
B691 - Cybercrime Prevention Bill 2014

    • Wiki Support Team
    • Thread Starter
    B691 - Cybercrime Prevention Bill 2014, TSR Opposition


    Cybercrime Prevention Act 2014



    An Act to legislate measures that protect the nation from the trouble of Cybercrime, whilst recognising an individual's right to freedom of privacy.



    BE IT ENACTED by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

    1. Definitions

    —1. Cybercrime is hereby defined to be criminal activities carried out by means of computers or the Internet.
    —2. Hacking is hereby defined to be gaining unauthorised access to data in a system or computer.
    —3. Black Hat Hackers are hereby defined to be an individual or entity who violates computer security for malicious reasons or for personal gain.
    —4. White Hat Hackers are hereby defined to be an individual or entity who violates computer security for non-malicious reasons, with a known contractual agreement with the organisation or entity it is hacking.
    —5. Damage is hereby defined to be physical harm which reduces the usefulness or normal function of something, be it Economic, Environmental, Social or impairment of National security.
    —6. "Victim" is hereby defined for the purpose of this bill to be an individual or entity to whom damage is done, as a result of hacking.
    —7. Right to privacy is defined for the purpose of this bill to be the freedom given to an individual to expect their data not to be accessed, unless for the purpose of securing national security or preventing conflict in society.

    2. Offences

    —1. An individual or entity is found guilty of an offence if -
    ——a. Damage is done to a "Victim".
    ——b. Hacking occurs with no effort made to warn or inform the "Victim" that the act of Cybercrime was to occur.
    ——c. Hacking occurs which results in a breach of an individual or entity's right to freedom of privacy.
    ——d. Information sharing occurs between the hacker and another individual or entity anywhere in the world without the "victim"'s consent, whereby each party is either sending and/or receiving information that had been gained through Cybercrime.
    ——e. Control of another computer occurs without agreement from the computer's owner and is used for malicious purposes (e.g. DDoS attacks, Command and Control servers etc).
    ——f. Equipment is built specifically to hack, control and cause damage to a "victim" (this includes equipment used to hijack electronics such as drones).

    3. Exemptions

    —1. A hacker is exempted from Sub-section 2.1.b if the hacker was a professionally certified White Hat Hacker with an implicit contractual agreement with the "victim" which involved simulating a Cyberattack or testing the "victim"'s ability to defend against Cyberattacks. This exemption clause may be used in situations where hacking needed to be done without explicit prior notice as to when such attack would occur, or if the hacker was a member of a law enforcement agency with a mandate to shut down a "victim"'s Cybercrime operation.
    —2. A hacker is exempted from Sub-section 2.1.c if the hacker had been sanctioned by a court or the Parliamentary Intelligence and Security committee for reasons of protection of society or national security.
    —3. A hacker is exempted from Sub-section 2.1.d if the hacker receives a court order or an approval from the Parliamentary Intelligence and Security committee that specifically allows the data gained from hacking to be given to another intelligence agency for reasons of protection of society or national security.
    —4. A hacker is exempted from Sub-section 2.1.f if the hacker is using the equipment for the purpose of White Hat Hacking.

    4. Sanctions

    —1. Those found to be in contravention to Sub-section 2.1 -
    ——a. May be imprisoned for a maximum of 10 years (to be determined by the judge) where they are unable to provide compensation to repair the damage done or if they had previously been found guilty of being in contravention to any offence listed in Section 2, and where no exemption from Section 3 applies.
    ——b. May be fined so that they provide sufficient compensation (to be determined by an independent expert in all non governmental cases) to repair the damage done when they are financially capable of doing so, and where no exemption from Section 3 applies.
    ——c. Where there had been no prior history of being found guilty of being in contravention to any offence listed in Section 2, the hacker may be given a warning where any further offence will result in imprisonment as detailed in Sub-section 4.1.a.

    5. Commencement, Short Title and Extent

    —1. This Act may be referred to as the Cybercrime Prevention Act 2014.
    —2. This Act extends to the entire United Kingdom.
    —3. This Act will come into effect on the 1st of April 2015.




    Notes


    1. This act was designed to modernise legislation to respond effectively against new efforts by hackers to profit from Cybercrime through Ransomware, DDoS attacks, and information leaking (such as the attack and consequent data sharing by Hack in a box on The Student Room).

    2. This act continues to allow those attempting to strengthen the Cybersecurity of individuals and firms (known as White Hat Hacking or Ethical Hacking) to operate without acting in a manner that is illegal.

    3. Those in violation of any offence outlined in Section 2 without an exemption from Section 3 are deemed to be Black Hat Hacking, for which Section 4 applies.

    4. All national intelligence agencies (GCHQ, MI5, MI6) are legally obliged to comply with this act unless exempted under a condition outlined in Section 3.

    5. National intelligence agencies can continue to operate as per usual, but as detailed in Sub-section 2.1.c, may not gain intelligence in a manner which does not first ask for permission from an individual or entity, without first gaining authorisation from the Parliamentary Intelligence and Security committee or a joint direct authorisation by the Secretaries of State for Defence and Foreign Affairs, to extract data specifically from their "Victim". This was written in response to concerns regarding the recent hacking programme by the NSA and GCHQ.

    6. National intelligence agencies can continue to operate as per usual, but as detailed in Sub-section 2.1.d, may not share or gain intelligence obtained from hacking or spying with another intelligence agency without gaining authorisation from the Parliamentary Intelligence and Security committee or a joint direct authorisation by the Secretaries of State for Defence and Foreign Affairs, approving the specific data being shared. This was written in response to concerns regarding a possible legal loophole that allowed intelligence agencies to circumvent existing legislation.

    7. DDoS attacks refer to when a hacker controls a computer network for the purposes of overwhelming another network to render it inoperable.

    8. Command and Control servers refer to computers used by a hacker to distribute ransomware and proceeds gained from it.

    9. Ransomware refers to malware which restricts a computer's operation and demands a ransom of some kind to be paid in order to regain full operation.

    10. A maximum of ten years can be seen to be excessive, but this figure is set based on the existing maximum sentence of the Computer Misuse Act for impairing a computer, and the actual figure remains to be set at the discretion of the judge.

    11. Equipment used to hack other devices can include drone hacking drones, hacking adapted smartphones and tablets, laptops running custom software for the purpose of accessing files without authorisation etc.



    Section 3.2 needs modifying in my opinion to include non-sanctioned (not being sanctioned by PIS Committee) MI6 field agents gaining access to monitor movements of known criminals and look over their plans/activities.
    • TSR Support Team
    • Clearing and Applications Advisor
    (Original post by The Politisphere)
    Section 3.2 needs modifying in my opinion to include non-sanctioned (not being sanctioned by PIS Committee) MI6 field agents gaining access to monitor movements of known criminals and look over their plans/activities.
    MI6 is covered by the Parliamentary Intelligence and Security Committee, so were it deemed necessary for the field agent to operate in a manner that would trigger an offence, it could go through them. The alternative route for exemption as outlined in the notes section is joint authorisation by the Secretary of Defence as well as the Secretary of Foreign Affairs. This process is meant to improve accountability for our intelligence agencies (so that someone has to answer for anything which goes wrong) whilst minimising the level of bureaucracy necessary to operate effectively without violating an individual's rightful expectation of freedom of privacy where they pose no harm to society.
    (Original post by The Financier)
    That answers my worry, thank you. Although, is approval needed for each individual hack or is approval granted vaguely?

    For example, would an agent need permission each time he enters a target's computer or would permission be given to the operation as a whole for unlimited access? Would permission be extended to a one-off grant to the agency as a whole? When the number of hacks are taken into account from static monitoring or in the field monitoring and the number of intelligence officers there are monitoring thousands of known suspects the number will be in the hundreds of thousands, if not millions. It would be impossible to obtain permission for each individual hack so the only alternative is broad permission. How is this broad permission going to be any different from what is currently in place? How will broad permission be decided on?

    To add in some comparisons, over an 18-month period in a foiled bomb plot over 2 million man hours were spent using computers to monitor everything from emails to phone calls. Each requires a 'hack'. Imagine how many hacks were used and how much permission would be needed from any of the bodies you listed in the bill.
      I think it is important to recognise this as a new crime, the damage done often amounts to more than could be achieved physically. Aye
      • TSR Support Team
      • Clearing and Applications Advisor
      I just noticed...shouldn't this bill be B691?

      (Original post by The Politisphere)
      Permission is granted for the entity involved and is maintained so long as there is credible evidence of involvement in an activity that would harm society (for example, if the field agent has evidence that individual X is part of terrorist group Y, then he has permission to spy on X so long as he is actively partaking in Y's activities that pose a credible threat). Part of the aim of this bill is to prevent intelligence agencies from mass-gathering data not given to them with permission, which is often unnecessary (e.g. In the case of 9/11, the FBI knew about the suspects before the attack happened...and this at a time when government surveillance was not as high as it is now).
      I'd say 4.1.A needs amending - up to 10 years, including full payment to the "victim" for damages, with 10 years for extensive and multiple hackings.

      Either way, I'm voting: nay.
      (Original post by The Financier)
      the FBI knew about the suspects before the attack happened...and this at a time when government surveillance was not as high as it is now).
      Could this not be taken as a reason for the security services to store as much data, given to them by allies or collected by themselves, as possible so full profiles can be built up and potential attacks avoided?
      • TSR Support Team
      • Clearing and Applications Advisor
      (Original post by The Politisphere)
      Could this not be taken as a reason for the security services to store as much data, given to them by allies or collected by themselves, as possible so full profiles can be built up and potential attacks avoided?
      No, I don't see it that way. If they knew about the suspects, it means the capability of finding the initial evidence of terrorist intentions was there. If they found said evidence, much of the profile would be complete, with this bill giving them the ability to fill the last gaps.

      HUMINT should not be completely usurped by SIGINT as a means of identifying terrorists when there are many flaws which can backfire on the government. Holding so much data on a single database can for example make the government an attractive target for the most talented cyber-criminals or nation-states with hostile intentions, yet most of what is held is useless for terrorist identification (the equivalent of putting all of your Fabergé eggs in one basket despite only needing one, and then leaving it showing in the window). This bill does not prevent the use of SIGINT, but mediates its use as a means of further identifying and verifying the profiles and intentions of the individuals involved so long as there was evidence of ill-intent to start with. This isn't unreasonable to me.

      I would also like to add that this is drifting into a debate which ignores the many other aspects of this bill. For example, it gives ethical hackers more freedom to help companies strengthen their security to prevent criminals from getting through. It provides legislation against likely future threats of hacking (e.g. Drones) as a means of discouraging any further proliferation in these types of hacks. Recognising one individual can potentially do more damage with their keyboard than an armed gang, and legislating to reduce this threat, is vastly important in this highly networked day and age.
      (Original post by The Financier)
      SIGINT can't be ignored as you correctly pointed out but SIGINT alone was responsible for identifying the liquid bomb plot. Without the ability to snoop on random people connected to known targets, the bomb plot would have gone ahead. The bill still seems vague in this section. If you were a terrorist and had a motive, would this bill allow security services to snoop on me? Ideally it should as they don't know what I may go and pass on to future people. If this bill was passed the potential for lawsuits against unlawful snooping would be massive.

      The rest of it in regards to WHH's I agree with so shall not comment past commending you for the good job in that section.

      An amendment should allow British security services to spy on any foreign national/foreign government without any permission, to cover all bases. Most intelligence from abroad comes from SIGINT via 'Five Eyes'. Having MI6 request permission to spy on the whole of Europe and European Russia - as they are currently tasked to do - would see such a request refused under this bill due to the vague nature of essentially asking to spy on whatever they like outside of British borders in that region.
      Nay. I don't buy this ' if you won't give us your data you've something to hide' nonsense: why should the state be able to blanket hack our data for selling off 24/7?

      Additionally, this would criminalise further hacktivism and operations such as Wikileaks which are important in a free and fair society.
      Excellent Bill, excellently written.

      PhysicsKid, please read all the Bill.
      (Original post by PhysicsKid)
      QFA
      (Original post by Cryptographic)
      Excellent Bill, excellently written.

      PhysicsKid, please read all the Bill.
      I have. Using 'white hat hackers' and 'black hat hackers' is ridiculous. One set are permitted to hack by the Government under the guise of national security while others, who may be socially beneficial by exposing key digital evidence and data, are automatically 'malicious'.
      Aye!
      • Wiki Support Team
      Erring towards the aye but will probably abstain.
      • TSR Support Team
      • Clearing and Applications Advisor
      (Original post by PhysicsKid)
      I have.
      Debatable.

      Using 'white hat hackers' and 'black hat hackers' is ridiculous. One set are permitted to hack by the Government under the guise of national security while others, who may be socially beneficial by exposing key digital evidence and data, are automatically 'malicious'.
      Using this terminology is conforming to the exacting standards that the cyber-security sector does. The bill does not determine all intelligence and law enforcement agencies as white hat hackers (which if you read the definitions of the bill, are hackers with an agreement with the "victim" to be hacked) as you seem to have interpreted the wording, and contrary to your belief does not give free rein for the government to hack your data. If anything, it is making it far more difficult to do so without a valid reason that would affect society. It also closes off known legal loopholes that GCHQ and the NSA have used, and introduces accountability.
      (Original post by The Financier)
      I've just found a massive flaw in this. 2.d. reads...

      "Information sharing occurs between the hacker and another individual or entity anywhere in the world without the "victim"'s consent, whereby each party is either sending and/or receiving information that had been gained through Cybercrime."

      If the CIA decided to classify its hackers as security officials, they would be exempt from this bill. The bill only affects British based hackers (obviously as the bill has no international reach) so MI6 could lawfully receive data from the CIA. The CIA wouldn't be gaining its data through Cybercrime so 2.d. doesn't apply.
      • TSR Support Team
      • Clearing and Applications Advisor
      (Original post by The Politisphere)
      Edit: I'm not sure what you mean now. Whilst it does not allow prosecution of the CIA, it would allow prosecution of the intelligence agencies here for partaking in a step (e.g. sending or receiving). This alone would allow 2.d to stand since one side being prosecutable closes the legal loophole.
      (Original post by The Financier)
      Prosecution would close the legal loophole but 2.d specifically states "sending and/or receiving information that had been gained through Cybercrime" - The information the CIA sends MI6 would not be gained through cybercrime. As in line with 2.d, prosecution could only take place if the information handed to MI6 was gained through cybercrime. As such information isn't gained through cybercrime, MI6 can't be prosecuted for receiving or storing the information, and the loophole isn't closed.

      Similarly, the USA has a similar law written into their Constitution forbidding the CIA to spy on Americans and store illegally gained material. To bypass this MI6 spies on Americans and passes the information on to the CIA. It's legal that way. As the Constitution only covers the USA and US security agencies, data from Americans collected by MI6 is completely legal. The proposed bill will allow this situation to continue, but in reverse.
      Aye
     
     
     
    Updated: July 21, 2014