It used to be possible to argue that concerns about the
limitations of the 15-year-old Computer Misuse Act were based on
theory, not tangible cases.
Courts, it was hoped, would be able to reinterpret the act for
changing technological circumstances. This view enabled a
succession of junior Home Office ministers to assert that the
government was broadly in favour of reform "when the legislative
timetable permits" - parliamentary code for "not any time
soon".
Following two recent cases, that is no longer good enough.
In October, Dan Cuthbert, a City-based system penetration and
software tester, was convicted of unauthorised access to a tsunami
charity website. The previous New Year's Eve, Cuthbert had visited
the site, donated £30, and become concerned at its slow response
and poor graphics. Was he being phished? He tried an unsuccessful
directory traversal test and felt relieved. But the test set off an
intrusion detection alarm and his subsequent interview with the
police went badly.
At trial his defence team argued his intentions were obviously
benign and that as a penetration tester he possessed the skills and
tools to cause large-scale disruption without being detected -
which he plainly had not used. But the prosecution said that he
must have known the directory traversal was unauthorised. It was
this interpretation the court accepted.
Cuthbert's case continues to worry the community of penetration
testers as they believe it potentially affects some of their
techniques.
In November, a youth walked free from a Wimbledon court having
admitted that he had used a mail-bomber program to flood the mail
server of an insurance company from which he had been fired.
More than five million e-mails were generated. His defence was
purely legal: each e-mail sent to an e-mail server is "authorised"
to modify it (otherwise e-mail would not work) and there is no
specific point at which a large quantity of such e-mails suddenly
becomes "unauthorised".
Just as in the Cuthbert case - where the judge declined defence
invitations to look at the wider context of Cuthbert's actual
motivation and not the strict wording of the Computer Misuse Act -
in the Wimbledon case, prosecution pleas that the court should
consider the obvious malign intent and damage caused were
unsuccessful.
Both judges felt it was parliament's job, not theirs, to extend
the law. In both cases extensive arguments were made about the
history of the Computer Misuse Act, and that the reasoning behind
it reflected late-1980s perceptions about how computers might be
attacked.
It may be that Cuthbert's case does not call for law reform.
Penetration testers should only operate under the explicit
permission of the owners of the systems under test, and Cuthbert
should have been more immediately straightforward with the
police.
But the Wimbledon case is as explicit a justification for a new
"denial of service" offence as you could wish. The fact that some
denial of service cases, such as those involving zombie
intermediate computers, or situations where a logic bomb wipes
essential files, can be prosecuted under the existing section three
of the Computer Misuse Act, is insufficient reason not to make
denial of service a separate offence.
The arguments for reform have now been rehearsed by the Internet
Crime Forum, the parliamentary All-Party Internet Group, in
10-minute rule bills from MPs Derek Wyatt and Tom Harris, in
campaigns run by Computer Weekly and in numerous individual
articles.
Unlike much recent government legislation there is almost no
controversy - there is very little disagreement about the specific
requirements. The few clauses needed could even be squeezed into
one of the frequent "omnibus" Criminal Justice Bills without the
need for a separate standalone Computer Misuse (Amendment)
Bill.
Now that the tangible case material exists, can we have our
legislation, please?
Peter Sommer is senior research fellow in the Information
Systems Integrity Group at the London School of Economics. He was
instructed by the defence as an expert witness in both the Cuthbert
and Wimbledon cases.