Police and Justice Bill

moved Amendment No. 178: Page 33, leave out line 24. The noble Earl said: This subsection was introduced as a government amendment in Committee in another place. Moreover, although some concerns were raised at that time, I acknowledge that there was consensus across the political divide that it should be inserted. In that sense, I draw no comfort whatever from the possibility of being a minority in objecting vehemently to the provision. It is profoundly flawed and coulddo untold damage to the IT community in the UK and conceivably even that beyond our shores. I shallendeavour to explain why. Before so doing, as with the previous amendments on DoS attacks, I willingly, although again guardedly, endorse and support the Government’s intention with the clause as a whole. We all know that, whatever its form, online hacking of IT systems with criminal or malicious intent is a modern scourge. Manifestly, therefore, due provision should be made to proscribe making, adapting, supplying or offering to supply so-called ““hacker tools””. I therefore find paragraph (a) eminently sensible and desirable. That said, I am fiercely of the opinion that the test that someone is guilty of an offence under the clause if he merely believes, "““that it is likely to be…used…in the commission of an offence””" is unnecessarily and dangerously broad, the more so because it is not in any way constrained by the expressions of intent contained in paragraph (a). As the Committee will be aware, the use and effectiveness of online activity is highly dependent on the work of anti-virus and IT security companies. Of necessity, they employ a variety of so-called ““hacking tools””, such as Nmap, which is used to probe for insecure machines online to see whether they respond, or the scripting language Perl, simply to test IT systems for vulnerabilities that could be exploited by those with criminal or malicious intent. In so doing, they can address discovered weaknesses, hopefully, before hackers can take advantage of them. Indeed, the patches and updates issued by the likes of Microsoft—of which I am sure Members of the Committee are only too aware—are a culmination of this process. Here, it is not a case of whether system administrators believe that such tools are ““likely”” to be used in the commission of an offence; they know full well that they will be—and, indeed, already are. Accordingly, in any interpretation of the paragraph, they lay themselves open to possible prosecution simply by doing their job. As an IT acquaintance has pointed out to me, this is akin to legislating to make use of a crowbar illegal on the basis that an individual would believe that it was ““likely”” to be used in the commission of burglaries. I do not doubt that that is not the Government’s intent; nevertheless, it is the implication of the drafting. I know of a number of IT professionals, some of whom are among the best in the country at what they do, who are sufficiently worried by the implications of the clause that they are actively considering abandoning their work in IT security or moving overseas. That would be disastrous, not only for our reputation for IT but economically. Consider, too, forensic hacking. Of necessity, law enforcement agencies use hacking tools to investigate crime; for example, to gain access to encrypted data. Again, it is not a case of ““belief”” that such tools could be used by a hacker, it is absolute certainty. Do we, therefore, conclude that an IT security company supplying hacking software to the police should be deemed to be committing an offence? Or, perhaps, the Government imagine that an individual constable hacking into encrypted data on a criminal’s computer could fall foul of paragraph (b). Patently, such situations would be absurd. I wonder, too, whether the Government have thought through this matter in the context of higher education. As the Committee will be aware, the syllabuses of many undergraduate computing degrees include hacking. In fact, in response to demand from the IT sector, the University of Abertay in Dundee has recently announced its intention to run, from the start of the next academic year in October, a BSc (Hons) undergraduate course in ethical hacking and countermeasures. But what would be the status of such educational opportunities if paragraph (b) were enacted? On the face of it they would be illegal, because students and professors would know, not merely believe, that the subject matter of their courses is ““likely”” to be used in the commission of an offence. Again, this would be perverse. I am of course aware of the Home Office’s view that the key to the provision is how the courts might interpret ““likely””. Indeed, it has circulated a letterto interested parties which makes this observation. It states that it "““boils down to the court deciding whether it is more likely than not each individual instance of the article will be used to commit an offence, i.e. the offence is only committed if it will be used criminally more than legally””." I apologise, but I deem that to be just gobbledygook. What happens where a tool is determined as being used legally and criminally in equal measure? How, in fact, would a court measure accurately such percentages of usage? Quite apart from that, and as with my criticisms in the previous grouping, is it not incumbent upon us as legislators, and indeed the Government, to imbue the law with as much clarity as possible? I could say much more, but I will not weary the Committee any further. I merely observe in conclusion that, in contrast to their efforts on DoS attacks, with paragraph (b) the Government are attempting major surgery where a sticking plaster will do. They are using a sledgehammer to crack a nut, the more so because paragraph (a) of itself bears down adequately, if not entirely, upon the activity that the Government wish to and should proscribe. In so far as that suggests incoherence in their approach to legislating on IT, I repeat my conviction that a wholesale re-write of the CMA is needed. In the mean time, I beg to move.