Wikileaks protest could carry two-year jail stretch

Balanced

I wonder if such people are also focusing on the source of the DDOS attacks against the wikileaks site? More transparent hypocrisy from those in power.

By Nodule on 10 Dec 2010

Careful with those scales there Nodule

"Such people" as who exactly? This is a qualified lawyer, asked a specific question: it's not a global update from the Red Team in some game of Capture the Flag.I wonder how many LOIC fakes there are out there already, ready for gullible armchair warriors to download, run - and find they're not attacking anything they actually thought they were attacking, at all...

By Steve_Cassidy on 10 Dec 2010

Lack of joined up thinking there fella

"“Under the Computer Misuse Act, it's an offence to obtain tools to assist in the commission of an offence,” Struan Robertson, legal director at law firm Pinsent Masons, told PC Pro. “Even if you don't actually commit an attack, you could still face prosecution and a sentence of up to two years.”"

You can download the tools and not assist in any illegal attacks, the tools can be used to test ones own servers & security. Prosecutors would have to prove they were used to assist an illegal attack. Mucho differenté there pal, stop scaremongering.

By Andy_1 on 10 Dec 2010

As someone who regularly is asked to sort out other peoples PCs I see lots of problems where teenage kids are given free reign of their parents Laptop and download everything and anything they feel like. It would be very easy to package a Trojan with this botnet software (not the clean LOIC code which is a valid project hosted on Sourceforge).

By milliganp on 10 Dec 2010

Laywer Talking Nonsense

This article is pure nonsense. This alleged eminent lawyer has failed to mention the very important caviats. As mentioned many times, downloawding LOIC is not illegal.

Using it for illegal activities is. The same can be said for most things. There is nothing illegal about buying a crowbar, using it to burgle property is.

What a pathetic scaremongering story.

By Manuel on 10 Dec 2010

Let's summerize reality

Downloading LOIC is legal.
Downloading LOIC with HIVE funtionality is legal.
Using either versions to test ones own systems or systems one has permission to test is legal.
Using either to to attack systems one does not have permission to attack is illegal.

By Andy_1 on 10 Dec 2010

Oops

Not sure why my comments appeared 3 times. Apols readers.

By Andy_1 on 10 Dec 2010

Laws

I'm no lawyer, but it is perhaps not as clear cut you might think.

The Computer Misuse Act 1990, under section 3A, states that:

(3)A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.

By SMitchell on 10 Dec 2010

Who to listen to...

That's the conundrum. There are lots of laws which use simple posession as the only indicator of intent: including the knife crime stuff. See the stories about little old men with pen-knives in their gloveboxes being arrested during a traffic stop, because they are not "on their way to a job which demands a bladed implement". So who to listen to - unqualified advisers who tell you it's not illegal, or someone who is identified by their full name and company as a professional in the field. Hmm, tough one!

By Steve_Cassidy on 10 Dec 2010

Lawyers give opinions only...

Don't go around thinking Lawyers are perfect: remember Lord Goldsmith, Tony Blair's top lawyer, who said that it wasn't illegal to invade Iraq. It's been clearly shown since then that his opinion was led by political needs to support George Bush.

At the end of the day, lawyers give opinions only, and sometimes have an axe to grind depending on their politics. Otherewise why would you have lawyers acting for both prosecution AND defence? They can't BOTH be right!

By SwissMac on 10 Dec 2010

Twisted...

@Andy_1
It was one of the gaping holes in the law, when it was made.

It is illegal download the software.

It is illegal to attack somebody elses network with it.

It is legal to test your own network, but you've already committed an offence in downloading the tools to do the testing... :-S

By big_D on 10 Dec 2010

@SMitchell

That's the section I was thinking about too. That literally says if "obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3".

It seems to me that actually intending to or actually taking part in a DDOS attack is a critical part of the illegality of having a DDOS tool on your computer. "Mere possession" isn't enough - you have to possess with some sort of criminal intent.

Yeah, yeah, first we'll kill all the lawyers and all that but mere possession of data is a very, very low bar for criminal responsibility. This isn't child porn.

By steviesteveo12 on 10 Dec 2010

Fine point of syntax...

Steviestevo - the wording suggests to me that the intent-to-attack is in the mind of the SUPPLIER not the DOWNLOADER. So the "oh it's for testing" excuse doesn't hold water. Click on something identified as an attack tool and that, there, is the offence. Big_D has the net end eff4ect of this down absolutely right. Many precedents exist in such topics as firearms ("made safe" or not), dangerous dogs, etc. We might think they shouldn't - that's quite a different matter from telling people that in fact, they don't.

By Steve_Cassidy on 10 Dec 2010

Oh and I don't think there's any good reason to avoid illegality in protest: I could hardly claim to have a perfect record myself there. Break all the laws you want while protesting - what I object to is people who fudge the situation so that people think this protest is legal, and secondly, to people who think this *type* of protest actually does any good. Protesting (about wikileaks or tuition fees) seems to have attracted the wanton destructors, who show every sign of sinking the cause they claim to be supporting under the sheer weight of their stupidity.

By Steve_Cassidy on 10 Dec 2010

@Steve_Cassidy

Yeah, I was thinking about that but that seems to leave you in a bizarre state where, only in relation to computer misuse, for products with a legitimate use as well as a criminal use it is what something else thinks it is for and not what you got it for that matters for your criminal liability. Normally if a supplier thinks "yeah, that actually was a big knife - I think it's something you would stab people with" you can use them as a witness but they aren't the offence itself. There's a presumption against deprivation of liberty in the criminal courts and if we're asking courts to send people away for two years based on the criminal intent of somebody else I think it has rebut that presumption.

I think guns, dogs etc are different because there's no offence of possessing a dangerous program, there is just one of obtaining an article with a view to it being supplied for use to commit a couple of statutory offences (which is a really unwieldy sentence). If you're prosecuted for buying an unlicensed working gun or a banned breed of dog there's actually no question asked about what you're buying it for - you've already completed the offence by buying it.

I could see it being intended to cover buying a computer to hack the pentagon - illegal, buying a computer to do your homework - completely fine. That seems fairly reasonable to me, whereas it seems that in both cases the supplier wouldn't think it's for illegal acts and neither is actually illegal. That seems to create an absurdity.

By steviesteveo12 on 10 Dec 2010

Oh, It's absurd alright

But that doesn't grant anyone the right to misrepresent it as a legal activity. What they may be trying to say is "this shouldn't be illegal" or a variant on "I don't agree with the law": both constitue believing that the force of your opinion can magically protect you from prosecution. It can't.

By Steve_Cassidy on 10 Dec 2010

Get Facts Right

LOIC is open source software, easily and freely available.

It is not Illegal to download and use it. It is easily and has been used thousands of times legitimately with no criminal intent.

If you want to say it should be illegal because is can be used as a DDOI tool then that is a different issue.

IT is not illegal to download and use it.

By Manuel on 10 Dec 2010

why is it illegal to download the software, millions download software like Nessus, NMAP, wireshark backtrack without been illegal.

What about sites like Milw0rm or is that illegal?

Hope some some answers, Thanks

By patty on 10 Dec 2010

sorry about rubbsih english LOL

BTW ^ Someone

By patty on 10 Dec 2010

More careful reading needed...

"Even if you don't actually commit an attack, you could still face prosecution..."
- Struan Robertson, Legal Director, Pinsent Masons.

The word he used is *could* with a 'C' - not *would* with a 'W'.

Could = May, possibly, potentially.
Would = Will, absolutely, definitely.

It's a world of difference.

And for everyone saying it's not illegal, it's all nonsense, and the fully qualified senior lawyer from the large and respected law firm is talking out of his backside, I refer back to Steve Cassidy's point earlier:
What qualifications or professional knowledge of law do any of you have? Because if you're not lawyers, solicitors, barristers, magistrates, judges, (or anything similar) then all you're doing is giving an opinion based on what you WANT, not what actually IS.

If I get sick I go and see my doctor. My doctor is a fallible human and my doctor may be wrong about my health - but I trust his professional and experienced opinion on it rather more than my mate Bob's who lives down the road and doesn't seem to get ill very much...

Closer to home: How many people here have seen PC's buggered up by someone 'who knows a bit' about PC's?

By Mr_John_T on 10 Dec 2010

Clarification

While the purpose of some of these stories is perhaps to scaremonger there is is an erroneous belief by some commentators with respect to intent.
A standard for criminal law is usually that a guilty act (actus reus) must be accompanpied by a guilty mind (mens rea).
As one commentatot notes, owning a crowbar is not illegal - using it for violence is.
However, also remember that a specific law can set its own definition.
In the current example, The Computer Misuse Act has a specific section on intent, namely:
Section(2)The intent a person has to have to commit an offence under this section need not be directed at—

(a)any particular program or data;

(b)a program or data of any particular kind; or

(c)a program or data held in any particular computer.

Key phrase here is "need not be directed at".

Legal precedent sets precedent regarding intent unless a specific law overides that precedent.

In other words since you don't have to be in the process of attacking another computer, simply owning or downloading software is regarded by the law as intent.

You can't argue as a defence you didn;t intend to attackk anything since the Computer Misuse Act clearly states that intent is simply possession.

Also bear in mind that Acts of UK Law are specific. So for example if a law says you can't on a tuesday you can the rest of the week.

So in answer to why one thing is illegal and another not - the answer is that a different law applies.

Coming full circle there is one caveat to all this. Judges are not required to allow a law that in their legal opinion is nonsense.

You can pass a law that all people should be fines if they are not ten foot tall but a judge would not enforce it because it makes no sense.

It is very rare for this to happen (why they spend so much money on lawyers formulating laws). However, in the UK, however ill defined the seperation of powers is, judges still have the power to disregard a law if they regard it as wrong.
In this case, The Computer Misuse Act does seem to define intent as simply possession and this flies in the face of a millenuim or more requiring some greater proof of intent.
One can only hope

By simontompkins on 10 Dec 2010

Horse's Mouth award time

Simon, tell me you didn't type all that into the eeny weeny little comment box without a single edit!

By Steve_Cassidy on 10 Dec 2010

Comment box size

Steve - if you use the Chrome browser, you can resize that box to whichever size you like.

Interesting comments on this article, BTW.

Barry Collins
Deputy Editor

By Barry_Collins on 10 Dec 2010

You generally can't go wrong with advice like "this could lead to prosecution, watch yourself" so I think that Robertson really has a point here - this is rapidly becoming a very politicised issue and, frankly, given the size of the companies affected I think someone must be looking for blood.

I think if you're going to have a copy of a well publicised "hacking" (we can argue about the meaning of hacking too) tool on the basis that you're just testing something you need to have a seriously good reason and a fair amount of evidence to back up your story if you're going to rely on "just testing my own network" as your reason for having it.

I think, like most points of statutory interpretation, this really goes on a knife edge primarily about what "obtains any article with a view to its being supplied for use to commit… an offence" actually means. You can make sensible arguments for both sides (did parliament really intend to put people in jail for a third party's criminal intent? etc) but, and Steve_Cassidy is absolutely right about this, just because you can argue it doesn't mean that the judge is going to let you off.

By steviesteveo12 on 10 Dec 2010

Could / Would

In this case, with so many people downloading the software, you are liable to prosection, but with so many people to track, it is unlikely.

BTW, the big objections, at the time the law was passed, was that tools like Wireshark et al would become illegal, even for testing your own network!

It basically made the work / toolset of a security analyst or system administrator illegal!

By big_D on 11 Dec 2010

Lawyers know the law but not the digital world

@Steve_Cassidy

The lawyer will definitely be an expert on the law but he may be relatively ignorant of the actual software and the fact that there are legitimate uses for it.

I think many lawyers don't appreciate the tool can have legitimate uses so naturally describe it as illegal.

By longn on 11 Dec 2010

@longn

There are a lot of network utilities, which have legitimate uses, that have been made illegal by RIPA...

By big_D on 11 Dec 2010

Why would you download something you know is dodgy from someone you know is dodgy and then let it run on your system?
You might as well just put your bank details and credit card number up here now and leave it at that ;) Yeh, the real program has legit uses, but how do people know which version is real and which is corrupted with a trojan or three, how many people still fall for the "your computer is infected, download this free virus scanner now" pop-up..... This is just a crims wet dream people :)

By TiredGeek on 11 Dec 2010

could face up to two years in prison

Would these be the same jails where REAL criminals are being released early due to lack of space? Gotta get your priorities straight guys.

Remember, this is not a case of someone attacking a person (people are plentiful and easily replaced), nope, now they're threatening precious company profits.

This is serious!

By Lacrobat on 12 Dec 2010

Perhaps you'd have less to worry about if you downloaded the LOIC from the software creator's website as opposed to clicking a download link from an Anonymous representative's page that says "Download this tool and participate in our DoS attack". In the latter case, the intent of the supplier is clear as is the recipient's.

Also, downloading at a place of work where you have obvious network security responsibilities might be safer than downloading at home and if your job has nothing to do with computer security.

Of course, none of these factors can stop you being arrested and prosecuted under this law but it *may* help in your defence.

In the meantime, this law obviously needs clarification to allow legitimate security professionals to do their jobs without fear of arrest and prosecution.

By authentic8 on 28 Jan 2011