La legislazione in questione è sezione 3A del Computer Misuse Act 1990 (questa sezione è stata aggiunta al testo originale della CMA dalla sezione 37 del Police and Justice Act 2006):
3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or
offers to supply any article intending it to be used to commit, or to
assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to
supply any article believing that it is likely to be used to commit,
or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a
view to its being supplied for use to commit, or to assist in the
commission of, an offence under section 1 or 3.
(4) In this section “article” includes any program or data held in
electronic form.
(le sezioni 1 e 3 si riferiscono ad accessi non autorizzati e compromissione del funzionamento del computer)
In Inghilterra e Galles, i procedimenti giudiziari sono promossi dal Crown Prosecution Service, ci sono linee guida prodotte dal CPS per la sezione 3A:
Prosecutors should be aware that there is a legitimate industry
concerned with the security of computer systems that generates
'articles' (this includes any program or data held in electronic form)
to test and/or audit hardware and software. Some articles will
therefore have a dual use and prosecutors need to ascertain that the
suspect has a criminal intent.
...
Prosecutors dealing with dual use articles should consider the
following factors in deciding whether to prosecute:
Does the institution, company or other body have in place robust and
up to date contracts, terms and conditions or acceptable use polices?
Are students, customers and others made aware of the CMA and what is
lawful and unlawful?
Do students, customers or others have to sign a
declaration that they do not intend to contravene the CMA?
Per la Sezione 3A (2):
In determining the likelihood of an article being used (or misused) to
commit a criminal offence, prosecutors should consider the following:
Has the article been developed primarily, deliberately and for the
sole purpose of committing a CMA offence (i.e. unauthorised access to
computer material)?
Is the article available on a wide scale commercial basis and sold through
legitimate channels?
Is the article widely used for legitimate purposes?
Does it have a substantial installation base?
What was the context in which the article was used to commit the offence
compared with its original intended purpose?