Campaign: Continuing the cybercrime debate, an IT law specialist
argues that UK legislation, provided it is properly applied,
already deals with everything the European Convention on Cybercrime
proposes to cover
The Computer Misuse Act 1990 is under attack. Critics point to the
low number of convictions under the Act and the perceived leniency
of sentences handed down to the relatively few hackers who have
been convicted in the past 10 years. A common means to sabotage Web
sites, the denial of service attack (DoS), may not even be an offence
since criminality is based on a concept of unauthorised
access.
Cyber-criminals are an amorphous band of creatures whose activities
range from hacking and spreading viruses to fraud and extortion.
Business-critical functions rely increasingly on network
connections outside the corporate headquarters and "always-on"
links to the Web are becoming the norm. Online businesses are
particularly susceptible to anti-competitive activity such as
spamming or lower-level DoS attacks designed to degrade the
performance of a Web site.
In the information society, information increases in value and
vulnerability in similar proportions.
Something more has to be done to tackle the problem - but what?
Opinions seem to fall into two camps. There are those who believe
that the Computer Misuse Act needs only limited amendment to update
it, whereas others want a wholesale change, with a range of new
cybercrime offences.
The European Convention on Cybercrime offers an all-embracing
legislative solution, should the UK government wish to adopt it.
The convention proposes the introduction of no fewer than nine
cybercrime offences and a series of proposed detection and
prosecution powers to assist the relevant national authorities to
secure convictions. Without intending to be a comprehensive
comparison, the table shows that most of the suggested offences are
either already covered by specific offences under existing
legislation, or there are similar offences in UK law.
The increased investigatory powers awarded under the convention
would impose substantial financial and organisational obligations
on Internet service providers, telecommunications companies and
other service providers to preserve and retain data.
Telecommunications companies had a taste of one expensive version
of the future when they were recruited to assist in data retention
following the US terror attacks of 11 September.
The focus of the convention is almost entirely on the prosecution
picture, and it is a truism that legislation to protect one
person's security may restrict the freedom of another - which is
fine for those of us who have unquestioning faith in the integrity
and reliability of all prosecuting authorities. It is not that we
are being overly sceptical but, if the member states' authorities
got it right all the time, why would we need a Convention on Human
Rights?
Before embarking on a new round of legislation we should be asking,
"What are we trying to achieve and how have existing laws failed to
meet our objectives?" It may be an easier process, and politically
more acceptable, to pass yet more laws than to get to the truth
about the failure to control cybercrime.
A gap in the Computer Misuse Act that lets DoS slip through tells
us nothing about the low number of prosecutions and light sentences
for hacking. Distributed DoS attacks are, in fact, already offences
under the Act.
Placing cybercrime in its wider context provides some greater
perspective: for instance, would one consciously choose to divert
police resources away from violent crime to tackling computer
offences?
Practically speaking, the Computer Misuse Act has been in force
since 1990 and yet it is only in the past year or so that
information security has featured near the top of the corporate
agenda. It may be disappointing, but cannot be surprising, that
successive governments have not allocated money to give technology
training and equipment to the police on a national scale.
Nor should it be surprising if juries are reluctant to convict, or
judges lenient on sentencing, when, until recently, the hacker's
image has been more of a person struggling to be noticed than a
notorious criminal.
However, that was then. Today cybercrime has been recognised as a
major threat to the financial and governmental infrastructure: so
much so that government departments and agencies such as the Office
of the E-Envoy, the National Infrastructure Co-ordination Centre
and the National High Tech Crime Unit are competing with one
another to raise public awareness of information security.
The debate about updating or replacing the Computer Misuse Act
raises profound questions of the importance of technology in
society. To what lengths are we prepared to go to protect our
technical infrastructure in order to provide a safer environment
for personal data, to communicate electronically and conduct
e-commerce? Are we prepared to accept a new legislative model, like
the European Convention on Cybercrime, that may push freedom of
expression and personal privacy into second place?
We already live in an age of creeping surveillance, with a blurring
of the distinction between legitimate corporate and illegitimate
criminal activity. Company directors face the unenviable task of
threading their way through the myriad legal regulations and
obligations while still being expected to derive profit from the
bottom line.
Most cybercrimes are still financially motivated. We need to
involve the business world and engage in a wider debate about the
source of the problems with the Computer Misuse Act before we
resort to making more law as a solution.
How existing laws cover proposed new offences

Convention Offence: Illegal access
Existing UK Offence: Section 1 Computer Misuse Act 1990: unauthorised access to computer material

Convention Offence: Illegal interception
Existing UK Offence: Section 44 of Telecommunications Act 1984: intentional modification of messages on a public telecoms system; Section 1 of the Regulation of Investigatory Powers Act 2000: unlawful interception of public/private telecommunications systems

Convention Offence: Data interference
Existing UK Offence: Section 3 of the Computer Misuse Act: unauthorised modification of computer material

Convention Offence: Systems interference
Existing UK Offence: Section 3 of the Computer Misuse Act as above; The Terrorism Act 2000

Convention Offence: Misuse of devices
Existing UK Offence: Section 42A of Telecommunications Act: possession or supply of anything for fraudulent purpose in connection with use of telecommunications system

Convention Offence: Computer-related forgery
Existing UK Offence: No UK offence for entering unauthentic data per se

Convention Offence: Computer-related fraud
Existing UK Offence: No fraud offence as such in UK but various fraud type offences in the Theft Act 1968 and section 2 of the Computer Misuse Act: unauthorised access with intent to commit further offences

Convention Offence: Offences related to child pornography
Existing UK Offence: Obscene Publications Act

Convention Offence: Offences related to infringement of copyright
Existing UK Offence: Copyright Designs and Patents Act.

Peter Wilson is a partner in the dispute resolution
department at Tarlo Lyons solicitors. He can be contacted via
020-7814 6850 or peter.wilson@tarlolyons.com