Date: 2006-10-21 20:05:01
Source: Hansard – The official record of the proceedings of the British Houses of Parliament, London, Oct 2006

The Earl of Erroll: My Lords, I shall speak to this group, and particularly to my Amendment No. 129A. First, I thank the Government for taking into account some of the comments I made about the difference between making and inventing the tools, and supply and distribution of the tools, which is what they are trying to hit.

However, I am afraid that their amendment does not quite go far enough. It is a question of effectiveness and whether it works, and I am afraid to say that it will not. I reassure the noble Baroness, Lady Anelay of St Johns, that things like “scriptkiddies” are quite common terms in the industry. Phishing is a big worry at the moment; I was talking about it only last week.

The real problem probably stems from something we have just been talking about. I have just been at dinner with the Hansard Society in the Commons, talking about globalisation, regulation and a few other things. This is a typical example. We think we can regulate, but in a global, internet-based world we cannot. People can host these things abroad. They can host sites which will supply tools to allow you to do this, that and the other, and there is nothing we can do to prevent it. They will be hosted on servers abroad by foreign companies, and you cannot do anything about it. If they were hosted on British servers you could give them notice and tell them to remove them or even prosecute them if you were lucky enough.

Will it work? It will not, I am afraid. It is one of those things that sounds good but will do nothing. What it will do is cause a lot of trouble to large companies that supply perfectly legitimate tools to help people to carry out remote maintenance or use remote access.
It will not help parliamentary staff because if someone supplies the tools to them, whereby they can shadow you working on your own terminal in Parliament and thereby help you solve the problem that you just got trapped in, those sorts of tools might be forbidden under the supply rule.

The Home Office response to this is: “Well of course we won’t chase the good guys. We won’t go after them. We are only after the bad guys.” The trouble with that is that it is all well until an enforcer trying to achieve some other aim threatens someone. I do not think that, as Parliament, we should be passing laws that give power to enforcement agencies to blackmail companies into doing other things for them because they know they can use something like this against them. It is too much of a blanket power.

Further, it is useful for penetration testing - for instance, people testing to see whether their company systems can be hacked. A typical example of this is phishing. Last week I was sitting next door to a chap called Gary McKinnon, who is the person the Americans are trying to extradite and put in jail for 60 years because he put post-it notes all over the Department of Defense systems. Five years ago he got into their systems because he thought it would be fun to see how good their passwords were. He ran a little program and discovered that a large number of people with Windows access had not bothered to use passwords. For the Department of Defense in America not to check that its stuff was moderately secure and that its senior people at least had passwords to prevent access is stupid. So he thought he would show them how stupid they were.

As a result of that Gary has got into hot water. I will not go into the merits of the case or whatever, but the department should have been using tools like this to ensure their own security was all right long before Gary got there. And so should we.
However, it will make these things illegal and large groups, large banks and so on should be testing that their systems are secure. In fact Parliament should. But, under this provision, whoever supplies you with that tool to test that will be committing an offence. It is all very well to say, “They are the good guys, we won’t prosecute them”, but I do not think that is good enough. I have great trouble with laws that hand over powers to the enforcers and say, “It is at our discretion whether we are going to prosecute you”.

I stand very strongly on that, having seen and heard of many incidents where people have been told that unless they comply with something else there is an obscure rule and they can throw the book at a company for something else. I know that there will be efforts made at the European level to reverse this provision if we pass it in this form. I was informed of that by some international companies.

I would prefer to see the amendment of the noble Earl, Lord Northesk, go through and remove the provision altogether. I do not think it will do any good. It is a waste of time. It will not allow you to do anything effective against enforcing what you want. However, I believe that the Minister will not allow that. Therefore, I would suggest that you should either say “more likely than not” if that is what you mean. I suggested last time using the word “primarily”; this time I suggest using “principally”. We are looking at the objective of the people supplying or trying to sell these tools. If it is principally to sell it to the hacker community, I do not have a problem. In which case say so in the Bill. We know these things are likely to be used. If the Government mean that it is more likely than not, then they should say more likely than not.

I would like to push this issue at some stage. I know that there is only one more stage of the Bill. It concerns me greatly that we should leave the matter in this form.
Therefore, I would like to hear what the Government have to say.