Cases show reform of Computer Misuse Act is essential if it is to be fair and relevant

It used to be possible to argue that concerns about the limitations of the 15-year-old Computer Misuse Act were based on theory, not tangible cases.

Courts, it was hoped, would be able to reinterpret the act for changing technological circumstances. This view enabled a succession of junior Home Office ministers to assert that the government was broadly in favour of reform "when the legislative timetable permits" - parliamentary code for "not any time soon".

Following two recent cases, that is no longer good enough.

In October, Dan Cuthbert, a City-based system penetration and software tester, was convicted of unauthorised access to a tsunami charity website. The previous New Year's Eve, Cuthbert had visited the site, donated £30, and become concerned at its slow response and poor graphics. Was he being phished? He tried an unsuccessful directory traversal test and felt relieved. But the test set off an intrusion detection alarm and his subsequent interview with the police went badly.
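For readers who have not seen what a "directory traversal test" looks like from the defending side, the following is an added example (not part of the original article, and not Cuthbert's actual request, which the article does not reproduce). It runs a simple intrusion-detection check over constructed web-server access-log lines: one ordinary donation session followed by three traversal probe variants, including URL-encoded and double-encoded forms that a naive signature would miss. The log lines, IP addresses and paths are all invented for illustration.

```python
"""Flag directory-traversal probes in web-server access logs.

Added example, not from the original article: it shows the kind of
request an intrusion detection system flags as unauthorised, the way
Cuthbert's single test request did. The log lines below are constructed
for illustration and are not taken from any real site.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# What an IDS signature looks for once the path has been normalised.
# Matching on the raw path would miss "%2e%2e%2f" and double-encoded "%252e".
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|boot\.ini)', re.IGNORECASE)


def normalise_path(path: str) -> str:
    """URL-decode twice (to catch double encoding) and unify slashes."""
    decoded = unquote(unquote(path))
    return decoded.replace('\\', '/')


def is_traversal(path: str) -> bool:
    """True if the request path looks like a path-traversal attempt."""
    return TRAVERSAL_RE.search(normalise_path(path)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line that looks like a traversal probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        host, method, path, status = m.groups()
        if is_traversal(path):
            hits.append({"host": host, "method": method,
                         "path": path, "status": int(status)})
    return hits


# Constructed sample log: an ordinary donation, then three probe variants
# (plain, URL-encoded, double-encoded with backslashes), then normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:23:40:01 +0000] "GET /donate.html HTTP/1.1" 200 5120
203.0.113.7 - - [31/Dec/2004:23:40:09 +0000] "POST /donate.cgi HTTP/1.1" 200 812
203.0.113.7 - - [31/Dec/2004:23:41:30 +0000] "GET /../../../etc/passwd HTTP/1.1" 403 296
203.0.113.7 - - [31/Dec/2004:23:41:33 +0000] "GET /images/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 301
203.0.113.7 - - [31/Dec/2004:23:41:40 +0000] "GET /cgi-bin/..%255c..%255cboot.ini HTTP/1.1" 404 301
198.51.100.2 - - [31/Dec/2004:23:42:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['host']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Note that all three probes are flagged even though every one of them failed (403 or 404): an IDS alarm records the attempt, not its success, which is exactly why an "unsuccessful" test can still produce a police interview. The decoding step is the important part of the design; an IDS that matched only the literal string `../` would be trivially evaded by the encoded variants.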

At trial his defence team argued his intentions were obviously benign and that as a penetration tester he possessed the skills and tools to cause large-scale disruption without being detected - which he plainly had not used. But the prosecution said that he must have known the directory traversal was unauthorised. It was this interpretation the court accepted.

Cuthbert's case continues to worry the community of penetration testers as they believe it potentially affects some of their techniques.

In November, a youth walked free from a Wimbledon court having admitted that he had used a mail-bomber program to flood the mail server of an insurance company from which he had been fired.

More than five million e-mails were generated. His defence was purely legal: each e-mail sent to an e-mail server is "authorised" to modify it (otherwise e-mail would not work), and there is no specific point at which a large quantity of such e-mails suddenly becomes "unauthorised".

Just as in the Cuthbert case, where the judge declined defence invitations to look at the wider context of Cuthbert's actual motivation rather than the strict wording of the Computer Misuse Act, in the Wimbledon case the prosecution's pleas that the court should consider the obvious malign intent and the damage caused were unsuccessful.

Both judges felt it was parliament's job, not theirs, to extend the law. In both cases extensive arguments were made about the history of the Computer Misuse Act, and that the reasoning behind it reflected late-1980s perceptions about how computers might be attacked.

It may be that Cuthbert's case does not call for law reform. Penetration testers should only operate under the explicit permission of the owners of the systems under test, and Cuthbert should have been more immediately straightforward with the police.

But the Wimbledon case is as explicit a justification for a new "denial of service" offence as you could wish. The fact that some denial of service cases, such as those involving zombie intermediate computers, or situations where a logic bomb wipes essential files, can be prosecuted under the existing section three of the Computer Misuse Act, is insufficient reason not to make denial of service a separate offence.

The arguments for reform have now been rehearsed by the Internet Crime Forum, the parliamentary All-Party Internet Group, in 10-minute rule bills from MPs Derek Wyatt and Tom Harris, in campaigns run by Computer Weekly and in numerous individual articles.

Unlike much recent government legislation there is almost no controversy: there is very little disagreement about the specific requirements. The few clauses needed could even be squeezed into one of the frequent "omnibus" Criminal Justice Bills without the need for a separate standalone Computer Misuse (Amendment) Bill.

Now that the tangible case material exists, can we have our legislation, please?

Peter Sommer is senior research fellow in the Information Systems Integrity Group at the London School of Economics. He was instructed by the defence as an expert witness in both the Cuthbert and Wimbledon cases.

2 comments

About the Wimbledon court case. Isn't that exactly the reverse of what happened in DPP v. Lennon [2006] EWHC 1201 (Admin)? Lennon had used email bombing software and argued that by receiving emails, the recipient had consented to it. And this defence was rejected by the Court.
My bad. Missed the original date of the post :|