In the news last week, one of the headlines caught my attention. It was about the proposed expansion of the Computer Misuse and Cybersecurity Act. It was reported that obtaining hacking tools to commit crime, or the use of personal data that was obtained through hacks, will be criminalised under the proposed changes.
For people involved in IT security, the changes might come across as absurd initially. In particular, examples given about hacking tools included malware and port scanners. We do acquire malware for analysis, and we do routinely use port scanners for a variety of purposes. Neither of these necessarily has anything to do with what we’d consider illegal, though admittedly there could sometimes be grey areas.
By grey areas, I don’t mean that we are pushing the boundaries of what could be considered a crime or illicit purposes, but that we agree there could be various interpretations of how those activities could be treated.
A big part of the new changes hinges upon the acts performed for the purpose of committing or facilitating a computer offence.
Phew. This means that the mere act of downloading, say, nmap or other hacking tools, would not be a crime per se. These are mere tools, after all, and for the purpose of analogy, other tools, such as knives, could have completely legitimate purposes that have nothing to do with committing crimes.
However, it’s still really strange. If a computer offence is, well, already a criminal offence, isn’t the crime already dealt with? Is it necessary for the mere use of the tools involved in committing the crime to also be criminalised?
I’m no lawyer. Perhaps the government is thinking of simply having extra firepower to deal with various hacking crimes. That the end result is a crime they could prosecute isn’t good enough; they want to be able to deal with various other aspects of those activities to increase the weight of those crimes.
Is that necessary, and does that make sense?
After all, do you have to make it a law that the purchase of a knife for the purpose of murder is a criminal offence, when murder on its own is already dealt with by the law? Oh well, maybe someone can tell me, as perhaps I’m unaware, whether purchasing a knife for the purpose of murder is in fact also a crime.
I understand there are certain prohibitions concerning the carrying of knives of certain types, or other weaponry, in public. Those seem to be fine, and perhaps make sense out of public concern.
I’m particularly perturbed that the examples of hacking tools given include very innocuous ones such as port scanners. There are, indeed, other jurisdictions where port scanners have been debated, and I think it is generally understood that port scanners are no more harmless than knocking on doors in your neighbourhood. Knocking on doors, per se, is not a crime. Discovering that a door is unlocked, and then entering the private premises of your neighbours’ homes, is more clearly running afoul of the law.
At best, the systematic knocking on all your neighbours’ doors might be considered a public nuisance. Do you make it a crime to knock on doors, if the purpose had been for trespassing on private property?
I’m a little concerned about where the Ministry of Home Affairs is going with these proposed changes.