Police don't know what to do
I would certainly support sensible changes to the current law. My perception, based on experience at a previous employer, is that the police have no idea what to do when you contact them for advice following a security incident.
If you are lucky enough to eventually find someone willing to take you seriously they tell you that there is no chance of it going further since it is near impossible to prosecute.
As it happened the employer in question was an academic institution with some clout and reasonable support and legal services. Other administrators were informed and the information propagated - in my current role at a smaller business this is not the case.
The UK Government should urgently look into updating the computer crime laws, providing training for those on the front-line, and fostering a security community within the UK. There is, as far as I'm aware, no organisation like the Computer Emergency Response Team (Cert) - except for Janet-Cert with its limited remit - in the UK to disseminate UK specific and focused information, advice and support.
Al Howat, Senior systems administrator
Authorities ignored fraud
I have come across £100,000-worth of credit card fraud during the past nine months and none of the police forces seem to be interested, either local, national or international.
DoS not always a crime
Updating the law to reflect current trends so that "bad" things become criminal offences is an honourable task, if done properly. However, we must be careful.
How do you define a denial of service attack?
For example, a system administrator reboots a core server, which fails to boot because a piece of hardware was on its last legs. This takes down the corporate network, worldwide, for a considerable time, because he or she did not understand how the network works. This is a denial of service, but I do not think ignorance should be punishable by law.
What if an employee runs a ping flood against the network router? The very fact this is a "flood" might suggest to you it is always malicious. But many Unix versions of ping include the "f" switch which is extremely useful for testing network equipment reliability under high loads. Someone might complain about a connection being slow for a long period, but at the end of the day, networks have to be tested.
Perhaps a script kiddie runs a ping flood against a network router, and later in court claims he or she was just testing a modem or network card; or a secretary is talking on the phone and with his or her foot wiggles a wire which comes unplugged - it just happened to be the office's backbone connection.
The current Computer Misuse Act uses the term "unauthorised access" but who gives the authorisation? A secretary? A system administrator? A managing director? How can you know when you have been given properly authorised access? How can you tell who is authorised to give that access?
If this legislation is not done right, many innocent people will be prosecuted by others trying to place the blame or pass the buck.
If a company gets bad publicity as victim of a national crime that reflects badly on the government they have to prosecute someone. But that someone should be the right person.
Another concern is that the Government will try to outlaw "hacking" tools. Leaving defining these terms to a UK government is a bad idea because, quite frankly, what do they know about IT?
Whistleblowers need protection
I recently discovered a vulnerability in an online retailer's Web site where, having bought an item, refreshing a page revealed some personal details (name, address, but fortunately not credit card numbers) of subsequent customers.
I had read articles in Computer Weekly and elsewhere, relating how some banks had reacted adversely when public-spirited citizens had warned of vulnerabilities, and had threatened prosecution.
Nonetheless, I contacted the webmaster of the site. Fortunately for me they reacted well, acknowledged the fault and thanked me for reporting it.
However, I was worried that I too might have been threatened with prosecution under the Computer Misuse Act, and consequently I was hesitant to report the fault, and spent a few anxious hours before the webmaster contacted me.
The only security I could think of to protect myself was to contact a well-known journalist to let him know what I had done and why. The risk of doing that was that a less-scrupulous journalist might prefer to publish, and thereby put me and the retailer into conflict.
Any reworking of the Act should take into account that some security holes do exist, and that people who discover them should not be in fear of prosecution if they take reasonable steps to report vulnerabilities to the correct parties. The Act should consider what "reasonable steps" might be, and maybe nominate or set up suitable third-party bodies to act as screens to handle this sort of tip-off anonymously and swiftly.
Bill Powell, Software development manager
Business needs security
Surely if Tony Blair wants the UK to be at the forefront of the electronic age we need the most modern and robust laws to safeguard this growing business opportunity. Failure to put this needed legal structure in place will impede the UK's desire to expand its IT industry.
Andy Campbell, Managing director, Reflex Magnetics
Laws focused on intent will last longer
Surely the concept of "clearly defining" so as to pin down what should be catagorised as illegal is short-termist and counter-productive.
One of the great characteristics of British law is that it is based on principle rather than detail, although this is progressively being lost to an American-style documented legalism.
Could not the revision of the Act be focused on "intent" and "purpose"? Then, as technology develops, it remains useful. Indeed, the very notion that there is a "computer" misuse act is too detailed. You then have to define the term "computer", is a mobile phone one? When your mobile phone gets a virus will that be covered?
Denials of service, hacking and many more areas, could all be covered by addressing the intent and purpose of the interaction.
Craig Tranfield, Computer operations manager
This was first published in July 2002