, Lord Lawson, is right. I do not believe that the courts will interpret the word “likely” as meaning more likely than not, because it does not say that. This is trying to catch people advertising on the internet who say, “Here you are. Here are some great hacker tools. Why do you not download these?” The trouble is that people who are trying to supply—possibly without selling—a subsidiary company or part of a group things that will help to maintain, assist or test computer systems will be caught also by this wording. It is impossible to write something to maintain a computer system remotely or test the security of a computer system which can be used only for that purpose. Everything written for that purpose can be turned around by someone who wishes to use it for hacking. As the noble Lord, Lord Lawson, said, it will be used by hackers.

Therefore, the word “likely” means that everyone is prosecutable by the courts. I have heard people say, “They can look at what the Minister said”, but unless it is ambiguous there is no requirement to look at the parliamentary debate. The word “likely” is unambiguous. Therefore, I am afraid that the courts will find that the Government have a case just to say, “Well, we can prosecute you”. They do not even need to look. The intention behind this was not to prosecute the good guys. Nowhere in the Bill says that. Another sentence saying, “If you are a good guy, we won’t prosecute you”, would perhaps be all right. Between now and Third Reading, the Government need to think of something that means “more likely than not” or “the primary purpose” or something like that. Otherwise, I will come back with something at Third Reading myself.

[Amendment No. 129A, as an amendment to Amendment No. 129, not moved.]

On Question, Amendment No. 129 agreed to.

9.30 pm

Clause 43 [Transitional and saving provision]:

Lord Bassam of Brighton moved Amendments Nos. 130 and 131:

(a) subsection (2) of section 40, and (b) paragraphs 16(2), 22(2) and 26(2) of Schedule 15, apply”

On Question, amendments agreed to.

Baroness Anelay of St Johns moved Amendment No. 132:

Next Section Back to Table of Contents Lords Hansard Home Page