COMPUTER MISUSE THE COMPUTER MISUSE BILL 1990 If enacted the Bill would create three new criminal offences dealing with "ordinary" hacking, hacking with intent to commit a serious crime and unauthorised modification of computer material. The Bill follows the recommendations of the Law Commission very closely but, nonetheless, may be subject to amendment during its process through Parliament. Certain important amendments have already been introduced to it during the three Committee sittings which followed the Bill's second reading. The text of Clauses in the Bill set out in this paper incorporates the changes made in Committee in italic.
A Computer Misuse Bill has just completed its Committee stage in the House of Commons having had an unopposed second reading. This article briefly reviews the background to the introduction of the new Bill, examines the thinking of the Law Commission in its Working Paper and subsequent Report on Computer Misuse (which has greatly influenced the drafting of the Bill), and, finally, considers in detail the three new offences relating to computer misuse created by the Bill as well as certain ancillary provisions.
CONSIDERATIONS OF THE LAW COMMISSION
On the Second Reading of his Bill, Michael Colvin MP told Parliament that computer "crime" is estimated by the CBI to cost £400 million every year while some large computer companies say the figure could be as much as £2 billion. He said that of 270 cases of computer misuse identified by the Department of Trade and Industry over the past five years only six had been brought to Court and only three had resulted in successful prosecutions. An opinion poll was recently reported in the press as showing that 17% of firms have been victims of computer hackers and another 11% have had their computer operations invaded by viruses, while 58% admit that their computer systems are not protected from hacking. Against this background, the Law Commission, in its Working Paper and final Report, identified and analysed a number of different types of computer misuse and went on to make recommendations as to which of these required immediate legislative action. The principal types of computer misuse identified by the Law Commission in its Working Paper are:
• hacking
• unauthorised alteration or destruction of information stored on a computer
• computer fraud
• eavesdropping
This paper will focus on the first two of these forms of computer misuse since they are the only ones covered by the proposed new legislation, although fraud and eavesdropping are considered in outline.
BACKGROUND In 1984 the Law Society of Scotland asked the Scottish Law Commission to consider "the applicability and effectiveness of the criminal law of Scotland in relation to the use and abuse of computers, computer systems and other data storing, data processing and telecommunications systems". The Scottish Law Commission produced a consultative memorandum on the subject in 1986 [1] followed by a full report in 1987 [2]. The work of the Scottish Law Commission, combined with the publication by the English Law Commission in 1987 of a consultation paper [3] on conspiracy to defraud, which raised a number of issues of computer misuse, provided the background for the English Law Commission's detailed enquiry into computer misuse and its publication, in September 1988, of a working paper [4] on the subject. The Law Commission's provisional conclusions [5] were that existing English criminal law was apt to cover most forms of computer misuse but that two particular kinds might require fresh legislation. The first comprised cases covering the "deception" of a computer as opposed to a human being. The second was "hacking", which it described as "the obtaining of unauthorised access to a computer". It accepted that hacking is hardly covered at all by the existing criminal law but came to no conclusion as to whether there should be wider coverage. Consultation with interested sectors of commerce and industry then ensued. In April 1989, Emma Nicholson MP introduced an "anti-hacking Bill" into Parliament as a Private Members' Bill. This was doomed to failure under our parliamentary system and she eventually withdrew it in the Summer of 1989 having been reassured by statements of government ministers that the government was likely to introduce legislation of its own initiative. In October 1989, the Law Commission produced its full Report on Computer Misuse [6] recommending new anti-hacking legislation. However there was no proposed Bill with the Report as would have been normal.
It was widely assumed that the government would then introduce its own Bill along the lines recommended by the Law Commission but, following the Queen's speech in November 1989, it became clear that pressure on the government's legislative timetable would prevent this. Instead, Nicholas Ridley MP indicated that the government would support a Private Members' Bill if one were introduced. Following this lead, Michael Colvin MP introduced his Computer Misuse Bill as a Private Members' Bill on 20th December 1989. The Bill had an unopposed second reading in the House of Commons on 9th February and has recently completed its Committee stage. Unlike Miss Nicholson's earlier Bill, this one is likely to become law under our system because it came within the top six of the November ballot.
HACKING
In its Working Paper, the Law Commission considered the extent to which existing criminal law covers the activity of hacking and concluded that it does not, save to a very limited extent, although a number of disparate pieces of legislation touch on the problem. Amongst such legislation considered by the Law Commission were the following:

• The Forgery and Counterfeiting Act 1981
The prosecution brought against the notorious Prestel hackers, Gold and Schifreen, under section 1 of the Forgery and Counterfeiting Act 1981 had failed in the House of Lords in 1988 [7]. The prosecution had been unable to show that Gold and Schifreen had created a "false instrument" because that would have involved their "recording" or "storing" information on a disc, tape, soundtrack or other device. Although Gold and Schifreen had entered other people's customer identification numbers and a password into the user segment of the Prestel computer this was a momentary process and the data was then expunged. Accordingly "recording" or "storing" could not be established and the prosecution failed.

• Theft Act 1968
While section 13 of the Theft Act 1968 makes it an offence dishonestly to abstract electricity, the amount of electricity used by a hacker is likely to be both minimal and impossible to quantify. The Law Commission thought it highly artificial, in any event, to seek to prosecute hacking by means of this offence.

• Criminal Damage Act 1971
Criminal damage, within the meaning of section 1(1) of the Criminal Damage Act 1971, will not be caused by a hacker if he does not alter or destroy data in the computer to which he has gained entry but merely "takes a look". Even where data is altered or destroyed, it is far from clear that this falls within the scope of the Criminal Damage Act since the Act provides that damage must be caused to tangible rather than intangible property. This is considered further below.

• Interception of Communications Act 1985
The Interception of Communications Act 1985 makes it an offence intentionally to intercept a communication in the course of its transmission by means of a public telecommunication system [8]. Hacking however will not usually involve any such interception.

• Telecommunications Act 1984
The Telecommunications Act 1984 makes it an offence to use a public telecommunications system for certain improper purposes [9]. Again hacking need not be carried out over such a system.

• Data Protection Act 1984
In certain limited situations it may be possible to bring a prosecution against a hacker under the Data Protection Act 1984.

• Common law obligations of confidence
Under the civil law, following the case of ITC Film Distributors v Video Exchange Ltd. [10] it may be possible to argue that information which is reprehensibly obtained can become subject to a duty of confidence.

OPTIONS FOR HACKING OFFENCES
Against this background the Law Commission set out four possible options for a new anti-hacking law. Options A and B would prevent the hacker seeking to inspect, respectively, certain defined information or information of any kind. Option C would create an offence where the hacker caused damage, whether deliberately or not, to data or software. Option D, the widest, would prohibit the intentional obtaining of unauthorised access to a computer regardless of any ulterior purpose and of whether damage was caused. The Working Paper set out arguments for and against each option but reached no conclusion, pending further consultation as to whether it was necessary to introduce any new offence into the criminal law. The Law Commission's main concern relating to the introduction of a new hacking offence was that there was only scanty evidence - principally that of the Audit Commission for Local Authorities in England and Wales, as to the extent of the hacking problem. But following further consultation, the Law Commission became satisfied that the problem was in fact so serious that not only was anti-hacking legislation necessary but its final report should be concluded as a matter of urgency, one result of which being that there was no time to prepare a draft bill. It decided that the main concern was not so much the protection of information but the need to protect the integrity of computer systems, the compelling arguments being (para 2.14): "first, the actual losses and costs incurred by the computer system owners whose security systems are (or might have been) breached, secondly, that unauthorised entry may be the preliminary to general criminal offences, and thirdly, that general willingness to invest in computer systems may be reduced, and effective use of such systems substantially impeded, by repeated attacks and the resulting feeling of insecurity on the part of computer operators".

UNAUTHORISED ALTERATION OR ERASURE OF DATA
Where the hacker does not merely "have a look" but actually alters or erases data on a computer, the Law Commission felt at the Working Paper stage that the Criminal Damage Act 1971 provided a remedy. In Cox v. Riley [13] the defendant was convicted, under s1(1) of that Act, of causing damage to a plastic circuit card used in a computer-operated saw owned by his employers. The defendant erased the programs from the card and thus rendered the card useless. The Court of Appeal held that this constituted damage because, without reprogramming the card, which would require more than minimal time and effort, the card was useless. This analysis was necessary for there to be a conviction because, for the purposes of the Act, the damaged property must be "tangible" so that it was not sufficient to show that the program itself had been destroyed. The fact that the damage could be undone by reprogramming and need not therefore be permanent, was held by the Court not to matter. Accordingly, the Law Commission concluded in its Working Paper [14] that the existing criminal law covers the situation where a hacker erases or alters data. However it changed its mind in the ensuing consultation process and concluded in its subsequent final Report that fresh legislation was required. Its main reasons for this were, first, that there may be cases where there is no convenient tangible property like a plastic circuit card on which to hang the offence; secondly, it had second thoughts as to whether mere reduction in value rather than an absence of physical impairment was enough to constitute damage; thirdly it thought that it might be hard to quantify the damage caused by a hacker, a necessary procedure under the Criminal Damage Act for determining mode of trial.

[1] Computer Crime (1986), Consultative Memorandum No. 68
[2] Report on Computer Crime (1987), Scot. Law Com. No. 106
[3] Conspiracy to Defraud (1987), Working Paper No. 104
[4] Working Paper No. 110 on Computer Misuse
[5] Ibid, Part VIII
[6] Report on Computer Misuse, Law Commission No. 186
[7] R. v Gold and Schifreen (1988) 2 WLR 984
COMPUTER FRAUD
There is no shortage of anecdotes of computer fraud, mostly involving theft-related offences or blackmail. The Law Commission concluded that existing provisions of our criminal law, in particular those under the Theft Act 1968 relating to theft (s1), obtaining property by deception (s15) and false accounting (s17) and the common law offence of conspiracy to defraud generally provided adequate protection in respect of computer fraud. The only problem identified by the Law Commission as requiring attention was one connected with the law of deception. Under present criminal law it seems that a machine as opposed to a human being cannot be deceived (although alternative charges of theft may be brought where property is actually appropriated or of conspiracy to defraud if more than one person is involved). The Law Commission, in its final Report, took matters no further, recommending that the subject of deception of computers be left over for consideration in the context of its separate examination of conspiracy. However, it recommended that the suggestions it had made with regard to jurisdiction in its report on "Jurisdiction over offences of fraud and dishonesty with a foreign element" [15] should be implemented as a matter of urgency. Whilst certain jurisdictional nettles have been grasped in the new Computer Misuse Bill, computer fraud as a whole has not been tackled.

EAVESDROPPING
Although the Interception of Communications Act 1985 covers some kind of computer eavesdropping, there remain loopholes: for example, monitoring the radiation field surrounding a VDU. The Law Commission regarded this activity as merely an example of unauthorised surveillance which should not be covered by any new hacking offence because it does not pose a threat to the operational integrity of a computer system in the way hacking does. It thought, in any event, that on the present available technical evidence, eavesdropping of the above type was not a major threat.

THE PROVISIONS OF THE COMPUTER MISUSE BILL - THE BASIC HACKING OFFENCE
Clause 1 of the Bill sets out the terms of the basic new hacking offence as follows:
"1.-(1) A person is guilty of an offence if -
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised;
(c) he knows at the time when he causes the computer to perform the function that this is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at -
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both".

The following comments may be made on this clause:
(1) There is no definition of "computer" in the Bill. The Law Commission thought it foolish to attempt any definition in such a fast-moving field of technology. This is in line with the absence of any definition of "computer program" in the Copyright Designs and Patents Act 1988.
(2) The Law Commission wished to distinguish between casual and more serious hackers and the Bill adopts a hierarchical structure of two hacking offences, the second (where there is an intent to commit a serious crime) carrying a heavier penalty.
(3) The offence is committed when the defendant causes the computer to perform a function with the necessary intent. It does not matter whether he actually obtains access. The Law Commission was persuaded of the view that the person who "knocks on the door of the target computer without authority" may well be as productive of the mischief that the offence seeks to deter as is the person who actually gains entry. However it wished to define the preparatory conduct of the defendant within the terms of the offence because it considered that the general law of attempted crime was inadequate. Certain conduct of a defendant might fall short of what is required to establish "attempt" under existing criminal law because it was merely preparatory.
(4) The offence is to "cause a computer to perform any function with intent to ...". This requirement was favoured by the Law Commission so as to prevent the offence including "passive eavesdropping" or the obtaining of hard copy material from a computer or the obtaining of physical access to a computer.
(5) The concept of "access" is widely defined in clause 18 of the Bill so as to include the running of a program or part thereof. This is in accordance with the Law Commission's recommendation [16].
(6) The Law Commission thought the main thrust of the basic hacking offence should be the "remote" hacker while recognising that hacking is commonly perpetrated by employees or insiders who already have some degree of legitimate access to the system but who exceed the bounds of their authority. Accordingly, for the offence to be committed, the access sought must be unauthorised and the defendant must know this to be the case. The burden of proof is on the prosecution which must show [17] both (i) that the defendant is not entitled to access of the kind in question to the program or data, and (ii) that he does not have consent to access of the kind in question to such program or data from any person who is so entitled. The Law Commission thought it highly desirable [18] for employers to put their houses in order in terms of clearly defining limits of authorisation applicable to each employee. Note that if access is authorised, it is not an offence to make use of such access for unauthorised purposes. The Law Commission thought such use to be no different from a typist who uses her employer's typewriter for private purposes. There was an attempt in Committee to introduce a defence in the Bill that reasonable care had not been taken to prevent access but this failed.
(7) By way of further protection for the careless employee the offence requires full intent: mere recklessness is not enough.
(8) If the hacker intends to secure access to any program or data it does not matter for the purpose of the basic offence whether or not he had any ulterior purpose.
(9) It does not matter whether the hacker had any particular program or data in mind [19]. The Law Commission pointed out that a hacker who attacks a computer may well not know in advance, or care, what particular data or programs it contains [20].
(10) In accordance with the hierarchical structure intended by the Law Commission, the basic hacking offence is a summary one only, with a maximum penalty of six months imprisonment or a fine not exceeding level 5 (£2,000) or both. In each case this is double the Law Commission's recommendation. An attempt in Committee to reduce the penalties to those recommended by the Law Commission failed.

[8] Interception of Communications Act 1985: ss 1 and 10
[9] Telecommunications Act 1984: s43
[10] (1982) Ch 431
[11] Survey of Computer Fraud and Abuse, 3rd triennial report (1987)
[12] Report, para 2.14
[13] (1986) 83 Cr. App. R 54
[14] Working Paper No. 110, para 8.11
[15] (1989) Law Com No. 180
[16] Report: para 3.30
[17] Clause 18(5)
[18] Report: para 3.37

THE COMPUTER LAW AND SECURITY REPORT 1990-91 1 CLSR
THE ULTERIOR INTENT HACKING OFFENCE
Clause 2 of the Bill sets out the terms of the second and more serious proposed hacking offence as follows:
"2.-(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent -
(a) to commit an offence to which this section applies; or
(b) to facilitate the commission of such an offence (whether by himself or by any other person);
and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
(2) This section applies to offences -
(a) for which the sentence is fixed by law; or
(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates' Courts Act 1980).
(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.
(5) A person guilty of an offence under this section shall be liable -
(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both."

It is worth noting the following points about clause 2:
(1) This more serious hacking offence is created by clause 2 of the Bill where a hacker has, in addition to the elements required by clause 1, an intent to commit or facilitate a serious crime.
(2) Serious crime is defined by clause 2(2) as one for which the sentence is fixed by law (murder) or one for which the defendant may be sentenced to imprisonment for a term of 5 years. The Law Commission thought it imprudent to try and draw up a list of all possible offences. Whilst, in practice, the relevant offences are likely to be ones of dishonesty, others are not excluded e.g. where a hacker hacks into a hospital computer and rearranges data providing details as to blood groups with the intention that a patient should be given the wrong blood. The five year limit is arbitrary, [...] the same test as determines what is an arrestable offence under the Police and Criminal Evidence Act 1984. It also fits in with what the Law Commission thought should be the proper maximum penalty for any of these ulterior intent offences.
(3) The ulterior intent includes not just that of committing a relevant offence but also of facilitating the commission thereof, whether by the defendant himself or by someone else. For this purpose it is immaterial whether the further offence is to be committed on the same or a future occasion [21]. Thus it catches the hacker who is trying to enable a friend to commit a theft or who obtains confidential information in order later to blackmail someone. Existing criminal law relating to attempts would not cover such activity.
(4) This clause makes it expressly clear that the offence can be committed even though the commission of the further offence is in fact impossible. This brings it into line with section 1(2) of the Criminal Attempts Act 1981, which applies to "attempts".
(5) The offence is triable either way. On conviction on indictment it carries a maximum penalty of five years imprisonment or a fine.
(6) As drafted, the offence created by this clause did not apply to Scotland for which a different offence was created by clause 3 of the Bill, defining the necessary ulterior intent as being that of obtaining "a significant personal or material advantage for himself or another person" or damaging "seriously another person's interests". The English Law Commission differed from its Scottish counterpart over how to define the ulterior intent [23]. However in Committee it was decided that clause 2 could apply to Scotland with the result that clause 3 has now been deleted.

[19] Clause 1(2)
[20] Report: para 3.32
[21] Clause 2(3)
[22] Clause 1(4)
[23] Report paras 1.37 to 1.39 and 3.8 to 3.9

UNAUTHORISED MODIFICATION OF COMPUTER MATERIAL
Clause 4, which creates the third and last new offence of unauthorised modification of computer material, is as follows:
4.-(1) A person is guilty of an offence if -
(a) he does any act which causes an unauthorised modification of the contents of any computer's memory or of the contents of any other computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing -
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.
(3) The intent need not be directed at -
(a) any particular computer;
(b) any particular program or data or a program or data of any particular kind; or
(c) any particular modification or a modification of any particular kind.
(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
(5A) For the purposes of the Criminal Damage Act 1971 a modification of the contents of a computer shall be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.
(6) A person guilty of an offence under this section shall be liable -
(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

The provisions of clause 4 of the Bill closely follow the recommendations of the Law Commission. It is worth making the following points:
(1) The defendant must cause an "unauthorised" modification. Unauthorised is defined [24] in a similar way to the use of the concept in the other offences. Thus the burden of proof is on the prosecution.
(2) The modification may be to the contents of either computer memory or of any computer. The first category covers ROM and RAM. The second includes storage media such as disks or tapes which, when loaded, are regarded as part of the contents of the computer.
(3) The use of the phrase "the contents of" was deemed by the Law Commission to be apt to cover all that could be required without the need for difficult technical explanations in certain cases.
(4) The concept of causing a "modification" covers both the alteration or erasure of programs or data already stored on a computer or computer storage medium and the addition of a program or data to it. This is made clear in clause 18(6) which clarifies the meaning of "modification" by the phrase "whether or not by way of alteration of anything already stored or otherwise held there". Thus the clause covers the unauthorised addition of a virus or worm to a computer's library of programs intended to impair the computer's operation by using up its capacity or the unauthorised addition of a password to a data file rendering that data inaccessible to anyone who does not know the password.
(5) Note that the modification can be to "any" computer's memory. Read with clause 4(3), which makes it clear that the requisite intent need not be directed at a particular computer or program, this ensures that the offence will be committed where the defendant copies a virus onto a floppy disc and then puts that disc into circulation with the intended eventual result that another computer should become infected by the virus. Even though, when the virus is put into circulation the defendant does not know which (if any) computer will eventually be infected or what (if any) impairment will be caused, an offence is committed. The Law Commission regarded the risk of this offence as substantial and serious.
(6) As with the two new hacking offences, recklessness will not be enough, there must be intent and that intent must not merely be to cause a modification but also, "by so doing", to impair or destroy. Through the use of the phrase "by so doing" the Law Commission wanted to ensure that this new offence is not committed simply by the act of attempting to log on.
(7) The intent must be to impair the operation of any computer/computer program or destroy or impair the reliability/accessibility of any data stored/held in the computer's memory. The additional reference to reliability/accessibility of "data" was included so as to ensure that the offence covers activities which might arguably be said not to impair the "operation" of the computer. As examples the Law Commission instanced the reformatting of a disk so as entirely to remove all the data that it previously held or the deletion of a file on a disk with the effect that the area on the disk that it previously occupied is no longer flagged as an area that cannot have other data stored on it. Even though these and other examples may not involve an intent to impair the "operation" of the computer, the Law Commission was satisfied that they involve serious interference with the running of the system and should be captured by this offence.
(8) However the Law Commission did not wish the offence to cover activity which was intended not to "impair" but either to improve or to be neutral in its effect on the computer or its operations. For example, if an employee, in deliberate contravention of his employer's instructions, gained access to a computer in order to copy a file from another person's to his directory, the Law Commission thought that this offence should not bite (although the basic hacking offence would). Even so, the Law Commission recognised that it may catch some relatively harmless forms of unauthorised use of a computer e.g. the employee who adds data to his employer's computer in order to work out permutations for his football pools coupon. However the Law Commission felt that in such cases, it might be difficult for the prosecution to show an intent to impair the operation of the system.
(9) Clause 4(5) makes it clear that an unauthorised modification and its effect can be merely temporary, thus dealing with the problem presented by the Gold and Schifreen case.
(10) Clause 4(5A), introduced in Committee, effectively provides that, where clause 4 applies, the Criminal Damage Act 1971 does not. Accordingly the decision in Cox v Riley will be reversed. There would otherwise be confusion if the offence could be prosecuted under two separate Acts carrying differing maximum penalties. As recommended by the Law Commission, the offence under clause 4 is to be triable either way and, on indictment, carries a sentence of imprisonment for up to five years. This is a lesser penalty than the one under the Criminal Damage Act.
JURISDICTION
there being further consultation. It thought that the detection of hacking by employees i.e "inside" access was merely a matter of the computer owner investing in sufficient safety devices and sufficient control systems to be able to detect what use was being made of the computer and which insider was doing it. So far as outside hacking was concerned, it thought that the powers afforded to the authorities by virtue of the Telecommunications Act 1984 and the Interception of Communications Act 1985 were sufficient to enable hackers to be detected without contravening the existing prohibition against telephone tapping. It is legitimate under the 1984 Act for the telephone authority to monitor the time, duration and destination of calls without making any attempt to intercept them o~ scrutinise their content and such authority is entitled to disclose any information so obtained for the prevention or detection of crime under section 45 of the Act Furthermore, the Interception of Communications Act authorises interceptions which take place with the consent either of the sender or of the receiver of the communication in question so that, if the owner of a computer who suspects unauthorised hacking gave his authority, it would be legitimate for the authorities to intercept the message "echoed back" to the hacker from the target computer. Moreover, the Law Commission pointed out that the ulterior intent hacking offence would carry a maximum penalty of 5 years imprisonment thus making it an arrestable offence which, in a case where there was reasonable suspicion that the offence is being committed affords certain powers of arrest, entry in order to arrest and search of the arrested persons premises under the Police and Criminal Evidence Act 1984 (PACE). 
It was thought that there were already sufficiently extensive powers of forfeiture of property used or intended to be used in committing offences provided under section 69 of the Criminal Justice Act and that these could in appropriate circumstances be applied to hacking equipment. However, this subject was extensively debated in Committee and it appears that the government is now persuaded of the need for greater police powers of search in respect of clause 1 offences. Accordingly a new clause has been added to the Bill which will enable a magistrate to grant a search warrant where satisfied that there are reasonable grounds for believing that a clause 1 offence has been or is about to be committed in any premises and that relevant evidence is in those premises. More wide-ranging amendments tabled by Emma Nicholson MP in Committee which would have given a greater power of search to the police were not approved. One particular problem raised with the Law Commission had been the risk that any evidence required to establish the commission of the new computer misuse offences might well have to be computer-produced and could, under the provisions of section 69 of PACE, be found to be tainted. That section requires the prosecution, in respect of any computer-produced document, to show that there are no reasonable grounds for believing that the statement in such document is inaccurate because of improper use of any computer and that at all material times the computer was operating properly or, if not, that the respect in which it was not operating properly was not such as to affect the production of the document or the accuracy of its contents. The Law Commission does not accept that this section creates a problem. In its view oral evidence will have to be given in any computer misuse case to explain the normal working of the
There are detailed provisions in the Bill, in clauses 6 to 11 inclusive, relating to jurisdiction. Very briefly, jurisdictional problems have been identified by the Law Commission 25 in international fraud generally, not necessarily involving computers. This is because of the rule of English criminal law that, for English Courts to have jurisdiction, an offence must have been committed here, by which it is meant that the last act or event necessary to its completion must have occurred here. The Law Commission has made specific recommendations to reform the criminal law in order to eradicate such general difficulties. The Law Commission made specific recommendations in its Report on Computer Misuse in respect of jurisdiction over the three proposed new offences now contained in the Bill. The general principle that the Law Commission recommended be followed was that the English Courts should have jurisdiction over computer misuse that originates from, or is directed against, computers in this country. Accordingly, the offence will be committed if either the offender or the computer is in this country at the time the offence is committed. The Computer Misuse Bill essentially adopts this recommendation. Specific further points recommended by the Law Commission, and taken up in the new Bill, are that the clause 4 offence can be committed if either the target computer is in this country or if the modified material is here. In relation to conspiracies, attempts and incitements, the principle of double criminality is incorporated in the Bill so that a conspiracy, attempt or incitement in this country to commit a computer misuse offence wholly abroad would not be prosecutable in this country unless the acts contemplated, if done, would be punishable under the laws of the country where they were to take place.
TIME LIMITS
Clause 13 of the Bill abrogates the basic time limit provision under section 127 of the Magistrates' Courts Act 1980, for the bringing of proceedings in respect of the basic hacking offence under clause 1. The general rule is that any information must be laid within 6 months from when the offence is committed. There are already certain exceptions to this, e.g. the Road Traffic Offenders Act. The Law Commission thought that, since there can be particular difficulties in detecting hacking offenders, the basic rule should be changed, as it is in clause 13, so as to make the time limit of six months run from the date from which evidence sufficient to warrant the proceedings comes to the knowledge of the prosecutor, with a long stop of three years after the commission of the offence. As a result of debate in Committee, the clause may now be amended so as to provide only an outer limit.
CONVICTION OF LESSER OFFENCE
There is an express provision, clause 14 of the Bill, enabling a jury to find a defendant who is charged under clause 2 or clause 4 guilty only of the lesser offence of basic hacking under clause 1. This express provision is required because an offence under clause 1 is triable summarily only and so the provisions of section 6(3) of the Criminal Law Act 1967, which enable alternative convictions to be returned, would not apply.
EVIDENCE AND PROCEDURE
The Law Commission concluded in its Report that no changes to the existing criminal law with regard to evidence and procedure were obviously necessary and was therefore not prepared to make any recommendations on this score without
25 Report No. 180 on "Jurisdiction over offences of fraud and dishonesty with a foreign element".
THE COMPUTER LAW AND SECURITY REPORT 1990-91
The second and more serious proposed hacking offence seems to have attracted less criticism than the first although it could be said that, if the prime purpose of the legislation is to protect the "integrity" of the computer systems and to reduce the inordinate costs of preventing and monitoring unauthorised entry and of investigation26, then it is irrelevant what ulterior purpose the hacker may have. It is also suggested that the law will be brought into disrepute because of the difficulties of detection and enforcement. This is a problem which Mr. Colvin and the Government have recognised in Committee, although some will say that they have still not gone far enough. Commentators have also complained about the failure of the Bill to deal with the problems of deception of a computer, passive eavesdropping, the admissibility of computer evidence 27 and the fact that, under present law, there can be no theft of information 28. In general however it is fair to say that the Bill has been widely welcomed and it is to be hoped that it will shortly become law.
computer and the way in which it was alleged to have been interfered with. None of such evidence would fall within the terms of section 69 PACE. However, if computer-produced documents were relied on in order to show the alteration of data or the attempts of a hacker to enter a system, the facts they would be stating would be data at present contained within the computer. The Law Commission saw no reason in such a case for exempting the prosecution from the general requirement of showing that the computer was, apart from the alleged interference, otherwise operating properly. This area was not debated in Committee. Finally, the Law Commission flatly rejected any suggestion that there should be a new, statute-imposed duty to disclose incidents of computer misuse. It regarded this as a complete and unjustifiable departure from the general practice of the law.
CONCLUSION
The Bill has been criticised both for going too far and for not going far enough. Some critics, notably Eric Howe, the Data Protection Registrar, have attacked the basic proposed new hacking offence on the basis that it is wrong to criminalise mere misbehaviour. Others go further and suggest that the ordinary hacker serves a useful purpose in demonstrating to computer owners the security failures in their system. It is suggested that, if clause 1 of the Bill becomes law, such "benign" hackers - described during the parliamentary debate as "the Raffles of the microchip" - may become liable to blackmail or that, if the embarrassment they cause is removed, computer manufacturers will become complacent over security. The latter retort that it must be for them to determine how they wish the security of their system to be tested.
Richard Dedman, Report Correspondent
Partner, Barlow, Lyde and Gilbert solicitors, and author of legal section of the "Price Waterhouse Complete Computer Virus Handbook" (1989). This paper was first delivered at a conference on Computer Misuse hosted by Westminster Management Consultants on 14th March 1990.
26 Report, para 1.29.
27 See, for example, Hacking: Proving the Crime by Mark Tantam, Computer Law and Practice, Vol. 6 No. 3.
28 Oxford v Moss (1978) 68 Cr. App. R. 183
INFORMATION
Annotations to the LAW COMMISSION proposals on Computer Misuse October 1989 - The French experience
Each day the use of computers spreads a little more in all fields of French activity, and so does computer misuse. For 1987, loss resulting from computer misuse in France represented 3.900 million Francs. Up to 1988, the year when the first computer fraud repression and prevention law was enforced after long and impassioned parliamentary discussions, French Courts dealt with computer fraud as well as they could, that is to say under the old law, which was soon found to be inappropriate, leading to cases going untried. The main difficulty arose from the principle "No law, no repression", which developed the need for specific computer fraud legislation. The purpose of the computer fraud repression law (Loi "Godfrain" du 5 janvier 1988) was to fill these gaps. It introduced 7 new articles into the Criminal Code classified in three categories:
• those aiming to protect data processing systems from unauthorised access (a particular offence of impairing data transmission is provided),
• those dealing with falsification of computerised documents and their use (the first prosecution based on these new provisions--T.G.I. Paris, 12 Octobre 1988 -- revealed difficulties about determination of "computerised documents"),
• those concerning attempts (punished like offences) and meant to prevent computer crimes.
The first observation that can be made is that the repression resulting from French law is significantly wider than the scope of the proposals made by the British Law Commission in its report on Computer Misuse, partly because the Commission lacked time for further proposals (deception of machines for instance). Furthermore, even though the French Parliament, when discussing the law, clearly stated, as did the British Law Commission, that the purpose was to "safeguard the integrity of computer systems rather than the information contained therein", one should note that the French approach is slightly different, especially for the fraudulent access issue. Article 462.2 of the Criminal Code provides for fraudulent access or remaining in a data processing system to be punishable by two months to one year imprisonment, 2.000 to 50.000 Francs fine or one only of the two punishments, which becomes two months to two years and 10.000 to 100.000 Francs when intrusion causes suppression or alteration of data or alteration of the functioning of the system. Also, if the Commission's proposal for a basic Hacking offence appears very clearly to be the same as the one adopted in France, the main difference comes from the proposed Ulterior Intent offence, which has no equivalent. In France there is no need to produce evidence about the intruder's intent to commit a further offence. The fact of remaining in a system falls under the textual prohibition, even if access is not obtained by fraud. Therefore, as far as proof is concerned, it seems easier to prove that one has unduly remained in a system than to establish the intent was to commit or facilitate the commission of a crime. If the intruder does commit an offence in connection with the system (altering data, impairing the functioning) or an offence for which access to the system is the guilty act (fraud, misappropriation ...) he will be prosecuted. That is one of the reasons why the French computer misuse law, apart from having a wider scope, also appears to be more severe than the offences resulting from the Commission's proposals.
Marina Couste, Report Correspondent