Proposed Penalty For UK Hackers Who "Damage National Security": Life

An anonymous reader writes with this excerpt from The Guardian: Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts who warn that the new law could be used to target legitimate whistleblowers. The proposed legislation would mean that any British person deemed to have carried out an unauthorised act on a computer that resulted in damage to human welfare, the environment, the economy or national security in any country would face a possible life sentence. Last week the Joint Committee on Human Rights raised concerns about the proposals and the scope of such legislation.

could be?

[Trailer+Trash]

Government plans that mean computer users deemed to have damaged national security, the economy or the environment will face a life sentence have been criticised by experts who warn that the new law could be used to target legitimate whistleblowers.

Could be? Come on - targeting whistleblowers is the point. It's not about damaging national security, the economy or the environment - it's about damaging somebody's political career.

Re:could be?

[ub3r+n3u7r4l1st]

"it's about damaging somebody's political career."

Which in many countries this activity carries a death sentence, the UK is trying to conform to global standards.

Re:could be?

[Vitriol+Angst]

What I learned today;
So instead of embarrassing abusive power hungry security morons, it's better to just "stand your ground" -- in a Florida kind of way?

Re:could be?

[Vitriol+Angst]

Just like copyright. When a few Disney characters come near being free to market, they'll extend copyright beyond Walt Disney's "sell by date" for his frozen head.

Re:could be?

[TheRaven64]

In case you were wondering, no that whooshing noise above your head wasn't someone trying to stone you to death.

Re:could be?

[Opportunist]

Instead of ending a politician's career, end his life. The penalty is the same, so why bother with the lesser crime?

Don't do the crime

[smooth+wombat]

deemed to have carried out an unauthorised act on a computer

I know this is a radical idea, and I'm just spitballing here, but maybe the part about unauthorized act being done a computer should be a hint. If it's not your computer or your system, don't try to get into it.

Or are we going to use excuses as to why it's acceptable to try and get into someone else's equipment when you're not supposed to then whine about the penalty when you're found out?

Re:Don't do the crime

[Lunix+Nutcase]

Why would that act in and off itself even remotely warrant life in prison?

Re:Don't do the crime

[Grantbridge]

What counts as "unauthorised" though? What if it's your job, but your boss gets you to do something which his boss didn't authorise. Was that authorised use of a computer system?

What if you use a false name on facebook and so breach the T+Cs, is that unauthorised use?

Re:Don't do the crime

[DarkOx]

The problems are its not always getting a shell. What if you violate a websites TOS, is that an unauthorized act?

What does damage national security mean, If I post about how Minister X lied about Y 10 years ago does that erode society's faith in its officials and by extension "threaten national security"?

There are bright lines such as bypassing an authentication mechanism; deliberate insertion of abnormally structured data designed to alter application behavior (injection attacks); that could be defined in laws like this. Its very possible to write laws governing computer access that are both inclusive to allow interpretations to cover changing and new technology and still be specific enough a reasonable people can agree on if a specific act meets the criteria.

Groups like OWASP have done the work; we now have good working definitions and generic criteria for describing attacks and abuse. Its not '92 anymore where public network access was a new thing.

There are two reasons overly broad laws like this are being written both equally scary. 1) The people writing and enacting them remain profoundly ignorant of topics that pretty much effect every aspect of the economy today. 2) They want them overly broad because it makes for a nice blunt instrument to shutdown anything that threatens the status quo.

Re:Don't do the crime

[Lunix+Nutcase]

So you're saying the UK doesn't already have laws against murder or manslaughter?

But let the bankers off.

[John+Jamieson]

So Bankers that damage the world economy face no time in jail and no fines, but the whistle blower can get life?

Sounds about right for this messed up world.

Re:But let the bankers off.

[Vitriol+Angst]

So instead of showing the security flaws, they need to abscond with enough money to pay for a few candidates.

Hackers; share the wealth!

Put me down for a trillion-ish, and I won't see anything wrong.

Re:Not inherently unreasonable

[taikedz]

Except that this has nothing to do with "attacks". The word "damage" is also applied to the "trust" and "credibility" of governmental institutions.

This kind of legislation would apply even if nobody died in the carrying out of the activity.

Here we go again

[kronix2]

The problem with this law is that it will later be abused by whatever party or coalition is in power at the next election. Nobody has an issue with jailing people for life if they've intruded upon a secure network with the intent to cause damage or inconvenience, but the scope of the law's potential application is so broad it will ensare mostly innocuous behaviour if the government of the day decides it wants to be seen as tough on crime.

Terrorists? Jail them for life. Whistleblowers? All major parties publicly encourage whistleblowers in the NHS and so on, so why should the Tory/Lib-Dem coalition get away with passing a law which criminalises their whistleblowing?

Re:Here we go again

[Anonymous+Brave+Guy]

Nobody has an issue with jailing people for life if they've intruded upon a secure network with the intent to cause damage or inconvenience

Um... Sorry, but I for one have a big problem with that.

Leaving aside legitimate questions about the role of incarceration and its effectiveness as a deterrent and/or for rehabilitation of offenders, a life sentence is the kind of thing you hand down for premeditated murder, deliberately taking the life of another human being.

It is absurd to suggest that the same sanction should apply to someone who merely hacks some corporation's network and messes with the office printer in an irritating but otherwise harmless protest against some corporate policy. Such a law would imply that physically harmless hacking of some corporate or government entity is many times worse than rape, killing someone accidentally through dangerous driving, defrauding an individual of their life savings, and numerous other very personal and very damaging crimes.

Just on a computer? But, but, but...

[fahrbot-bot]

...any British person deemed to have carried out an unauthorised act on a computer that resulted in damage to human welfare, the environment, the economy or national security in any country would face a possible life sentence.

What about politicians that do the same thing? Oh, I guess that would an "authorized" act. Never mind.

[ Man, oh man, if we could jail politicians for damaging the economy, environment or human welfare here in the U.S. ...]

Re:Not inherently unreasonable

[T.E.D.]

If you attack an industrial system at a utility and make a bunch of people sick or die, even if it was "unintentional" you should get life

...and you almost certainly would, with no changes required to current law. Well...I don't know about the UK, but in the USA if you cause the death of another human being, that's homicide. There's a spectrum from Involuntary Manslaughter up to Premeditated Murder. Using a poison or a machine to do it doesn't change anything.

So you can get rid of the "injuring people" argument. This law would only change what happens when nobody is physically harmed.

Seriously

[doug141]

Eric Holder gave a televised interview in which he credited a whistle blower at a bank for allowing the bank executives to be held to account for their part in making money off liar's loans. The reporter missed the obvious follow-up question to Holder, "So whistleblowers are good?"

Re:Seriously

[DarkOx]

Not really the reporter knows everyone who cares enough to listen to anything holder says already is perfectly aware of the true answer to that question at least in Eric's opinion.

Whistle-blowers are great as long as they are embarrassing my political enemies, in which case I am thrilled to stand up for strong protections and will gladly come up with some elaborate construct to make it morally equivalent something people get whipped up about like civil rights or something. In all other cases I perceive them as threat as a threat to the status quo and my crony buddies; I'am prepared to invent some wild construct to tie it to "national security" because that way everything is "on the table", I don't mind sounding "insane" to anyone actually listening because my buddies will brand anyone listening as "insane".

Re:Not inherently unreasonable

[Anonymous+Brave+Guy]

If you attack an industrial system at a utility and make a bunch of people sick or die, even if it was "unintentional" you should get life.

If you attack an industrial system and people get sick or die as a result then there are already plenty of laws to punish you, up to and including the likes of manslaughter and murder. There is nothing special about doing so via computer and no additional laws are required, nor is any "zero tolerance" style life sentence just because computers were involved a useful addition to the statute books.

Even if you're an aspie with boundless curiosity, there has to be a consequence for breaking into sensitive systems and inflicting real, measurable harm to the public.

And there would be -- if, in the judgement of a competent court, there was in fact real, measurable harm caused to the public. But this proposal as reported seems to be full of words like "deemed to cause" (by whom?) or "significant risk of" (measured how?).

Wow, just wow.

[gurps_npc]

That law is so vague it applies to ANYTHING.

"damage to human welfare, the environment, the economy or national security in any country"

First note that it allows for damaging the national security in any country. So the UK is now the world police? Hey, I thought that was the USA's job! Also, does that mean they will protect ISIL? Or North Korea? Does that mean when the government of South Korea attempts to defend itself from a cyberattack from North Korea, they are violating the UK's law? It's damaging the National Security of North Korea by preventing them from undermining South Korea!

Human welfare, the environment, the economy or National security pretty much covers ANYTHING. And the word damage is similarly vague.

When I use Hack BP's computer and find out they are illegally dumping oil in Scotland, isn't that damaging the economy by revealing BP's crime?

When the FBI pretends to be a criminal on Facebook, isn't that damaging the 'welfare" of the human criminal?

This is a law designed to let the UK selectively arrest anyone who does anything on a computer that is 'unauthorised'.

Worst law ever

Murder is the preferred option apparently

[butchersong]

So if your boss and your bosses bosses are acting in ways that you deem inapropriate and in violation of their duties to the citizens of the UK you're better off killling them now than exposing them. You might get off in just a few years.

Re:Not inherently unreasonable

[91degrees]

The attacker is already established by precedent. Most crimes have a "Mens rea" requirement - an intent to commit the crime. Aunt Tilly didn't have any intent so she's not guilty. The person who created the emoticon hack was intending to do commit a crime.

The victim is anyone who suffered loss. The company and anyone whose password was stolen in this case.

This really is a solved problem in law.

Re:Not inherently unreasonable

[DarkOx]

Most crimes have a "Mens rea"

Yes that is why I asked if the requirement was more than negligent. Negligent basically means you formed no intent; specifically you did not for see the particular consequences of your actions or possibly inaction.

Consider this, suppose I buy some candy out of the back of some guys white van in parking lot. I bring it into the kids preschool for snack. All the kids die. I would totally be up for manslaughter. The mens rea would be negligent. I was just being a cheap bastard, did not mean anyone any harm but should have known better.

We might argue similarly about Tilly or Bobby. They should have known better than to be pasting crap from some untrusted website, but... the kitten looked like it had a smile.. yea well.

What about known unsecure software OS releases?

[Stan92057]

Who will they send to jail for life when a corporations like Microsoft, Apple, Adobe, Oracle, Google, Mozilla release known buggy and insecure software to get it out the door and patch later? That sure in hell is national security issue.

why not Transportation?

[goombah99]

IN old england, the prisons became so over crowded they started using the rotting hulks of navy ships as prisons and as that became full they resorted to "transportation" which basically meant you get a one way ticket to help settle australia. (see book "the Fatal Shore"). Now that mars transport is about to approach feasibility ans Elon Musk says we need vast numbers of people for sustainable living I'm shocked the UK govt isn't sentencing these hackers to Transportation.

They already have laws for this

[rsilvergun]

it's called Treason. It's also very, very hard to prove. This is just an attempt to get around those laws so they can punish people without all the red tape of due process.