Computer Weekly is campaigning for the Government to review UK
computer crime laws. It is 12 years since the Computer Misuse Act
became law, and police and IT user groups are concerned that it has
failed to keep pace with the changing way technology is used. Bill
Goodwin reports.

When the Computer Misuse Act came into force in 1990 few people had
heard of the Internet, and the World-Wide Web was still a twinkle
in the eye of its inventor, Tim Berners-Lee.

Nevertheless, there was a thriving hacker community. Enthusiasts
used mass-dialling techniques to identify the direct dial-in lines
to vulnerable computer systems. Once inside they often found that
the computer system's designers had paid scant regard to security.
Many required no passwords. Others could still be accessed using
the default passwords set by the hardware manufacturers. And none
of it was against the law.

The public outcry which followed the acquittal of two notorious
hackers set the scene for a change in the law. Robert Schifreen and
Steve Gold hit the headlines after breaking into Prince
Philip's mailbox on the Prestel computer system. Following a police
raid they were charged with forging the Prince's passwords, but
were acquitted on appeal. The case drew attention to a gaping hole
in the law.

The government of the day supported a private member's bill,
brought by MP Emma Nicholson, which went on to the statute books as
the Computer Misuse Act 1990. It introduced three new offences -
accessing a computer system without authorisation, unauthorised
access with the intent to commit a further crime, and the
unauthorised modification of computer data. Hackers prosecuted
under the Act could face a maximum fine of £5,000 and a prison
sentence of up to six years.

Since the Act's introduction the Internet has driven a fundamental
shift in the way that companies use their computer systems. In 1990
the emphasis was on keeping undesirable people out. Today companies
are keen to let as many people into their systems as possible
through the World-Wide Web, to sell products, to let them view on-line
marketing material and to provide help services.

This development is blurring the lines between authorised and
unauthorised access. Legal experts believe that the Computer Misuse
Act may now be open to challenges from hackers who can argue that
they cannot be guilty of unauthorised access when companies are
going out of their way to encourage the public to visit their
sites.

Peter Sommer, an IT security expert with the London School of
Economics, planned to raise this issue in defence of young Welsh
hacker, Raphael Gray, last year. As expert for the defence, he felt
that there was sufficient uncertainty under the Computer Misuse Act
to mount a credible defence against charges that Gray had illegally
accessed commercial Web sites. Gray, whose claim to fame was
obtaining Bill Gates' credit card details from an insecure Web
site, accepted a plea bargain with the prosecution before the
defence evidence was heard. But it is only a matter of time before
hackers raise similar legal defences in future cases.

Another area of concern is the difficulty that police officers
encounter in bringing prosecutions against some forms of denial of
service attacks under the Computer Misuse Act. The National
High-Tech Crime Unit has sought legal advice and has been told that
denial of service attacks are not, in themselves, illegal under the
current law. The unit is so concerned about this oversight that it
has asked the Home Office to review and update the Computer Misuse
Act. But insiders suggest such a review comes very low down on the
list of Home Office priorities.

The police can use the Act against distributed denial of
service attacks if they can gather evidence to prove that
perpetrators have planted zombie programs in other people's
computer systems without permission, but gathering that evidence is
not always easy, or even possible. Other forms of denial of service attack are not
covered at all. There is currently little the police can do to
prevent someone using their own computer system to bombard a
company's mail box with tens of thousands of copies of the same
spam e-mail, for example.

A third area of concern relates to the theft of computer data.
Under the current law, if someone deliberately walks off with a
laptop computer with the intention of keeping it, that person is
guilty of theft. If that same person copies a confidential document
from the same machine, that cannot be treated as theft.

The Home Office's own statistics add to the case for reform of the
Computer Misuse Act. They show that despite the high incidence of
reported computer crime, there have been only 33 prosecutions under
the Computer Misuse Act in 12 years. Of these, only 26 offenders
were sentenced and just seven jailed. The rest have received
suspended sentences, fines or community service orders, a record
raising serious questions about the Act's effectiveness.

Computer Weekly believes that the time has come for the Government
to reconsider the UK's computer crime law. Our campaign has the
backing of lawyers and IT organisations including the British
Computer Society, the lobby group Eurim, The Infrastructure Forum,
and the Computing Services and Software Association. The E-centre
has agreed to ask its legal committee to carry out a formal review
of the law and to identify the gaps and suggest remedies.

But convincing the Government to move a review higher up its
political agenda will not be easy. It will require businesses and
legal experts to come forward with convincing evidence to show that
computer crime is a serious issue and with examples that illustrate
the weaknesses of the law as it stands.

Computer Weekly has set up a special confidential e-mail address
where you can post your comments, views or let us know about your
first-hand experiences of the problems facing businesses. We will
collate and anonymise the information and forward it to the
Government.

Any new law will, of course, need to be developed in full
consultation with the businesses, organisations and individuals it
affects. We will be pressing the Government to listen carefully to
the voices of our readers before it re-writes the statutes.

Any changes to the Computer Misuse Act will have to be very
carefully thought out, if they are to avoid criminalising honest
activities. As one of our readers pointed out, if the legislation
is not defined precisely, innocent people may well be prosecuted by
organisations anxious to pin the blame for their problems on
someone else.

The Government has a poor track record in developing IT-related
legislation. That is why the subject is too important to be left to
politicians alone.