Information Security News mailing list archives

Crimes bill targets hackers, DoS attacks


From: InfoSec News <isn () c4i org>
Date: Tue, 28 Aug 2001 04:55:07 -0500 (CDT)

http://www.idgnet.co.nz/webhome.nsf/UNID/269577935B2CD8B0CC256AAD00811EB6!opendocument

Averill Parkinson and Bernard Woo
Auckland
27 August, 2001

The select committee report on the Crimes Amendment (No 6) Bill has
proposed two new sections to the bill with significant implications
for all web users. The first new section is targeted at denial of
service attacks. The second targets the creation, distribution and
possession of "hacking software".

There is no doubt that there should be laws to cover these situations.
The questions that need to be answered are whether the proposed
sections are adequate and whether they go further than necessary.

New section 251(2)(c) is designed to deter denial of service attacks.

In doing so it casts a very wide net. The section requires the
"interferer" to recklessly or intentionally, and without authority,
cause any computer system to deny service to any authorised users or
to fail. The section is broadly drafted and may, in Techlaw's view,
cover less culpable cases.

Have you ever received an email with a virus attachment? Opening a
virus-infected email attachment without virus checking, resulting in
the virus being transmitted to every person in your address book,
could be construed as reckless. The argument here is that every net
user should be aware of viruses, especially with the front-page
coverage they receive, and by not taking steps to ensure they do not
propagate them, the user is acting recklessly.

However, for some people, this may seem to be taking the concept of
"responsible use" too far. If this were the effect of the new section,
every user would need to obtain and keep updated a virus checker as a
pre-condition to internet use.

In Techlaw's view, it is unlikely that a naive or ignorant web user
would be found to have acted recklessly. It is, however, possible that
a person with a high level of understanding of the risks, such as an
ISP, could be found liable.

The second addition is Section 252, which introduces a new offence
that the select committee says is the crime of "being in possession of
'hacking' programs or other information in circumstances that show an
intention to use it to commit a computer crime".

While this may seem like a worthwhile amendment, there are a number of
issues arising out of the precise wording used.

First, what constitutes a "hacking" program? You and I are probably in
possession of a "hacking" program at present or have been in the past.
The proposed definition is "any software or other information that
would enable another person to access a computer system without
authorisation". This sounds like many useful network administration
tools.

Second, the words "other information" are included in the definition.
Although it has been commented that this would include the
unauthorised distribution of passwords or digital certificates, it
could include information on sites that attempt to educate people
about hacking from a prevention perspective. Often there is little
difference between the information on these sites and those that
contain instructions on how to implement "hacks". The information that
they provide could be more than useful in the commission of a crime.
One possible solution is that the courts will look at the intention
behind the mounting of the material, and therefore find that mounting
of "prevention" sites is not a criminal activity.

The third issue is that the new section refers to software or other
information used or able to be used for "the commission of a crime".
Unlike the select committee report, "crime", as used in the section,
is not limited to "computer crime". Is the definition limited to
unauthorised access crimes or does it mean crime in general? If it is
crime in general, the distribution, creation or possession of software
for purposes other than "hacking", for example, file transfer or
copying software (which could be used for copyright crimes), could
fall within the section.

The select committee has introduced these new sections at a late
stage. There is no formal opportunity for public submissions.
Techlaw's concern is that new crimes may be passed without the
necessary weighing of competing interests, for example, rights of
"fair use" of copyright versus the property rights of copyright
holders.

A reasonable opportunity for public debate should be available before
such potentially far-reaching crimes are introduced.



Parkinson is a partner and Woo is a law intern in Clendon Feeney's
technology law team. This article, together with further background
comments and links to other web sites, can be downloaded from
www.clendons.co.nz. Questions and comments can be sent to Averill
Parkinson.

 


-
ISN is currently hosted by Attrition.org
