Outdated laws fail to define, halt or combat cybercrime

IT crime expert Peter Sommer examines the laws designed to protect UK businesses from IT crime and the work already going on to update them.

Much work remains to be done if the law is to serve the needs of businesses employing Internet technologies

English law has been pretty flexible in adapting to the problems of cybercrime but every so often parliamentary intervention is required. There is now a significant list needing urgent attention.

Computer-related theft, blackmail, narcotics trafficking, illegal immigration, terrorism, adult and child pornography, conspiracy and many other crimes are routinely dealt with by laws without the word "computer" in them. The practical problem for the police and courts is to locate and understand evidence in digital form.

But when, in 1985, the authorities discovered some of the perpetrators behind a playful but extensive demonstration of weaknesses in the management of BT's public access service Prestel, they decided to prosecute under forgery law, arguing that a misused password was a forgery.

After initial success, first the Court of Appeal and then the House of Lords rejected the idea. The then Lord Chief Justice said, "We have, accordingly, come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case.

"It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties," the judgement said.

"The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel databank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts," it concluded.

In 1990, two years after that judgement, the Computer Misuse Act was passed.

English criminal procedure is adversarial: defence lawyers and experts will only look at the precise charges, the precise language of a statute and the precise evidence. Those of us now campaigning for further changes in the law will have to work hard. New definitions of crime require careful design so that the offences can be unambiguously identified by evidence and tested by the courts - and to ensure that careless wording does not produce unwanted side-effects.

In a number of instances the important technical work has already been carried out by the Law Commission. However, the shortage of parliamentary time resulting from the number and length of bills and secondary legislation planned means that we may not get a "Son of Computer Misuse Act", only clauses added to the existing regular compendia of criminal justice legislation.

Peter Sommer is a research fellow at the London School of Economics, an external examiner at the Centre for Forensic Computing at Shrivenham, and frequently appears as an expert witness

Fraud and deception

Surprisingly, there is no specific crime in English law of "fraud"; offences are usually treated as "obtaining goods or services by deception", a form of theft.

For computer frauds the problem is a doctrine which holds that only people, as opposed to machines, are capable of being deceived.

The Law Commission produced a wide-ranging report on fraud and deception in 1999. "The Internet also provides a medium by which services can be delivered," it said.

"If the fraudulent conduct consists of access to or use of such a service, neither the existing law nor the extensions hitherto suggested would serve to impose criminal liability. It is clear that such conduct should be criminal; and in considering how that may best be achieved, we come to the provisional conclusion that this form of misuse is a 'taking' rather than a 'tricking', and as such should be dealt with in the context of theft.

"Accordingly, we provisionally conclude that it should be made criminal by extending the offence of theft to the theft of services, or by the creation of a separate theft-like offence, rather than by extending the concept of deception."

The recommendations have not yet been implemented.


It may seem a bit soon to be reviewing the Regulation of Investigatory Powers Act 2000 and the Anti-terrorism Security and Crime Act, 2001, but many people believe there is a crucial practical flaw in both.

In relation to interception they make a distinction between "communications data" (who contacted whom, when and for how long) and "content" (what was said).

Only communications data is admissible and while content warrants must come from the home secretary, many senior law enforcement and other officials can authorise grabs of communications data.

Critics say that the distinction, easy enough in the world of analogue phones, simply cannot be made in relation to the digital traffic of the Internet. As a result the police, Internet service providers and large companies face great uncertainty over the next few months.

Paedophilia, stalking and 'grooming'

Lobbyists are seeking criminal and civil sanctions to control the actions of online "groomers" of children in chat-rooms. The problem in designing a new law is how to catch a criminal, who may be able to deny his intentions until almost the last moment, without placing children at risk.

There is an important technical reform needed, to protect police officers, prosecutors and others in the criminal justice system: simple copying of an indecent photograph - even if to produce an exhibit or test evidence - is a criminal offence for which the law currently provides no defence.

Computer Misuse Act

The 1990 Computer Misuse Act is based on notions of unauthorised access or unauthorised data modification.

Its view is pre-Internet and it has difficulty in coping with Web sites which are intended to be partly public and partly private.

It cannot cope with denial of service attacks, where a computer may be functionally disabled without either access or modification.

A possible new law could use the idea of action "designed seriously to interfere with or seriously to disrupt an electronic system" from the Terrorism Act, 2000.

Unintended consequences

Well-intentioned but under-researched laws may have unexpected consequences. Examples include the Private Security Industry Act, 2001, aimed at regulating the "man-guarding" and "bouncer" industries but which may eventually require nearly all computer security consultants to be registered.

Another problem, which crops up in cyber-crime and anti-terrorist legislation and in proposals to protect copyright owners from digital piracy, is the attempt to create an offence of possessing devices etc which might "break" or test security but which are also essential to security consultants and researchers.

Some measures to control strategic export also restrain legitimate research.

Data theft and theft of commercial secrets

English law says data, as opposed to the disc media or paper upon which it is held, cannot be stolen.

Prosecutions for industrial espionage have had to be for the modus operandi - bugging, tapping, hacking - or conspiracy. Sometimes civil actions for breach of confidence have been employed. In 1997 the Law Commission issued a consultation on misuse of trade secrets. A new law could be tricky - how do we recognise a trade secret? Can originators self-classify? What exactly would be "misuse"? Will there be a public interest defence to permit proper journalism?

A new report is expected this year or next.

Council of Europe Cybercrime Convention

In November 2001 the Council of Europe's Cybercrime Convention was signed. Its signatories are not limited to Europe - indeed the US was a major player.
It seeks to harmonise definitions of crime, warrants and standards of evidence collection. It has other, more controversial elements, including issues about the extent of data interception and retention that is permitted. Britain is a signatory and, in due course, will need to ratify the convention. This action alone will require a radical appraisal of English law to see how far it complies.
