Computer Fraud & Security Bulletin
July 1991

Phoenix Datacom has announced the PC based Watchdog LAN monitor, which converts a standard AT or MCA bussed PC into an Ethernet or Token Ring LAN monitoring tool, providing statistical monitoring and operational alarms in real time. Available as both software and interface card, Watchdog costs £1995 in Ethernet and £2695 in Token Ring. For more details phone Gill Gear on +44 (0)296 397711.

The European consumer services division of Citibank has standardized on an anti-virus package for all users. The company has installed Central Point's Anti-Virus software on its 1000 strong network of PCs after seeing a beta test version and requesting several extra features to be included in the package. For more details call Jim Horsburgh on +44 (0)81 8481414.

Affiliated Software has announced PC-cillin, which uses both hardware and software solutions to prevent virus infection. The hardware immunizer attaches to the parallel port of the PC and verifies the boot sector every time that the PC is started up. If it discovers signs of an infection it downloads a clean copy from its own external memory. The software component comprises a resident filter program which monitors RAM for general virus characteristics and a viral scan program with a virus pattern bank. The PC-cillin pack retails at £150 for a single user. For more details phone Chris Arden on +44 (0)273 602622.

CHI/COR has been awarded the ICP 5 million Dollar Award for its business recovery planning software, TRPS. The award is given to vendors when a single product exceeds this level in sales. TRPS is an IBM PC based software tool which helps organizations develop and maintain disaster recovery plans. Built entirely on a relational database, the product is available on standalone or LAN licences. For more details contact Heidi on +1 312 322 0150.

ERA Technology has published a report on the relative merits of some of the most common measurement methods used to assess the effectiveness of RF and microwave emission screening. Methods studied included the use of anechoic and reverberation chambers, shielded enclosures, TEM cells, magnetic loop cavity, the dual shielded box and a time domain method. The report goes by the snappy title of Survey of methods used for the measurement of shielding effectiveness of planar materials, and retails at £100. For more details contact ERA on +44 (0)372 374151 ext 2234.
RESTRICTING COMPUTER MISUSE: The Limits of the Law

Peter Sommer, Virtual City Associates, UK
In this paper I want to examine how much we can reasonably expect the legal system to help us safeguard computers and what goes on within them. I will be doing so specifically by looking at the UK Computer Misuse Act of 1990, but I hope what I have to say will go beyond the parochial needs of a UK audience. In the end, the framing of laws has to be a specific and practical exercise, not the enunciation of generalized principles. Computer laws have to interrelate with the rest of the law. In turn, all substantive law has to interact with the facilities available for enforcement; and that means looking at rules of admissibility of evidence, policing, the prosecution service and the reality of the courts. These considerations have been strikingly absent in recent debates about computer crime legislation wherever they have been held in the world.

Problems of public perceptions

The first problem any proposal for a computer crime statute has to cope with is public perception of the nature and extent of computer crime. It is the perception of the problem rather than the actuality which has such a profound influence on what finally happens in the determining of public policy, in Parliament, among law enforcers, and in board rooms.
©1991 Elsevier Science Publishers Ltd
While the broad public thinks there is a lot of 'computer crime', there turns out to be no agreed definition of what should be included. Are we talking about anti-social activities in which computer files are directly manipulated (there is surprisingly little of that in the attested material in the computer crime case books), or do we broaden it out to situations in which computers are physically involved (in which case you also include theft of computer hardware)? Should we be taking a strict literalist approach, that the only computer crimes are transgressions of laws which already mention the word 'computer'? None of these definitions is more correct than any other; my point is the absence of any agreement as to which to adopt.

In the absence of any consensus, the definition of 'computer crime' can be made to do almost anything you want. If you are in the computer security business, your marketing strategy must be to go for as wide a definition as possible. You cheerfully include all the large electronic funds transfer (EFT) frauds because, although all the known examples rely on abuse of (manually-based) authorities or simple impersonation and the computer systems centrally employed have never been compromised, the sums involved are always in the millions. On the other hand, if you are the head of a police force faced with ever more insistent demands for greater efficiency in all areas of your remit, coupled with complaints about the growth of your annual budget and the poor quality of your manpower, there is a lot to be said for claiming that computer crime (on a restricted definition) is only a tiny problem.

The lack of an agreed definition also means that all computer crime statistics are nonsense; no-one knows what is being measured. Of course the problem with computer crime statistics goes far beyond that: once you have your definition, how do you reliably collect your data? The official crime statistics reflect breaches of specific statutes and common law offences, not modus operandi. How do you assess unreported crime? We don't have even the beginnings of an idea of how much white collar crime in general goes unreported; this is currently one of the great gaps in modern criminological research.

The difficulty with computer crime statistics gets worse when it comes to estimating the costs of computer crime. What do you include: sums actually lost, sums the subject of failed attempts, sums 'at risk' (the phrase used by the police fraud squads, though with no agreement as to what that means), consequential losses (but then how far down the line of causation do you go)? Again, there is no 'correct' answer.

None of these obvious problems have prevented otherwise respectable organizations and individuals from associating themselves with quite definite figures. The Confederation of British Industry, the leading employers' body in the UK, throughout 1989 and 1990 kept on quoting the figure of £400 million, though what this represented (computer crime or hacking) tended to vary. Pushed hard, they acknowledged they themselves had done no research but said what they had came from the London Business School. Enquiries at the library there showed no LBS-sponsored work; I think I have tracked the 'statistic' down to a press release from a corporate security company called Saladin who took advice from an LBS staff-member, but the research, if it exists, remains unpublished. The Department of Trade and Industry, in figures released just before the Second Reading of the Computer Misuse Bill in February 1990, said they had verified 270 computer crime incidents over the previous five years, of which only six had been brought to court. Enquiries of the DTI showed that they had conducted a "survey of surveys", and no, they couldn't offer their working definition of what they were measuring. A convenient get-out for those who have intellectual doubts about the figures they quote is the use of the impersonal passive: "it is estimated". And if pressed, respond not by explaining statistical methods but by producing a lurid anecdote and/or forecast.

A very important component in the formation of public perception has been the role of media reporting. There is an inevitable bias in newspaper and television coverage of anything towards the unusual; computer crime is no different except that the level of verification seems to be lower. Among the lazier journalists, the premium is on getting a story which conforms to stereotypes. I have received the request "Get me a hacker, the younger the better" from more than one mass circulation daily newsdesk. A related bias is that the 'experts' quoted are those who are prepared to make the most outrageous claims and forecasts. The 'expert quote' in fact provides the reporter with an alibi or makes the weight for an otherwise dubious story.

Any examination of the actual case material from first-hand or near-first-hand sources, as opposed to the clippings libraries of the national media (and there is now over twenty years of it), shows that standards of scholarship in the reporting and analysis of computer crime are abysmally low, but that is a subject for another paper. Yet again, sensational claims made by prosecutors and police at the beginning of trials are news; the failure eventually to produce evidence for them usually is not. This is a repeating pattern: we saw it here in the UK in the Prince Philip Prestel case, in Germany with the Chaos Club/KGB hackers affair, and we have seen it as recently as the end of 1990 in the USA over Operation Sun Devil and the Legion of Doom. There are still people who believe that in 1985 New Jersey hackers were able to move satellites in space, all based on prosecutor claims that in court were shown to have been the result of hysteria and ignorance.
I have spent some time talking about public perceptions because one of the things that new legislation can never do is remedy situations which substantially do not exist, at least in the forms in which the public have come to believe. There is one exception to this to which I will return at the end.

Perceptions about computer law

The misperceptions about computer crime are accompanied by another one: that you need specific new laws to tackle computer-related crime. There is a wealth of obvious rhetoric about the sloth of law reform and the unworldliness of lawyers; so the 'logic' is complete. We have a radically new area of criminal activity called computer crime, committed by a new class of person, the computer criminal or hacker, and for which, obviously, completely new laws, computer crime laws, are required. Most of the rest of this paper will show the false directions in which this logic has led us.

In its Working Paper 110, published in September 1988, the English Law Commission (ELC), the official body concerned with reviewing and recommending law reform, examined Computer Misuse and listed the areas where existing English law already delivered remedies. These included: the Theft Acts; Conspiracy; Demanding Money with Menaces; Criminal Damage; Offences Against the Person; Official Secrets; Forgery and Counterfeiting; there are also limited criminal sanctions available in the Copyright Acts. The English Law Commission found some loopholes and exceptions which I will examine later, but what they showed in an authoritative and compact form was what was evident to anyone who had studied the case books of British computer crime: that nearly all of the activity that one could include in a definition of 'computer crime' was not only punishable within existing English law, but that there had been any number of convictions.

The process of law reform

Working Paper 110 enraged those who wanted tough legislation. The Law Commission had produced a list of technical reforms throughout the penal calendar but, on what many had persuaded themselves was the central issue (a new offence of "unauthorized access to a computer"), the Commission was agnostic, asking for evidence that any action was necessary.

The English Law Commission had not been the first to comment on computer law reform. England and Scotland have separate though similar legal systems, and the Scottish Law Commission had produced a consultative paper in 1986 (which incidentally contains a useful summary of international legislation) with a final report following in 1987. The SLC had recommended a new offence of unauthorized access to a computer:

(1) A person commits an offence if, not having authority to access a program or data stored in a computer, or to a part of such program or data, he obtains such unauthorized access in order to inspect or otherwise acquire knowledge of the program or data or to add to, erase or otherwise alter the program with the intention: (a) of procuring an advantage to himself or another person; (b) of damaging another person's interests.
(2) A person commits an offence if, not having authority to obtain access to a program or data stored in a computer, or to part of such program or data, he obtains such unauthorized access and damages another person's interests by recklessly adding to, erasing or otherwise altering the program or data.

To many English lawyers the tests for proof seemed too vague to be practical and left too much to judicial interpretation. But what had really stimulated English demand for legislation was the case of R v. Gold & Schifreen, which in 1988 had gone to the highest court in the land, the House of Lords. Gold and Schifreen were two out of four hackers who had penetrated British Telecom's public access database service Prestel in 1984. They had not employed any great skill in doing so but had exploited the fact that British Telecom had broken almost every rudimentary rule in the computer security book. The system manager had an obvious password (it was discovered by accident and not as a result of any password-cracking program), the test environment had a password which showed on its log-in page, and the test environment contained live data. When the hackers contacted BT they were quickly told the problem was under control, though in fact the hackers gave the story to the press and BT's reaction was to get the perpetrators. One can only speculate on what might have happened had the hackers gone to an upmarket paper instead of a popular one, the Daily Mail. Perhaps we would have seen high-level sackings in BT rather than the launching of expensive traps to catch the message-bearers.

Gold and Schifreen were charged under the Forgery and Counterfeiting Act 1981. This was, to say the least, a prosecution experiment, as this act had never previously been used in such a case. No charges were preferred under such easier headings as theft or conspiracy to defraud. The legal problem for the courts was that whatever they had done wasn't forgery, which in English law requires that an 'instrument' be forged; typing characters into a computer which then immediately accepts them does not create an 'instrument'. This was the point that actually preoccupied the House of Lords. To the lay public, however, the House of Lords seemed to be saying that anyone can hack and get away with it. People began to speak of English law as providing a Hacker's Charter.

Emma Nicholson introduced an Anti-Hacking Bill in 1989 under a procedure which meant that, while it had no chance of becoming law, it would get some publicity, perhaps for future legislation which would then have proper backing. The Bill contained phrases picked up from the Scottish Law Commission's proposals but also sought to cover electronic eavesdropping of VDU radiation, a subject which had recently also captured public imagination. The Anti-Hacking Bill was deeply impractical but served its main purpose of heightening public interest in the subject.

In the meantime the English Law Commission was preparing its final report, and was subject to very heavy lobbying to change its previously agnostic position. The final report came out in record time, six months after the ending of the formal consultative process following its Working Paper. Published in September 1989, the ELC proposed three new offences, all to do with "unauthorized access to a computer". Unusually for them, and as a result of the short time available for report writing, they included no draft bill, just a set of ideas. We will examine these in detail shortly.

The Conservative government was unable to include in its legislative plans any new bill along these lines. There is a procedure by which backbench MPs can enter a lottery for the right to introduce a bill which then has a considerable chance of getting on to the statute book. One such successful MP, Michael Colvin, agreed to take the bill on. In the absence of official help, he received informal technical support from the Department of Trade and Industry (who do not normally handle criminal legislation) and also from the 'tough laws needed' lobbyists. It became very difficult for those who dissented to appear as anything other than 'soft' on computer crime. Start talking about the existing law in any detail and your audience thought you were using your cleverness to obscure both the truth and your 'real' agenda. Begin querying the validity of the statistics and the veracity of some of the anecdotes and you were soon told (a) the information came from sources that couldn't possibly be made public and (b) all respectable people knew what was happening anyway.

The new law

What had happened was that the English Law Commission had forgotten the general guidelines for law reform that it had originally set itself, and which in turn had been handed down from the Home Office back in 1982: that the behaviour is so serious that it goes beyond what it is proper to deal with on the basis of compensation as between one individual and another and concerns the public interest in general (that is, civil procedures are not enough); that criminal sanctions should be reserved for dealing with undesirable behaviour for which other, less drastic means of control would be ineffective, impracticable or insufficient; and that a new offence should be enforceable.

The Bill, and now the Act, has a superficial elegance. There are three computer misuse offences: section 1, "unauthorized access to computers and/or computer material"; section 2, "unauthorized access with intent to commit or facilitate the commission of further offences"; and section 3, "unauthorized modification of computer material". The last of these is intended to catch designers of logic bombs and viruses. The section 2 offence is concerned with attempts, involving computers, to commit further serious offences, such as theft or blackmail. If you have prepared to commit such an offence but have been unable to complete the deed, you can be charged under Computer Misuse. Section 2 and 3 offences attract penalties of up to 5 years in prison. Section 1 is the one that aims at 'hacking': for a prosecution to be successful, it must be shown that the person secured access to a program or data, that the access was unauthorized and that the perpetrator knew that the access was unauthorized. However, there is no need to show that the unauthorized access was directed at any particular bit of data, or program, or even any particular computer. This section attracts a maximum penalty of six months. Section 1 may also be used where there is insufficient evidence to catch an offence under sections 2 or 3. The Act also attempts to address the problem of international computer crimes, where computer connections are made across several national boundaries. In this it anticipates what needs to be done to cover the growing problem of international fraud of all kinds.
Closer examination, though, removes much of the initial gloss. To take the three principal offences in reverse order: section 3, unauthorized alteration of programs and data, was introduced to overcome a supposed gap in the Criminal Damage Act of 1971, which was thought by some academic lawyers not to be easily applicable to 'data', data not being 'property'. In fact there had been successful prosecutions involving altered computer data by showing that the consequence had been damage to some physical property. In the case of Cox v. Riley in 1986, it was program instructions for an electric saw which had been deliberately altered. Criminal damage was the charge in two recent logic bomb cases: R v. Tallboys in May 1986, where a prank by a former computer employee of Dixons went wrong, and R v. McMahon, which concluded at Isleworth Crown Court in January 1988. Moreover, as the Computer Misuse Act was passing through its final stages in the House of Lords (this time acting as a Second Chamber to the legislature and not as a final Court of Appeal as in the Gold and Schifreen case) a 'pure' hacking case, that of Nicholas Whiteley, was successfully concluded with a Criminal Damage conviction in the precise circumstances that the Law Commission had thought might not be possible. The decision was upheld in the Court of Appeal before Lord Chief Justice Lane this February.

What we are left with now, though, is not duplicated legislation but weakened legislation. For the Computer Misuse Act now forbids the use of the Criminal Damage Act in cases involving unauthorized access to data. In future these cases must be put through the tests required by the Computer Misuse Act, that is, that there must be access to something which is not precisely defined in the legislation, namely a computer, and that such access must be unauthorized. I will return to this matter in a moment. What this also does is to remove from the prosecutor the opportunity to attack reckless behaviour. The Criminal Damage Act penalises both those who act deliberately and also those who act with a reckless disregard of the consequences. The end effect of section 3 is to weaken what we had before.
Section 2, unauthorized access for the purpose of committing a serious criminal offence, looks stern stuff. But it always has been an offence in itself to attempt to commit an offence, even if the substantive offence remains uncommitted. It is only by a minuscule sliver that section 2 alters any requirement for the standard of proof in establishing when such an attempt has taken place. Section 2 is a makeweight.

With section 1, the simple unauthorized access offence, the ELC had problems. First, they recognized that there were serious arguments whether these actions should be criminalized at all, as opposed to making them a civil wrong, like trespass to land. (There is still no equivalent of trespass to a computer.) In making it a criminal offence it was clear that heavy punishment was not appropriate (although in fact the Act doubles the penalties the ELC proposed). The ELC spoke of the offence setting society's mark of disapproval on such activity. The trouble is that this clashed directly with the principles for the justification of the introduction of new crimes which they had set themselves.

In the UK, as in most countries, police powers of enforcement tend to be directly related to the penal levels specified for an offence: the more serious the offence, the greater the freedom the police have to seize potential evidence and suspects without getting permission first; for most purposes this is enshrined in the 1984 Police and Criminal Evidence Act. The unauthorized access crime was not a 'serious arrestable' offence so, despite lobbying by Emma Nicholson, police powers were limited, though they still exceed the usual PACE criteria. British industry has no idea under what threats it would have operated had Ms Nicholson and her colleagues had their way. For powers of seizure of evidence are not limited to those computers belonging to alleged perpetrators. In fact the domestic and small PCs owned by most 'hackers' are unreliable sources of admissible evidence. Often the useful material comes from computers owned by the alleged victims and from within any other computers used as part of the network journey from the alleged perpetrator to the alleged victim. Under Ms Nicholson's proposals, a police constable armed with a warrant from a lay magistrate (respectively the lowest rank of policeman and the lowest rank of judicial life) would have been able to enter any company and seize all data, software and hardware that was deemed necessary for the investigation in hand. The threat hasn't entirely vanished under the present legislation, but higher ranks of policemen and a High Court judge must be involved. Those who think this is a theoretical concern should examine the US Operation Sun Devil, in which 44 separate raids took place, at the end of which there were three limited convictions and large numbers of quite innocent computer owners carrying heavy losses because federal authorities acted foolishly, even hysterically, but within their legal powers. In any event, section 1 of the Computer Misuse Act is all but unenforceable, a matter to which I will come back a little later on.

Let me now return to two matters common to all three clauses: that access must be shown to be 'unauthorized' and that there must be a 'computer' involved. Does this include the secretary who uses her word processor in the lunch hour? What about the neighbour to whom you loan your house-keys and who, because her washing machine has broken down, borrows yours? The washing machine has a chip and ROM inside it. Even private use of a company's PABX may be drawn into the Computer Misuse Act. So what we have is an act weaker in one important effect than the legislation it was supposed to correct, with new police powers of seizure which potentially can have many innocent victims, and which introduces at least as many uncertainties in interpretation as it claims to have solved. Matters do not end here, though.

What the Act left out

In its 1988 Working Paper the ELC highlighted a number of defects in the existing law, and others had been noted during the public debates. I can't deal with all of them here, but there are some matters which should be identified.

Deception
The first of these is deception, which is covered in sections 15, 16 and 20(2) of the Theft Act 1968: obtaining goods or services by deception. The general view among lawyers is that it is only humans that can be deceived, not machines. The Law Commission identified the problem in its Working Paper 110 but in their final report said that they would have to look at the matter again sometime in the future. Interestingly enough, an extension of the law of deception would solve many of the simple unauthorized access cases (including the situation in R v. Gold & Schifreen) in that the usual consequence of unauthorized access is that computer and database services are thereby obtained.

Admissibility of Evidence
The second important defect in the existing law relates to the rules of admissibility of evidence of computer-based materials. It is no good having substantive laws if it is difficult to produce evidence in a form which is acceptable to the courts. A number of lawyers believe that the current rules, which are set out in section 69 of the Police and Criminal Evidence Act 1984, can in some circumstances become unworkable. The problem is this: before evidence can be introduced the court requires a certificate to say that the computer has at all times been behaving normally. If the modus operandi of a crime has involved making a computer behave abnormally (for example by writing to files directly outside their usual application or by violating the operating system or access control package) then it looks as though no evidence from that computer can be admitted.

Information Theft
At the heart of the concern many people have about computers is the amount of information they hold and process, and the consequent risks if such information is stolen. Indeed this was one of the most frequently cited arguments for unauthorized access legislation. In English law information as such cannot be stolen, though the medium upon which it is held, a piece of paper or a floppy disk, can. Although there have been a number of attempts to make information 'a thing capable of being stolen', so far none of them have succeeded. The difficulties should not be under-estimated: which categories of information should be protected; how would you test for each category (is it enough for an originator to label a document 'secret' or should there be some objective measure?); should there be a 'public interest' defence? The problems with using an offence of unauthorized access to a computer as a substitute are: you confuse the means with the substance; you run the risk of drawing people into the ambit of the crime who are not actually stealing information and who are not causing any readily identifiable social harm; and you are omitting instances of information theft which do not involve computers, such as stealing print-based documents. A more direct approach to information theft would also provide a route to tackling another of Emma Nicholson's concerns, the use of equipment to eavesdrop on radiation from VDUs.

Law Enforcement
There is little point in placing new crimes on the statute book if the means to enforce them do not exist. Law enforcement is much more than looking at the quantity and quality of police officers available in any one specialization. In the UK, the decision to prosecute is usually made by the Crown Prosecution Service. (Different procedures apply for serious frauds, which are then handled by the Serious Fraud Office.) The whole process is as follows:

• A victim decides to report a crime.
• Reasonable levels of evidence are believed to exist.
• The police make enquiries.
• The police make a report to the Crown Prosecution Service.
• The Crown Prosecution Service decide that there is a case which they have a reasonable chance of winning (that is, better than 50/50).
• The case is presented in court, the skill involved depending on the lawyers employed.
• Depending on the seriousness of the offence, either a judge alone or a lay jury advised by a judge have to understand enough to be able to convict.
In most other countries there is a similar set of hurdles. The present position in the UK is that there is only one Computer Crime Unit, which is attached to the Fraud Squad, run jointly by the Metropolitan and City Police forces. Its size varies from four to five officers. Since these are always drawn from the Met side of the partnership they are on three-year tours of duty, although one officer has managed to hold on longer. There is a 20 day course in computer crime methods run at the Bramshill training college. Fewer than 100 officers out of the total 145 000 policemen and women in England and Wales have ever been through it. The Computer Crime Unit has scant funds to employ external expertise. In some 'hacking' cases it has been able to rely on the goodwill of British Telecom, but BT will only act where it thinks that its own resources have been violated or threatened, and the relationship deteriorated during the 1990 Nicholas Whiteley (Mad Hacker) case.

Since October 1986 the police have ceased to be the prosecutors of crime as well as the investigators. Prosecution is now handled by the Crown Prosecution Service. But the computer crime coppers, whose training has not equipped them to understand the full range of criminal sanctions that might be available (and why should it?), have lost easy access to lawyers who might help them frame charges sensibly. The CPS is by its own figures 23% understaffed, with a greater problem in London. What about the Serious Fraud Office, which handles frauds above £1 million in value? It has 20 lawyers, 17 accountants, a support staff of 25 and 20 City of London police officers on secondment. The current workload is around 70 huge frauds, many of which will take years to work their way through the courts. By chance, rather than design, it had one senior officer who was extremely interested in computer crime, but he is now in the private sector. These are simply the first hurdles; we are only just beginning to see a sufficient body of barristers literate in computers.

Yet it is too easy to blame the police for what appears to be a poor response. What is interesting about computer crime is that it highlights many of the inconsistencies in public attitudes towards the police. It is clearly important to the public at large that the local police are seen 'walking the beat'. We apparently suspect the idea of elite squads and we resist the idea of a national force. Yet this same group of people are expected to cope with the social and technical complexities of white collar crime. We wouldn't tolerate any policeman 'walking the beat' through our offices and board rooms, looking for possible infractions of the law. Yet in terms of street crime it is this 'walking the beat' which is understood to have a powerful preventative effect. None of us has really thought through our expectations of the role of the police in a world where, for each of the last 15 years or so, there has been a 1% transfer from blue collar to white collar activities and presumably some considerable associated increase in the opportunities to commit white collar type crimes. One cannot look at computer crime, on any definition thereof, in isolation from these factors.

Making the Case

We must now examine in more detail how well the new Computer Misuse Act offences will stand up to the rigours of having to make a case in court.
Leaving on one side the particular hazards of the PACE s69 rules of admissibility in evidence and on another side the question marks over the extent of actual police resources, we have to ask ourselves what typical cases will look like in court. I want to concentrate on the two situations which most excited people during the run up to the passing of the CMA - hacking (in the sense of unauthorized access unaccompanied by any further activity) and viruses. The chief practical problem in any investigation of hacking is that perpetrators don't use their own names; further, a mere confession unaccompanied by any other evidence is unlikely to be sufficient. The investigator first has to show that access has taken place. It may not be enough to show that a given suspect has material in his possession that has come from someone else's computer: the files may have been collected by some third party and a copy of them given to the suspect on diskette. The prosecutor has to prove all the network connections; in many cases it will be necessary to catch the perpetrator in flagrante delicto. Now we know this can be done, but it is very time consuming and expensive. You require lots of monitoring equipment, a number of skilled technicians, and extensive cooperation between police, companies, institutions, and telecommunications suppliers. That cooperation must often extend across national borders. Investigation costs can reach £500 000 ($1 million) quite effortlessly. No sensible police force in the world can justify that amount of cost and effort on a crime for which the normal punishment is a fine and the maximum penalty is six months.

Let's now look at viruses. No one knows where most viruses come from. There is no knowledge of the originator even at an anecdotal level. Very occasionally, if the virus is unique and distributed on a disk, there is the possibility of physical forensics: that is, locating the supplier and hence the purchaser of a particular batch of diskettes. But this is very much the exception. There is another route back to a perpetrator if the virus is accompanied by some blackmail or extortion threat.
Here the criminal can be tracked down by the money collection method - which is the weak point of most attempts at demanding money with menaces. Some reports about the Panama Aids diskette allege that this is what happened there.
July 1991
But for the overwhelming majority of viruses these routes do not exist, and there is no law one can envisage that will overcome the fundamental problem of anonymity. Perhaps I should raise one further situation, where the designer of rogue code decides things have gone more wrong than was intended and decides to alert potential victims. This is what happened with Robert Morris and the Internet worm. Now where does the public interest lie? Do we believe that the existence of an 'anti-virus' law deters potential offenders in a useful way, or are we worried that a successor to Morris might say, "I didn't want things to go this far. However, no one yet knows about me; anything I do to minimize the effects of my rogue code is likely to lead to my identification and I may then be punished"?
The role of law as a deterrent

At this point some people will say that I am mistaken, that the very existence of a law on the statute book, even if it cannot be readily enforced, does act as a deterrent to the majority of people. In fact this was the justification the Law Commission produced for Section 1 of the CMA. I am not sure that the position is anywhere nearly as clear as that. People break laws all the time, particularly if they can convince themselves that they are not really doing any harm. This is certainly true of many road traffic offences. On the other side, there are a number of instances where people feel constrained from an activity which is not illegal but is considered unethical; eavesdropping is one example. In other words there is no absolute correlation between the fact of illegality and a sense that certain activities should be restrained. It might be helpful to recall what happened here in the UK some years ago over Citizens Band Radio, another technological hobby with outlaw connotations. Brits holidaying in the USA discovered the low-cost mobile radio service, imported the equipment and started to use it. In the UK this was an offence under the 1949 Wireless Telegraphy Act. The craze grew and grew and officials tried, with scant success, to make arrests. A campaign for a legal UK CB started; eventually there were almost 500 000 illegal sets in use. After a while, UK CB licences became available and within six months the craze was effectively dead. Is it possible that it was, among other things, the illegality of the activity (coupled with the lack of any real danger of getting caught) that was the attraction? Again, I make no final judgement, other than to say that the existence of a crime on the statute book may not have the intended effect.

Conclusions

Some of what I have said may suggest that, as a result of particular incompetence by the English Law Commission, parliamentarians and police, we have a poor computer crime law. If that is the impression which you take away then I have not made myself clear.
I think I have shown that for some of the highest profile computer crime activities, no law is going to provide any sort of substantive solution because, at a practical level, investigation and evidence-gathering is either too expensive and difficult in relation to the wrongs victims might suffer or is completely impossible. For such activities as classic hacking and virus-writing we should forget about the law and concentrate on preventative measures. For the rest of the activities that help to make up the statistics of computer crime, I wonder how far it is useful to talk about computer crime at all. As I also hope I have shown, most such activity is conventional crime - chiefly fraud, extortion and criminal damage - which happens to involve computers. Talking about computer crime lumps them all together, along with hacking and virus-writing. But each one of these activities has different risk factors, a different modus operandi and different preventative methods associated with it. By the same token, I am not sure that it is useful to talk about computer criminals as though they all showed the same features. A computer fraudster is surely best understood within the context of other types of fraud; the extortionist who locks legitimate users out of a computer and demands a fee to rectify the situation is best comprehended along with other blackmailers. Network adventurers may be technological pranksters and cause harm along the way, but they have little in common with any other sort of criminal. This misunderstanding leads many computer-owning companies to have a wholly distorted view of the risks they face. If you don't analyse the problem properly you'll never get any sort of viable preventative program. But this confusion has now resulted in legislation for which I fear there are doomed expectations.

I would have preferred an approach to law reform which assumed that most computer-related crime would continue to be handled under the framework of existing statute and common law. I would have liked the Law Commission to have concentrated on strengthening those areas where conventional law looks weak. As I have tried to show, a reform of the Criminal Damage Act, 1971 would have been more effective than what was actually produced in section 3 of the Computer Misuse Act. A reform of the law of deception within the Theft Act would have produced some of the results hoped for in section 1 of the Computer Misuse Act, without involving many of the uncertainties of coverage and interpretation that the new Act has provided. It seems to me that people have ignored the many remedies that the civil law has. For those many crimes involving employees and sub-contractors, including unauthorized access and information theft, the law of contract provides many potent remedies, including dismissal. Student hackers may be more effectively dealt with under Disciplinary Codes, where the offence may be set in such vague terms as "conduct likely to bring the university into disrepute", where the standards of proof are lower and where the sanction may be loss of the opportunity to take a degree. In other situations the civil wrong of breach of confidentiality, although flawed, can be effective in instances of information theft.
What a pity there has been no follow-up to the Law Commission's work in this area, which has lain largely ignored since 1981.
The Computer Misuse Act delivered only one thing, and I return here to something I hinted at in the beginning: it gave the illusion that something was being done. Compared with almost anything else that a country might do - rethinking the role of the police in white collar crime, providing different career patterns and training for policemen, keeping your Crown Prosecution Service up to strength - passing legislation is unbelievably cheap. All it takes is the time of a few civil servants and Members of Parliament and a few printing bills. Finally, the Computer Misuse Act distracts management from examining in rigorous detail what they can be doing to stay in control of their computer resources. It develops in their mind the notion of unpredictable 'computer criminals' whose activities cannot otherwise be restrained. We need to make the discussion of computer security much more sober than it is at the moment. Effective computer security means a multi-disciplinary approach, where computer security is seen as just one aspect of securing the assets - physical, cash and intellectual - of the business environment that the computer serves. Here solutions come from a balance of computer-based and administrative controls, and the law provides remedies only for the most outrageous of activities. As for the investigation of crime, it is surely better to talk of experts in computer forensics, who can aid and support the ordinary investigators when a crime goes inside a computer and evidence must be extracted in a form in which it will be useful in legal proceedings.
RESOLVING DISPUTES
Lessons in litigation
Steve Lamer
Computers have a life of about five years. Included within that five years is a period which