Walden categorises crimes that involve computers, describing them as “the instrument of the crime, such as in murder and fraud, the object of the crime, such as theft of processor chips; or the subject of the crime, such as ‘hacking’ or ‘cracking’”. The Council of Europe’s Convention on Cybercrime has set the foundation for international harmonisation in this area, suggesting a change in legislation. This treaty has identified three substantive categories which legislation must address. Anne Flanagan recognises these three areas and explains each of these categories and the crimes they concern.
“The first is ‘offences against the confidentiality, integrity and availability of computer data and systems’ that includes illegal access, illegal interception, data interference, systems interference and misuse of devices. The second is ‘computer-related offences’ that encompasses forgery and fraud. The final division might be labeled content-related offences that address child pornography and infringements of copyright and related rights.”
The CMA was enacted before the Cybercrime treaty was made; it is therefore impractical to assume that the CMA would comply with the crimes stated within the treaty. However, certain amendments have now been passed which do comply with some of the requirements stated within the treaty in respect of the enforcement of offences which are not criminal offences in the UK.
During the passing of this act, the legislature had considered the case law on the area of hacking, producing an act which made it illegal to commit such an offence. However, this act was passed in hindsight and therefore did not consider other computer-related offences which may be committed. The CMA 1990 was subject to a lot of criticism; it was suggested that the legislature rushed to enact this legislation and that it is therefore vague in the types of offences that it actually covers. The case of DPP v Bignall made apparent the faults within this legislation. In this case, the defendants were convicted under s.1 of the CMA for obtaining details relating to two motor cars from the Police National Computer (PNC). The DPP’s argument throughout the trial was that the Commissioner of Police, who controlled access to the computer, gave the officers authority to access the information solely for police purposes; he argued that the use of the PNC for personal gain was therefore unauthorised. This argument failed in all courts on the grounds that s.1 had been enacted to prevent unauthorised access, i.e. hacking, not to “protect the integrity of computers rather than the information stored on the computers”, which it was stated in this case was the purpose of the Data Protection Act (DPA). The courts looked at the definition of unauthorised as stated under section 17(5) to decide whether the officers could be tried for having unauthorised access to the data held within the PNC. However, the definition states “he is himself not entitled to control access of the kind in question to the program or data”; since the officers did have control of access to the data stored within the PNC, it could not be held that they had unauthorised access, and therefore there was no breach of the CMA.
The case of R v Bow Street Magistrates Court and Allison (A.P.) ex parte Government of the United States of America also criticised the use of “unauthorised access” in the CMA and how it had been applied in the case of DPP v Bignall. The House of Lords explained the true meaning of the provisions within the CMA and how they should be interpreted. Lord Hobhouse of Woodborough stated “…the authority must relate not simply to the data or programme but also to the actual kind of access secured.” He adds to this point, stating:
“[T]he word ‘control’ [does not mean] a physical sense of the ability to operate or manipulate the computer. It does not introduce any concept that authority to access one piece of data should be treated as authority to access other pieces of data ‘of the same kind’ notwithstanding that the relevant person did not in fact have authority to access that piece of data. Section 1 refers to the intent to secure unauthorised access to any programme or data. These plain words leave no room for any suggestion that the relevant person may say: ‘Yes, I know that I was not authorised to access that data but I was authorised to access other data of the same kind’.”
Therefore, applying this judgement, the defendant, who had the ability but not the authority to access her employer’s database, was held to be within the meaning of ‘unauthorised access’ under section 1 of the CMA.
It is apparent that this judgement conflicts with the decision in Bignall, causing further controversy over the act, since it does not give the courts a clear definition of “unauthorised access”. Lord Hobhouse considered carefully the Bignall decision and stated it was “probably right”. He distinguished the case of Bignall on the grounds that the access was authorised as “it was secured by the computer operators, who were authorised to access the PNC in response to requests from police officers”. The courts applied the doctrine of innocent agency; MacEwan states that the lack of mens rea on the part of the computer operators “means that they should not have been viewed as participants in the alleged offences”. He concludes this argument by stating, “…the Principal is the participant in the crime whose act is the most immediate cause of the innocent agent's act”. Using this doctrine, the case was distinguished from the later Bow Street case.
In his article, MacEwan explains the loopholes that “occurred in the application of the…Act”. The first loophole was illustrated in the case of DPP v Lennon; this case concerned an email bombardment of a company’s email system by a recently dismissed employee. He had been prosecuted under s.3 of the CMA; however, since the email system was designed to receive emails, his sending of them was authorised. The official name for this is a Denial of Service (DoS) attack; this, however, was not an offence covered within the CMA. It was therefore not a criminal offence, and the defendant could not be found guilty of it.
The DoS attack has become a more common offence since the introduction of networks; this attack causes a loss of services to users. Susan Brenner and Marc Goodman analysed the 2001 survey and found “that denial of service attacks are increasing”; they also found that these attacks are not reported, as “victims may not realize that the conduct involved is a crime, or may decide not to complain for reasons of embarrassment or corporate credibility.” MacEwan also looks at the procedural difficulties; he finds that “Computer crime is substantially under-reported”. He gives a number of reasons for this. Firstly, he feels that corporate victims would want to avoid bringing proceedings against their attackers, since this would bring unwanted publicity in relation to the companies’ security systems; avoiding proceedings is a way to reduce further loss to the company. Another reason for not bringing proceedings against a hacker is the deterrent effect of the “distinct possibility that the perpetrator would not be convicted”; the hacker would be difficult to track down due to the global extent of the use of the internet. Even if this hacker could be tracked down, the computer evidence could be disputed, as it could be destroyed “leaving no admissible trace behind”. There has been more criticism in relation to the police response to computer crime; “Lack of funding, manpower and expertise remain weaknesses, notwithstanding the establishment of the National High Tech Crime Unit in April 2001”.
MacEwan also considered the Distributed Denial of Service (DDoS) attack, which he states, “posed a more potent threat”. A DDoS attack involves a wide range of remote computers, infected by a virus or malware, attacking a recognised target at the same time. MacEwan looks at the judgement in Lennon; he feels that it was offered up as proof of the real need for reform of the CMA in this respect. He believes criticism from the media derived from this flaw in the act, and that this contributed towards the Government’s “decision to legislate further on the issue of DoS attacks”.
Reforms have been brought in under the Police and Justice Act (PJA), bringing about changes to ss.1 and 3 of the CMA. The key changes are the new offences of impairment and supply of “hacking” tools. Section 36 of the PJA replaces unauthorised modification of computer material with a “broader prohibition tackling unauthorised acts which impair the operation of a computer”. Section 37 creates a new offence of “making, adapting or supplying hacking tools…with the intent, or belief that such material would be used to commit a hacking offence”. A closer look at these reforms shows that they also contain flaws.
Section 36 makes DoS attacks unlawful and therefore prosecutable. MacEwan discusses this section in relation to the Cybercrime Convention; the Convention refers to the “serious hindering” of computer systems, and the Framework Decision to the “serious hindering or interruption” of information systems. However, in the PJA, “serious” is not included; this broadens the legislation in this area. Moreover, the mens rea element has been altered to include that the offence must be committed with “a reckless state of mind”, thus broadening the offence further. MacEwan feels that these changes “could prove to be a costly example of legislative overkill”. He criticises the maximum term of imprisonment, which has been increased to 10 years, an increase of 5 years.
Section 37 deals with the supply of materials that could be used for hacking-related offences; this complies with the requirements of the Cybercrime Convention. This, however, attracted heavy criticism; “The main problem stems from the fact that ‘researchers in information security, penetration testers and other professionals in the field … may develop and make available such tools in the course of their study or business’.” This highlighted the flaws within the mens rea element of this offence: the mere belief that the articles in question would be so used is sufficient to commit this offence. This is more problematic when it is put in context; a password recovery program could be used for unlawful purposes even though it may have been developed for innocent purposes. It was noted that the legislature were determined to “have these less stringent mens rea requirements for this offence”. When addressing the concerns about the “interpretation of the word ‘likely’ within the newly changed section, [Hazel Blears] merely stated that ‘the word ‘likely’ is pretty well known in our legal system’.” This reasoning, however, has been argued to be inadequate, as it causes problems for the courts when applying the terms. In a later case, when applying this section, Lord Bassam of Brighton advised that “[the word] ‘likely’ reflects a belief that there is a strong possibility”. This vagueness has also caused a lot of criticism in relation to this cause.
In conclusion, the CMA has been heavily criticised for the way it deals with computer-related offences. It can be said that the CMA was introduced prematurely, as there was a need to create an act to deal with computer-related offences, in relation to hacking crimes. However, this act was brought into force too early, without much thought being given to other crimes which can arise from the internet. This is visible from the cases of Bow Street, Bignall, and Lennon et al. Bow Street made visible the flaws within the legislation in relation to “unauthorised access”. Lennon, however, brought to light a new offence of DoS attacks, making apparent a much greater offence of DDoS attacks. These offences have been addressed by the PJA, under ss.35-38. This, however, has also come under heavy criticism as it deals with DDoS attacks; the words used in s.36 are wide in their meaning, which makes the definition of the offence wide. Moreover, the s.37 offence relates to the supply of materials to be used for hacking-related offences. This section also makes materials which can be used for innocent purposes illegal, one of which is a password recovery system. These two sections are compliant with the Cybercrime Convention; however, they do cause controversy, and it can therefore be said that the reform that has been brought in would need to be addressed in relation to the problems it raises. Overall, it is my view that the CMA would need a full reform to address the criticisms it has raised since it was brought into force.
Jarvis, N., Control of Cybercrime - is an end to our privacy on the Internet a price worth paying? Part 1, C.T.L.R. 2003, 9(3), 78
Police and Justice Act 2006 s35-38
MacEwan, N., The Computer Misuse Act 1990: Lessons from its past and predictions for its future, Crim. L.R. 2008, 12, 955
(1979) 68 Cr. App. Rep. 183
Forgery and Counterfeiting Act 1981
Hansard, House of Commons, 9th February, 1990, col. 1134
Bell, R.E., The prosecution of computer crime, J.F.C., 2002, 9(4), 310
I. Walden, ‘Computer Crime’ at 295 in COMPUTER LAW (5th ed. C. Reed & J. Angel eds. 2003)
Convention on Cybercrime, Nov. 23, 2001, Europ. T.S. No. 185, http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm, visited 21st January, 2011
Flanagan, A., The law and computer crime: reading the script of reform, I.J.L. & I.T. 2005, 13(1), 100
Wong, M.W.S., Cyber-trespass and "unauthorized access" as legal mechanisms of access control: lessons from the US experience, I.J.L. & I.T. 2007, 15(1), 119-120
Ormerod, D., Smith and Hogan: Criminal Law, 12th edn (Oxford: OUP, 2008), p.167
Y. Akdeniz, Encyclopaedia of E-Commerce Law (2005), para.15.007.
Brenner, S.W. & Goodman, M.D., The emerging consensus on criminal conduct in cyberspace, I.J.L. & I.T., 2002, 10(2), 155
Conclusions of the Study on Effective Measures to Prevent and Control High-Technology and Computer-Related Crime: Report of the Secretary-General, U.N. Commission on Crime Prevention and Criminal Justice, 10th Sess., Item 4 at 10, U.N. Doc. E/CN.15/2201/4 (2001), http://www.odccp.org/adhoc/crime/10_commission/4e.pdf.
Levi, M., Regulating Fraud (1987), p.136; APIG Report, Revision of the Computer Misuse Act (2004), p.10; National Hi-Tech Crime Unit 2005 Survey at http://www.nhtcu.org; CSI/FBI 2004 Survey at http://i.cmpnet.com/gocsi/dbarea/pdfs/fbi/FBI2004.pdf [Accessed January 25, 2010].
Cornwall, “Hacking away at computer law reform” (1988) 138 N.L.J. 702
Akdeniz, “Section 3 of the Computer Misuse Act 1990” (1996) 3 Web J.C.L.I. 6.
Espinger, T., “Teenager cleared of email attack charge”, ZDNet News, November 2, 2005 (http://news.zdnet.co.uk/security/0,1000000189,39235359,00.htm [Accessed January 25, 2010])
Worthy, J. & Fanning, M., Denial-of-Service: Plugging the legal loopholes?, Computer Law and Security Report, 23 (2007) 195
Walden, Computer Crimes and Digital Investigations (2007), p.196.
Hansard, HC Standing Committee D, col.262 (March 28, 2006)
Hansard, HC Standing Committee D, col.267 (March 28, 2006)
Hansard, HL Vol.685, col.213 (October 10, 2006).