by heyyyouu 2394 days ago
This was my thought as well. It has to be some sort of UK law? But I can't find it. The laws apply to surreptitiously installing the software on someone else's phone or computer. But then owning (and/or buying) the software shouldn't be illegal and the site shouldn't have been able to come down.

Hacking tools aren't illegal by default, that I know of anyway.

I imagine it's dependent on how the software is marketed. If you advertise it as a way to spy on others and steal passwords and banking logins, then it's pretty obvious it was built and sold with that intent. I imagine it becomes more grey if there are people who use it nefariously but you market it as a security analyst's tool.

Also it seems like taking down the website stopped the software working. If it was centralised then there is a link between the theft of bank logins and the associated fraud directly to the website. Of course it might just be dialing in and checking the license as opposed to the website facilitating functionality.

Edit. Just seen an archived page for the tool, looks like a legitimate network access and monitoring tool. If that's the case then arresting the dev seems excessive. I did note that the page provided support, so I wonder if there was some entrapment along the lines of "how do I monitor for bank logins?" Perhaps with enough info to make it clear the tool was being used to perform illegal activity, and that support is what fucked the dev?

This.

A large portion of common law revolves around intent - I think the technical term is "mens rea" (mentioned by another poster).

If a site sold knives as "neighbor killers", with the comment "use this and you can definitely kill your neighbor, $19.95", then all the same considerations would come into play. And knives aren't illegal, at least to cook with.

This is covered by the Computer Misuse Act 1990 — specifically Section 3A which covers obtaining articles for use with related offences covered in Sections 1, 3, and 3ZA of the Act.

It's a crime to own the software intending to use it even if you don't actually use it. Arguably, the purchaser intended to use it at the point they made the purchase; people don't typically purchase software like this accidentally (of course there are obvious exceptions like perhaps security researchers wanting to decompile it to understand how to block it in the future, etc.)

I think it's 3ZA(1)(c) that's changed - by the Serious Crimes Act 2015 - in that this allows that an action can simply "create a serious risk of, damage of a material kind".

AFAIR that's different to how the act was prior to SCA2015. Indeed this section including "material kind" strongly suggests that the original intent was that the Act would punish material damage, rather than a trumped-up suggestion by the CPS (on whomever's behalf) that an act might be reckless as to whether it creates an increased risk of serious damage.

This legislation seems to work like "well you went on a road near some property, which is exactly what a criminal who was going to destroy that property would do, so you're clearly guilty". It seems somewhat over-reaching to me.

The whole of 3ZA is new — that didn't exist before the Serious Crimes Act 2015.

However, they do have to actually take action and material damage is defined by s3ZA(2) with "damage to human welfare" (s3ZA(2)(a)) constrained by s3ZA(3).

It is unlikely that the threshold for a charge under S3ZA would be met. The more likely charge is S1 (unauthorised access) or S3A(3) which makes it an offence to obtain any article intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA — you don't even have to actually use the software to be criminalised, merely possessing it is enough provided the prosecution can prove your intent beyond reasonable doubt.

You can read the Explanatory Notes for the SCA 2015 amendments that altered the CMA 1990 at http://www.legislation.gov.uk/ukpga/2015/9/notes/division/3/... for background on why these changes were made.

Thank you! This is extremely informative.
Thanks for your input MatthewHeath.
Thank you for this! Very much appreciated.
You're welcome.
The Europol press release says the arrested developer and employee were in Australia and Belgium, so it's probably law of those countries that's most relevant. The website had Australian phone numbers.

https://www.europol.europa.eu/newsroom/news/international-cr...

> The NCA said properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey were among those searched.

Presumably there would have to be some allegation of UK law-breaking in order to get a search warrant for properties in the UK.

No, just a mutual aid request from an agency recognized under law enforcement treaty. There are many agreements for mutual recognition and execution of legal process across national boundaries (normally added as part of trade treaty negotiations but sometimes in things like extradition treaties). Lots of FBI raids outside the US are conducted this way - local police do the raid and have FBI 'observe' them in action. In this case, an EU police force and a 5-Eyes nation like Australia will be zero-friction recipients of assistance.