L'articolo 37 della legge del Regno Unito sull'uso improprio del computer afferma che non è consentito produrre, ottenere o fornire articoli che possono essere utilizzati per l'uso improprio del computer.
In che modo i blogger e i relatori della sicurezza delle informazioni del Regno Unito si occupano di questo, dal punto di vista tecnico, anche con intento non malevolo, c'è una violazione della CMA.
La legislazione in questione è sezione 3A del Computer Misuse Act 1990 (questa sezione è stata aggiunta al testo originale della CMA dalla sezione 37 del Police and Justice Act 2006):
3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(4) In this section “article” includes any program or data held in electronic form.
(le sezioni 1 e 3 si riferiscono ad accessi non autorizzati e compromissione del funzionamento del computer)
In Inghilterra e Galles, i procedimenti giudiziari sono promossi dal Crown Prosecution Service, ci sono linee guida prodotte dal CPS per la sezione 3A:
Prosecutors should be aware that there is a legitimate industry concerned with the security of computer systems that generates 'articles' (this includes any program or data held in electronic form) to test and/or audit hardware and software. Some articles will therefore have a dual use and prosecutors need to ascertain that the suspect has a criminal intent.
...
Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use polices?
Are students, customers and others made aware of the CMA and what is lawful and unlawful?
Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Per la Sezione 3A (2):
In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
Is the article available on a wide scale commercial basis and sold through legitimate channels?
Is the article widely used for legitimate purposes?
Does it have a substantial installation base?
What was the context in which the article was used to commit the offence compared with its original intended purpose?
L'unica cosa che consente questo è il senso comune. In realtà praticamente tutti i team di test di sicurezza potrebbero fallire in quanto è molto ampio.
Fortunatamente il nostro sistema legale non è ancora così stupido, quindi "l'intento" è il punto importante qui.
Leggi altre domande sui tag legal