Security Experts Ask UK Government To Roll Back Old Computer Abuse Law That Harms Security Research

from the thirty-years-is-several-lifetimes-ago-in-computer-years dept

The US government passed the Computer Fraud and Abuse Act in 1986, years before computers became something everyone had at home and carried around in their pockets every day. The CFAA had a purpose, but its value declined as computing advanced. The abuse it was written to address tended to take a backseat to abuses of the law by prosecutors and private companies to punish people for discovering security flaws or using technology in ways some people never expected.

The law has done more harm than good, criminalizing security research and providing a handy weapon for private companies to deploy against those who point out their security holes.

The same thing has been happening in the UK, thanks to a law that is only four years younger than the justifiably despised CFAA. As Matthew Field and Gareth Corfield report for The Telegraph, security experts are asking the incoming prime minister to put this ancient computer abuse law out of everyone’s misery.

Companies representing Britain’s £10bn cyber defence sector have asked Rishi Sunak and Liz Truss to rewrite the 30-year-old Computer Misuse Act, which they said is no longer fit for purpose.

The signatories include the Internet Services Providers’ Association, which represents BT, Virgin Media and Sky, London-listed cyber security company NCC Group and Ciaran Martin, the former head of Britain’s cyber security agency.

Passed in 1990, the Computer Misuse Act was written to address misuse of an early digital voicemail system. Like the CFAA, it was broadly written, presumably in hopes of addressing unforeseen computer crimes. Instead, it managed to criminalize research (both of the regular and the security variety) by making it illegal to engage in “unauthorized access to computer materials.” Things people do all the time (like, say, sharing passwords to a streaming account or, you know, probing for security flaws) can be punished with up to ten years in prison.

The law needs to go. It’s incapable of addressing the current computer climate and its ability to criminalize any “unauthorized access” continues to harm…