Proposed new law to ban (some?) computer code in UK company names

A new bill, the Economic Crime and Corporate Transparency Bill, proposes to prohibit the inclusion of "computer code" in UK company names.

It's only a bill - it is not yet law - but it amused me, so here we are.

What the bill says

Clause 11 of the bill says:

A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.

But aren't there already rules on company names?

Yes!

There are already rules about what can be used as, and in, company names.

These include:

  • detailed rules about which symbols can be used in a name, and (in some cases) where in the name they can appear
  • rules on words which you cannot use in your company's name, or can only use in certain parts of the name.

But, to date, you could still name a company in such a way that the name could be problematic for badly developed systems which receive or scrape names from Companies House.

People have put "computer code" into company names?!

Also yes!

Readers of web comic xkcd will no doubt be familiar with xkcd 327:

XKCD 327

A software developer, Sam Pizzey, registered "; DROP TABLE "COMPANIES";-- LTD".

Screenshot of Companies House entry for "; DROP TABLE "COMPANIES";-- LTD"

In 2020, another computer programmer (spotting a theme?!), Dr Michael Tandy, registered a company name containing HTML which could exploit an XSS (cross-site scripting) vulnerability in shonky code processing information from Companies House.

As far as I know, there was no concern that Companies House itself would find this kind of company name problematic. The concern, as I understand it, is about downstream, third party, systems. But seemingly Companies House was so worried about these third parties that it even modified the company's certificate of incorporation:

Screenshot of a company certificate, saying "Name available on request from Companies House"

For those intrigued, the name in question was:

">< SCRIPT SRC=HTTPS://MJT[.]XSS[.]HT> LTD

(I have added some square brackets, just in case.)

Legislation, or input sanitisation?

I suspect that this legislation is in response to these japes.

Paragraph 150 of the Explanatory Notes says:

Computer code embedded in an IT database can maliciously infect the systems of those who access or download data to their own systems.

Honestly, I'm gobsmacked that someone thought that legislating to prohibit computer code in company names was better than reminding people who build systems which obtain data from Companies House to sanitise their inputs, but there we go.

As The Register noted in 2020:

As for lessons to be drawn from this, Brown wondered if simply advising people to sanitise inputs from official systems was "too dull" for El Reg. We happen to agree but it's also the sort of common-sense advice someone, somewhere, might actually benefit from.
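To illustrate the "sanitise your inputs" point above, here is an added Python example (not code from the original post, Companies House or any system mentioned). It takes the two names quoted on this page, stores them in a constructed SQLite table and renders one into a table cell, first by pasting the string in and then with a bound parameter and html.escape. The table layout and function names are assumptions.

```python
import html
import sqlite3

# Company names exactly as quoted on this page; the second keeps the
# author's defanging square brackets.
SQL_NAME = '; DROP TABLE "COMPANIES";-- LTD'
XSS_NAME = '">< SCRIPT SRC=HTTPS://MJT[.]XSS[.]HT> LTD'


def new_db():
    """Constructed stand-in for a downstream system's own table."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "COMPANIES" (name TEXT)')
    return db


def store_spliced(db, name):
    """Before: the name is pasted into the SQL text, so its quotes become syntax."""
    try:
        db.execute(f'INSERT INTO "COMPANIES" (name) VALUES ("{name}")')
        return True
    except sqlite3.Error:
        return False  # the statement no longer parses as the developer intended


def store_bound(db, name):
    """After: the name travels as a bound parameter and is only ever data."""
    db.execute('INSERT INTO "COMPANIES" (name) VALUES (?)', (name,))


def stored_names(db):
    return [r[0] for r in db.execute('SELECT name FROM "COMPANIES" ORDER BY rowid')]


def cell_spliced(name):
    """Before: the name is pasted into markup, so its tags become markup."""
    return f"<td>{name}</td>"


def cell_escaped(name):
    """After: encode for the HTML context at output time, not at storage time."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    db = new_db()
    for n in (SQL_NAME, XSS_NAME):
        print("spliced insert ok:", store_spliced(db, n))
        store_bound(db, n)
    print(stored_names(db))
    print(cell_escaped(XSS_NAME))
```

The bound insert keeps both names byte for byte, so nothing has to be stripped or banned at ingestion; the encoding happens only where the name meets an interpreter (the SQL engine or the browser).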

I am even more gobsmacked that it is being done so badly.

So what would be prohibited?

The current text would prohibit registration under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.

The bill does not define "computer code".

But this doesn't really matter, because the test being proposed is not what is computer code, but what in the opinion of the Secretary of State is computer code.

This is, in my humble opinion, a dreadful way to draft legislation. It lacks certainty, and gives the Secretary of State far too much discretion.

What might the Secretary of State consider to be "computer code"?

Honestly, who knows?

But, if the goal of the measure is to prevent the re-occurrence of the kind of names above, it seems likely that the Secretary of State will take a very broad interpretation of "computer code".

I don't want to go too far down the "is it code?" rabbit hole, as I'm not the Secretary of State, but is SQL or HTML "computer code"?

If they are, would the Secretary of State also consider that a terminal command (the path to a program, and perhaps some switches / parameters) is "computer code"?

If so, would "sudo rm -rf / --no-preserve-root && Limited" - a name which complies with the current naming requirements - be prohibited? Even though the likelihood of someone managing to accidentally run this by virtue of ingesting a list of names from Companies House seems close to zero and, anyway, Companies House displays names in uppercase.

You can even set up a company so that you don't need to use the word "Limited", to help with your code.

How about "echo Limited" (a current company name), since this is a complete command in itself (or would be if it were in lowercase)? But would the Secretary of State consider it "computer code"?

The now-dissolved "sudo grep bash Ltd"?

But don't worry - shell scripts are already prohibited.[1]

GOTO 10 LTD?

If "computer code" is simply an instruction to a computer, what about "plain language" instructions, such as "{Alexa, Siri} what is the time"? (Even though the impact on a database engine ingesting this should be zero.)

What if a new vulnerability is discovered, and it turns out that some company names trigger it? Will we see the Secretary of State issuing edicts that currently-permitted company names must be changed?

Presumably, none of these are the kind of "computer code" which the legislation would, if passed, seek to prohibit. But the proposal as drafted affords the Secretary of State complete discretion.

Fun and games ahead, if it becomes law.


  1. Company names beginning #! are already prohibited, as # is contained in Table 3 of Schedule 1 to The Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015 and, as any fool knows, the signs and symbols set out in table 3 in Schedule 1 may not be used as one of the first three permitted characters of a company's name.