The law must be changed to redefine criminal activities

Computer Weekly is campaigning for the Government to review UK computer crime laws. It is 12 years since the Computer Misuse Act...

Computer Weekly is campaigning for the Government to review UK computer crime laws. It is 12 years since the Computer Misuse Act became law, and police and IT user groups are concerned that it has failed to keep pace with the changing way technology is used. Bill Goodwin reports

When the Computer Misuse Act came into force in 1990 few people had heard of the Internet, and the World-Wide Web was still a twinkle in the eye of its inventor, Tim Berners Lee.

Nevertheless, there was a thriving hacker community. Enthusiasts used mass-dialling techniques to identify the direct dial-in lines to vulnerable computer systems. Once inside they often found that the computer system's designers had paid scant regard to security. Many required no passwords. Others could still be accessed using the default passwords set by the hardware manufacturers. And none of it was against the law.

The public outcry which followed the acquittal of two notorious hackers set the scene for a change in the law. Robert Schifreen and Steve Gold hit the headlines after breaking into the Prince Philip's mailbox on the Prestel computer system. Following a police raid they were charged with forging the Prince's passwords, but were acquitted on appeal. The case drew attention to a gaping hole in the law.

The government of the day supported a private member's bill, brought by MP Emma Nicholson, which went on to the statute books as the Computer Misuse Act 1990. It introduced three new offences - accessing a computer system without authorisation, unauthorised access with the intent to commit a further crime, and the unauthorised modification of computer data. Hackers prosecuted under the Act could face a maximum fine of £5,000 and a prison sentence of up to six years.

Since the Act's introduction the Internet has driven a fundamental shift in the way that companies use their computer systems. In 1990 the emphasis was on keeping undesirable people out. Today companies are keen to let as many people into their systems as possible through the World-Wide Web, to sell products, let them view on-line marketing material and to provide help services.

This development is blurring the lines between authorised and unauthorised access. Legal experts believe that the Computer Misuse Act may now be open to challenges from hackers who can argue that they cannot be guilty of unauthorised access when companies are going out of their way to encourage the public to visit their sites.

Peter Sommer, an IT security expert with the London School of Economics, planned to raise this issue in defence of young Welsh hacker, Raphael Gray, last year. As expert for the defence, he felt that there was sufficient uncertainty under the Computer Misuse Act to mount a credible defence against charges that Gray had illegally accessed commercial Web sites. Gray, who's claim to fame was obtaining Bill Gates' credit card details from an insecure Web site, accepted a plea bargain with the prosecution before the defence evidence was heard. But it is only a matter of time before hackers raise similar legal defences in future cases.

Another area of concern is the difficulty that police officers encounter in bringing prosecutions against some forms of denial of service attacks under the Computer Misuse Act. The National High-Tech Crime Unit has sought legal advice and has been told that denial of service attacks are not, in themselves, illegal under the current law. The unit is so concerned about this oversight that it has asked the Home Office to review and update the Computer Misuse Act. But insiders suggest such a review comes very low down on the list of Home Office priorities.

Although the police can use the Act against distributed denial of service attacks, if they can gather evidence to prove that perpetrators have planted zombie programs in other people's computer systems without permission, this is not always easy, or even possible. Other forms of denial of service attack are not covered at all. There is currently little the police can do to prevent someone using their own computer system to bombard a company's mail box with tens of thousands of copies of the same spam e-mail, for example.

A third area of concern relates to the theft of computer data. Under the current law, if someone deliberately walks off with a laptop computer with the intention keeping it, that person is guilty of theft. If that same person copies a confidential document from the same machine, that cannot be treated as theft.

The Home Office's own statistics add to the case for reform of the Computer Misuse Act. They show that despite the high incidence of reported computer crime, there have been only 33 prosecutions under the Computer Misuse Act in 12 years. Of these, only 26 offenders were sentenced and just seven jailed. The rest have received suspended sentences, fines or community service orders, a record raising serious questions about the Act's effectiveness.

Computer Weekly believes that the time has come for the Government to reconsider the UK's computer crime law. Our campaign has the backing of lawyers and IT organisations including the British Computer Society, the lobby group Eurim, The Infrastructure Forum, and the Computing Services and Software Association. The E-centre has agreed to ask its legal committee to carry out a formal review of the law and to identify the gaps and suggest remedies.

But convincing the Government to move a review higher up its political agenda will not be easy. It will require businesses and legal experts to come forward with convincing evidence to show that computer crime is a serious issue and with examples that illustrate the weaknesses of the law as it stands.

Computer Weekly has set up a special confidential e-mail address where you can post your comments, views or let us know about your first-hand experiences of the problems facing businesses. We will collate and anonymise the information and forward it to the Government.

Any new law will, of course, need to be developed in full consultation with the businesses, organisations and individuals it affects. We will be pressing the Government to listen carefully to the voices of our readers before it re-writes the statutes.

Any changes to the Computer Misuse Act will be have to be very carefully thought out, if they are to avoid criminalising honest activities. As one of our readers pointed out, if the legislation is not defined precisely, innocent people may well be prosecuted by organisations anxious to pin the blame for their problems on someone else.

The Government has a poor track record in developing IT-related legislation. That is why the subject is too important to be left to politicians alone.

Read more on IT legislation and regulation