Computer-enabled crimes, ie those crimes which involved the use of a computer to commit such crimes as forgery, fraud, obscenity, criminal damage and hate crimes, had been governed by a variety of legislative instruments, though sometimes amended to close loopholes and lacunas and will be identified and addressed more fully below.
The CMA was enacted to redress the clear inability of criminal law to combat computer fraud and misuse crimes due to advances in technology or the courts interpretation of the law and made hacking, unless performed under statutory powers, and the introduction of viruses into computer systems, criminal offences. However, existing legislation and the common law was left to deal with computer-enabled traditional crimes where alternative charges could be used. The first case heard under the CMA established that only one computer need be involved.
One of the CMA’s main failings was that it was only applicable to computer crimes which accessed or modified computers without authorisation. However, where authorisation is given for access but none for accessing programs or data this must be clearly defined in order to obtain a conviction. Technological developments meant that the CMA gave no legal protection or redress for DoS or DDoS attacks.
Intent need not now be proved. Recklessness is sufficient for the making, adapting or supplying of tools for use, or likely use, in computer offences and together with the inclusion of reckless and intentional launching of DoS, DDoS, botnet or blended threat attacks, these are now all criminal offences.
Another major concern is that computers and other electronic technological devices can be used to commit fraud. This computer crime can be used to obtain money, have an identity accepted from information misappropriated. However, most information or data is not property unless safeguarded under criminal law.
Computer fraud can be defined as “any fraudulent behaviour connected with computerisation by which someone intends to gain dishonest advantage.” It can be committed by input, output and program frauds whether to access data without the required payment, to make phantom withdrawals from ATM’s or to phish or pharm for data or even to use a telecommunications service with the intention not to pay for it.
The enactment of the recent Fraud Act (hereinafter FA) provided an opportunity not only to modernise by including on-line frauds and other offences using technology, redress judicial trouble in applying existing law and of bit by bit amendments, but to finally define fraud and article. Fraud can now be committed in one of three ways; by (1) making a false representation e.g. phishing. There is no necessity to have need a victim as the attention is on the representation itself. This removes occurrences where a credit card is used in breach of the victims authorisation; (2) wrongfully failing to disclose information e.g. in fraudulent credit card transactions over the Internet or where a person is under a legal duty to disclose information. The dishonesty is in the failure to give the information and not of any representation. Finally (3) an offence can be committed by secretly abusing a position of trust e.g. an employee enables a competitor to win a tender contrary to his contractual duties. All offences are inchoate but require dishonesty as defined in the Ghosh test and an intention to gain some material benefit. However, there is no longer any requirement to prove any actual gain or loss, or that the property belonged to another or that there was a link between the deception and the obtaining. The FA also repeals some of the deception and other offences in the Theft Acts, updates the offence of dishonestly obtaining a service and introduces new offences which will cover the credit card skimmers on ATM’s.
One of the main problems prior to the FA, which now removes the need for a person to be deceived, was that in order to convict, many frauds prosecuted under some of the theft offences required proof of the deception of a human mind. Deception is
“…any deception (whether deliberate or reckless) by words or conduct as to fact or as to law, including a deception as to the present intentions of the person using the deception or any other person.”
The common law had previously defined deception, but this proved difficult for the courts to apply especially where ATM’s or other electronic means were used to commit crimes which led to acquittals or quashing of convictions as the courts concluded it was not possible to deceive a machine.
Computer crime encompasses issues of the processing, storage, display or transmission of personal information or data and some offences may be charged under the Data Protection Act (hereinafter DPA) as opposed to the CMA or PJA. The DPA widened the range of data protection further than that of automatically processed information and makes individuals liable to prosecution for any unauthorised disclosure of someone’s personal data. It applies if personal data is kept on, or in connection with, a web site, computer, office system or in manual records providing that they form part of a relevant filing system or if the holder of that information or data is unregistered.
There are websites that sell fake ID documents. They usually require a purchaser’s agreement that these documents are for “novelty and fun purposes only”. It was recently estimated identity fraud cost the UK market £1.7 billion. Whilst this may be a criminal offence, it is one that would be difficult, even with recent legislation passed, to effectively prosecute as the documents are not listed, they themselves worthlessand intent would be extremely hard to establish. However belief or recklessness may be possible to establish.
Obscenity and pornography can also be unlawful data use and data publication and a public telecommunications network’s definition can encompass Internet traffic as it uses phone lines or other cables. The Internet provides an illegal way to publish, view, storeand transmit obscene material which “tends to deprave and corrupt those who are likely…to read, see or hear it” or indecent material. Additionally, the burden of proof is reversed.
The pornographic depiction of children in cyberspace has become a growing concern and recent legislation has been modernised to attempt to prevent and convict those involved in such photographic imagery, is criminal and virtually a strict liability offencewhether committed in the UK or abroad. However, these photographic or pseudo-photographic images must be in the possession of the defendant and need only be for their own useand not for financial gain or sharing. Even if they are unaware of downloading them, as their browser setting allows it to be, the offence of “making” is satisfied.
The Internet provides not only the opportunity to possess and to supply obscene or indecent material, but creates a danger from online predators by their submitting children to sexual grooming which can occur without any meeting actually taking place, or in the commission of other offences. The recent Safeguarding Vulnerable Groups Act includes some online services as regulated activities. This
means that any organisation which knows it is regulated and knowingly employs a barred person to perform work, commits a criminal offence.
The Terrorism Act 2006 makes the dissemination of terrorist publications or training material, any acts preparatory to or for the encouragement of terrorism and the threat or use of hacking a potential act of cyber-terrorism. Hacking must be designed to interfere with or seriously disrupt an electronic system, or by influencing the government or intimidating a section or all of the public and to be used to advance a political, religious or ideological cause. However, the internet can be used legitimately even for an illegitimate useand any prosecution will be made under the CMA, Criminal Damage Act or PJA.
Inciting either racial or religious hatred by publishing and disseminating online materials is a criminal offence and the Racial and Religious Hatred Act was enacted to close the gaps in existing law which had addressed anti-religious, racist, inflammatory, politically subversive or seditious statements on computer systems or the internet. Recent legislation has extended this to include hatred against people on grounds of sexual orientation.
The Protection from Harassment Act, updating the Malicious Communications Act makes 'stalking' or harassment by targeted email or other online method a criminal offence and sending unsolicited email messages and advertisements can also be Internet harassment if the content is offensive or is explicitly sexual.
Whilst many computer crimes are covered by statutory legislation, some even though not truly criminal are covered by common law; i.e. laws of defamation, contract, confidence and conspiracy to defraud, apply in cyberspace. Postings on internet message boards, discussion forums, blogs and other similar facilities can, if defamatory may be held to be libelous. An individual or company can terminate a contract of employment, under the law of contract, where an employee has breached confidentiality terms in that contract by their using or disseminating, without permission, information contained in company computers, digitalised data and programs. They can also sue to prevent the spread and to enforce the return of such information. The law of conspiracy to defraud does not require a deceit and has been excluded in the FA reforms as being adaptable and therefore could be applied, even when another crime is committed, when the original computer crime is carried out or to criminal acts outside UK jurisdiction.
In conclusion computer crimes are usually the result of weaknesses in computer systems which allow some people to take advantage of them. The speed at which technology evolves and the process and speed at which legislation is implemented means that any law is only adequate at that particular time it is drafted. The recent case of McKinnon v USA for offences under s2 CMA committed from the UK but target and damage caused in USA shows that it may be better to be tried under one country’s laws than those of another.
Many people, as a result of computer technological advances, now bank on-line and buy goods and services over the internet from others who may be based here in the UK or overseas. Cyber frauds are developing from the familiar fraudulent use of credit cards, as the cards themselves need not be used, to raiding these e-bank accounts.
There are already critics who are concerned that anyone who makes software tools, which could be used for legitimate as well as illegal hacking, could be criminalised as legislative provisions do not make any difference for the reasons for their use. However, s3A CMA will require enforcement agencies and the judiciary to ascertain whether any offences have been satisfied as articles can be quite legally made, supplied etc before convicting.
Paul Mobbs stated:
“…it is difficult to clamp down on computer-based crime by legislating against certain types of activity without affecting others…many innocent people could be covered as part of efforts to control a very small minority of 'Net users.”
Furthermore, consideration has not been given, in any new UK legislation, to some cyber issues such as spamming.
Between 2001 and 2006 there were only 89 convictions under the CMA. The amendments made to the CMA and the introduction of the PJA should go some way to convict those committing DoS and DDoS attacks and the stiffer penalties may help to deter, as viruses can be both costly in terms of finance and disruption. The Solicitor-General stated that there were over 36,000 prosecutions under the FA since its introduction and it would appear that the Act is effectively tackling the prior problems of needing a deception, the obtaining property of another which resulted in a permanent loss as the loss can now be temporary or being open just to the possibility of a loss.
The recent National Fraud Strategy identified that “fraudsters [annually] rob us all of around £14 billion pounds of hard-earned income…fraudsters are adept at adapting…advances in technology will continue to facilitate new types of fraud,” and includes a data sharing framework and establishment of anti-fraud organisations which may assist in the battle against e-crimes.
Computer crimes are borderless and as a result of fast technological advances new computer crimes, and the commission of existing or more traditional crimes, are often unforeseen and unforeseeable. In order not to have laws that are successful in preventing, enforcing and punishing computer crime there needs to be co-operation from all countries, and with similar national and international laws.
It is virtually impossible to legislate against unknown risks and, if drafting is too middle-of-the-road, this may result in legislative instruments which are either too broad or constricting to be effective. As Charlotte Walker-Osborn stated:
"the law takes a while to catch up and the practice of it is key…it is not going to put strong offenders off… the cross-jurisdictional nature of many online crimes will also make it difficult to prosecute offenders under these laws.”
Recent legislation does appear to have strengthened existing law, and therefore the statement given may be correct. However, the law will continue to be in a catch-up situation as new legislation and amendments are reactive and may be seen by some not to be reasonable in the prevention, deterrence and punishment of computer and cybercrimes.
WORDS : 3,257
‘Introduction to: Information Technology Law’ Bainbridge DI, (5th edn chap.27 p 359)
House of Lords Science and Technology Committee – Personal Internet Security, August 2007
Using advanced skills and knowledge to gain access to computer held data but without any criminal intentions to do anything with that information.
Unprincipled or criminally targeted computer trespassing
Detective Sergeant, City of London Police
‘To protect and Serve’ ISNOW (2009) winter issue
'Revision of the Computer Misuse Act’ All Party Internet Group (2004) found the lack of a definition had not been a problem and “computer” would be understood by courts to 'have the appropriate contemporary meaning' …the law is intended to provide stability and structure to societies and constantly changing the definition to address the constant flood of innovation would undermine this”.
s1(1) Data Protection Act 1998
DPP c McKeown [1997] 2 Cr App 155 p163
s32(1) Communications Act 2003, implementing Directive 2002/21/EC
House of Lords Science and Technology Committee – Personal Internet Security, August 2007
European Information Society Group (EURIM) defines e-crimes as “any criminal activity that involves the use of computers or networks in its execution, encompassing the terms cybercrime, hi-tech crime, computer crime and internet crime.”
Serious Organised Crime Agency (SOCA)
“[a] type of crime that can now be committed because technology exists which formerly did not … and[b] crimes moving on-line by criminals using and exploiting technology.” House of Lords Science and Technology Committee – Personal Internet Security, August 2007
An explicit attempt by attackers to prevent legitimate users of a service from using that service, which can be directed at any network device, including attacks on routing devices and web, electronic mail or Domain Name System servers.
A distributed denial of service attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
I Waldron “Computer Law: the Law and Regulation of Information Technology” (edited by C Reed and J Angel, OUP 2007)
Remove the internet and the criminal activity continues
s1(e) Terrorism Act 2000, amended 2006
Criminal Justice and Public Order Act 1994
Remove the internet and the activity continues but the global scope lessens
D Wall, “What are Cybercrimes?” Criminal Justice Review (2004)17th edition
Bryne 1994 15 Cr App R (S) 34
s1(1)(a) Data Protection Act 1994
Medical records hacked into to change drugs or dosages leading to death or injury
Child abuse resulting from pornographic or pseudo images
“…criminal acts committed using electronic communications networks and information systems or against such networks and systems.” ‘Towards a general policy on the fight against cybercrime’ European Commission report (SEC 2007aaa)
Council of Europe Convention on Cybercrime 2001: Title 1 Offences; Offences against the confidentiality, integrity and availability of computer data and systems; Title 2 Offences: Computer-related Offences, Title 3 Offences: Content- related Offences; Title 4: Offences related to infringements of copyright and related rights
Title 2: Art 7 computer related forgery, Art 8 computer related fraud
Title 3: Article 9 Offences related to child pornography
Art 2 Illegal access, Art 3 Illegal interception, Art 4 Data interference, Art 5 System interference, Art 6 Misuse of devices
Laws regulating the technological features of information ie processing, storing and transmitting.
http://www.internetworldstats.com/stats.htm
So small as to not really matter
E Wilding, ‘Hacked Off’ 156 NLJ 753 5 May 2006
e.g. Norway (2006), Cyprus(2005) and USA(2006) under the European Cybercrime Convention 2001
2006 in force 1st October 2008
European Cybercrime Convention 2001, European Framework Decision 2005/222/JHA ‘attacks against information systems.’
Alan Lawson, Butler Group ( Mondag.com 23 June 2004)
s1 Computer Misuse Act 1990 amended by s35 Police and Justice Act 2006 and Schedule 15 Serious Crime Act 2007
s1 Police and Justice Act 2006
R v Bow Street Magistrates Court and Allison ex parte Government of the United States of America [2002] 2 AC 216
s3 Police and Justice Act 2006 amended by s36 Police and Justice Act 2006 and Schedule 15 Serious Crime Act 2007
s2 Police and Justice Act 2006
s10(5) Criminal Damage Act 1971 requires modifying the contents of a computer or its storage system is not damage unless its effect is to physically damage the computer or storage systems condition.
The lack of laws or of legal sources to address a situation
R v Gold and Schifreen [1988] 2 WLR 984 Prosecution was brought under s1 Forgery and Counterfeiting Act 1981
R v Preddy [1995] Crim LR 564, CA held machines could not be deceived. The government had to rush through emergency legislation, Theft (Amendment) Act 1996 which introduced a new offence “obtaining a money transfer by deception”.
Oxford v Moss [1978] 68 Cr App R 183 Information being held not to be property under s4(1) Theft Act 1968
Computer Misuse Act (Amendment) 1994
s55 Data Protection Act 1998 can be an alternative charge to s1 Computer Misuse Act 1990 offences
R v Cropp [1991] 7 CLSR 168
DPP v Bignell [1998] 1Cr App 1 R 1
R v Whiteley [1991] 93 Cr App R 25
R v Bow Street Magistrates Court and Allison ex parte Government of the United States of America [2002] 2 AC 216
s3(3) Computer Misuse Act 1990 as amended by s36 Police and Justice Act 2006
s3A Computer Misuse Act 1990 as amended by s37 Police and Justice Act 2006
ie a botnet or 'zombie network' or 'zombie army'. A collection of internet-connected PCs which have been compromised by malware infection so they can be controlled remotely by a malicious outsider often without the PC owners' knowledge.
Meta-trojans contain multiple layers or viral infection
credit card skimmers on ATM’s,
R v Sunderland unreported 20 June 1983
Oxford v Moss [1978] 68 Cr App R 183
Personal information under the Data Protection Act 1998, government information under the Official Secrets Act
e.g. misuse of cash cards, creation of ghost accounts.
e.g. theft of pre-signed cheques.
Creating programs in order to transfer money from one, or more, accounts to a specially created “end user” account.
R v Gold and Schifreen [1988] 2 WLR 984
R v Munden [1996] unreported
process of attempting to acquire sensitive information such as usernames, passwords and credit card details by pretending to be a trustworthy individual in an electronic communication.
redirecting a websites traffic to another bogus website by either changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server’s software.
s42 Telecommunications Act 1984 repealed; ss126 and 127 Communications Act 2003
2006, in force 15th January 2007
Repealing ss15 and 16 Theft Act 1968 and ss 1 and 2 Theft Act 1978.
Theft Act 1978, Theft (Amendment) Act 1996
R v Charles [1977] AC 177, R v Lambie [1982] AC 449
i.e. The incomplete crimes of incitement, conspiracy and attempt of a substantive crime.
R v Ghosh [1982] 75 CR App R 154 established the two part test for dishonesty; “was the act dishonest according to the standards of reasonable and honest people and did the defendant realise that the act was dishonest by those standards”.
s17 Fraud Act 2006. s17 Theft Act 1968 “with intent to” has been replaced by “with a view to”.
R v Gold and Schifreen [1988] 2 WLR 984
ss15, 16 and 25 Theft Act 1968; ss 1 and 2 Theft Act 1978.ss15A and 15B Theft (Amendment) Act 1996
Automatic Teller Machines
DPP v Ray[1974] AC 370 HL
Re London & Globe Finance Corp Ltd [1903 1 Ch 728 “to induce a man to believe a thing which is false and which the person practising the deceit knows or believes to be false”.
R v Thompson [1984] 1 WLR 962
R v Munden [1996] unreported
Davies v Flackett [1973] RTR 8; R v Preddy [1996] AC 815 HL Re Holmes [2005] 1 All ER 490
Schedule 1 Part 1 Data Protection Act 1998
Durant v FSA [2003] EWCA Civ 1764 held to be personal the information must affect a persons privacy and established a 2 part test (1) Is the information biographical and (2) Is the information focused
s21 Data Protection Act 1998
Durant v FSA [2003] EWCA Civ 1764
s17(1) Data Protection Act 1998
editable templates of bank statements, utility bills, payslips and P60s
Home Office guidelines 2006
s5(2) of the Forgery and Counterfeiting Act 1981
s26 Identity Cards Act 2006 lists
s5(2) Forgery and Counterfeiting Act 1981; s25(5)Identity Cards Act 2006; s6 Fraud Act 2006 offence”; ss44 and 45 Serious Crime Act 2007
s44 Serious Crime Act 2007
s45 Serious Crime Act 2007
s42 Telecommunications Act 1984 as amended by Communications Act 2003
s68 and Schedule 14 Criminal Justice and Immigration Act 2008 implementing E-Commerce Directive (Directive 2000/31/EC)
ss 1 and 2 Obscene Publications Acts 1959 and 1964
R v Fellows and Arnold [1997] 2 All ER 548 computer files as images held in digital form were copies of a photograph and were Attorney General’s Reference [1980] no5 of 1908 72 cr
s2(1) Obscene Publications Acts 1959 and 1964
s43 Telecommunications Act 1984; s2(1) Obscene Publications Acts 1959 and 1964
s1(1) Obscene Publications Acts 1959 and 1964. R v Perrin [2002] EXCA Crim 747 established a 5 criteria test for obscene material.
ss 63-67 Criminal Justice and Immigration Act 2008
s46 Sexual Offences Act 2003
s1 Protection of Children Act 1978 as amended by s45 Sexual Offences Act 2003
Criminal Justice and Immigration Act 2008, Sexual Offences Act 2003
s37 Sexual Offences Act 2003
s1(1)(a-d) Protection of Children Act 1978 as amended by ss14 and 15 Sexual Offences Act 2003, ss84-87 Criminal Justice Public Order Act 1994
No requirement to prove mens rea.
s72 Criminal Justice and Immigration Act 2008 amending s 72 Sexual Offences Act 2003 supporting Council of Europe Convention on the Protection of Children Against Sexual Exploitation and Abuse.
ss69 and 70 Criminal Justice and Immigration Act 2008 extends the definition of an indecent photograph in the Protection of Children Act 1978 to include a tracing or other image derived from a photograph
s37 Protection of Children Act 1978
s160(1) Criminal Justice Act 1988
R v Porter [2006] EWCA Crim 560 held if images cannot be retrieved or access gained to them then there is no possession and is a matter of fact for the jury to decide if the images are beyond the defendants control and therefore possession.
In 1999 rock star Gary Glitter and pleaded guilty to 54 charges of downloading child porn.
s1(1)(a) Protection of Children Act 1978
R v Westgarth Smith and Jones [2002] EWCA Crim 683
s73 Criminal Justice and Immigration Act 2008 inserts Schedule 15 into Sexual Offences Act 2003
R v T [2005] EWCA Crim 2681
ss5-12 Protection of Children Act 1978
2006 as amended by the Prescribed Criteria and Miscellaneous Provisions Regulations 2009
Schedule 4 Safeguarding Vulnerable Groups Act 2006
Listed on the sexual offenders register
amending the Anti-Terrorism Crime and Security Act 2001 and Serious Organised Crime and Police Act 2005 and amended by the Counter-Terrorism Act 2008
David Copeland discovered how to make the nail bombs he used to bomb a gay public house in London, from the Internet. BBC June 2000
the law of blasphemy, Race Relations Act 1976
s74 and Schedule 16 Criminal Justice and Immigration Act 2008
Lennox and Others v King [2004] EWCA Civ 1329; Keith-Smith v. Williams [2006] All ER (D) 297 QBD
s1 Criminal Law Act 1977 as amended by s5 Criminal Attempts Act 1981
Scott v Commissioner of the Police of the Metropolis [1975] AC 819 held “…defraud is given its everyday meaning.”
s12 Criminal Justice Act 1987
Criminal Justice (Terrorism and Conspiracy) Act 1998 as amended.
[2008] UKHL 59. Provisional date for judicial review 9th and 10th June 2009.
The necessary details can be obtained from a thrown away credit card transaction receipt or the cardholders name, delivery address, card number and expiry date.
As amended by s36 Police and Justice Act 2006 and Schedule 15 Serious Crime Act 2007
ss1 and 3 Computer Misuse Act 1990, as amended
GreenNet Civil Society Internet Rights Project Revision 1, April 2003.
Regulation of Investigatory Powers Act 2000 surveillance of targeted computer networks
Unsolicited commercial e-mails
DPP v Lennon [2006] EWHC 2101 (Admin) held DoS attacks constitute an offence under s3 Computer Misuse Act 1990
“I Love You” virus 2000 estimated to have cost $8.75bn Computer Crime and Security Survey 2002
House of Commons debates (2009) 26 February Oral Answers to Questions — Solicitor-General
The Rt Hon Baroness Scotland QC Attorney General
Sandra Quinn Interim, Chief Executive of the National Fraud Strategic Authority
s68 Serious Crime Act 2007
9 May 2007, 58 government and banking websites were shut down under a simultaneous DDoS attack co-ordinated from Russia.
Goldsmith J and Wu T, ‘Who Controls the Internet?’ (2006) OUP
R v Fellows [1996] the investigation carried out in the UK as US enforcement agencies believed conviction more likely under UK legislation.
Vnunet.com (2008) 1 October