Don't rush to rewrite law until existing Acts have been tested

Campaign: Continuing the cybercrime debate, an IT law specialist argues that UK legislation, provided it is properly applied,...

Campaign: Continuing the cybercrime debate, an IT law specialist argues that UK legislation, provided it is properly applied, already deals with everything the European Convention on Cybercrime proposes to cover

The Computer Misuse Act 1990 is under attack. Critics point to the low number of convictions under the Act and the perceived leniency of sentences handed down to those, relatively few, hackers who have been convicted in the past 10 years. A common means to sabotage Web sites, the denial of service attack (DoS), may not even an offence since criminality is based on a concept of unauthorised access.

Cyber-criminals are an amorphous band of creatures whose activities range from hacking and spreading viruses to fraud and extortion.

Business-critical functions rely increasingly on network connections outside the corporate headquarters and "always-on" links to the Web are becoming the norm. Online businesses are particularly susceptible to anti-competitive activity such as spamming or lower-level DoS attacks designed to degrade the performance of a Web site.

In the information society, information increases in value and vulnerability in similar proportions.

Something more has to be done to tackle the problem - but what? Opinions seem to fall into two camps. There are those who believe that the Computer Misuse Act needs only limited amendment to update it, whereas others want a wholesale change, with a range of new cybercrime offences.

The European Convention on Cybercrime offers an all-embracing legislative solution, should the UK government wish to adopt it.

The convention proposes the introduction of no less than nine cybercrime offences and a series of proposed detection and prosecution powers to assist the relevant national authorities to secure convictions. Without intending to be a comprehensive comparison, the table shows that most of the suggested offences are either already covered by specific offences under existing legislation, or there are similar offences in UK law.

The increased investigatory powers awarded under the convention would impose substantial financial and organisational obligations on Internet service providers, telecommunications companies and other service providers to preserve and retain data.

Telecommunications companies had a taste of one expensive version of the future when they were recruited to assist in data retention following the US terror attacks of 11 September.

The focus of the convention is almost entirely on the prosecution picture, and it is a truism that legislation to protect one person's security may restrict the freedom of another - which is fine for those of us that have unquestioning faith in the integrity and reliability of all prosecuting authorities. It is not that we are being overly sceptical but, if the member states' authorities got it right all the time why would we need a Convention on Human Rights?

Before embarking on a new round of legislation we should be asking, "What are we trying achieve and how have existing laws failed to meet our objectives?" It may be an easier process, and politically more acceptable, to pass yet more laws than to get to the truth about the failure to control cybercrime.

A gap in the Computer Misuse Act that lets DoS slip through tells us nothing about the low number of prosecutions and light sentences for hacking. Distributed DoS attacks are, in fact, already offences under the Act.

Placing cybercrime in its wider context provides some greater perspective: for instance, would one consciously choose to divert police resources away from violent crime to tackling computer offences?

Practically speaking, the Computer Misuse Act has been in force since 1990 and yet it is only in the past year or so that information security has featured near the top of the corporate agenda. It may be disappointing, but cannot be surprising, that successive governments have not allocated money to give technology training and equipment to the police on a national scale.

Nor should it be surprising if juries are reluctant to convict, or judges lenient on sentencing, when, until recently, the hacker's image has been more of a person struggling to be noticed than a notorious criminal.

However, that was then. Today cybercrime has been recognised as a major threat to the financial and governmental infrastructure: so much so that government departments and agencies such as the Office of the E-Envoy, the National Infrastructure Co-ordination Centre and the National High Tech Crime Unit are competing with one another to raise public awareness of information security.

The debate about updating or replacing the Computer Misuse Act raises profound questions of the importance of technology in society. To what lengths are we prepared to go to protect our technical infrastructure in order to provide a safer environment for personal data, to communicate electronically and conduct e-commerce? Are we prepared to accept a new legislative model like the European Convention on Cybercrime, that may push freedom of expression and personal privacy into second place?

We already live in an age of creeping surveillance, with a blurring of the distinction between legitimate corporate and illegitimate criminal activity. Company directors face the unenviable task of threading their way through the myriad legal regulations and obligations while still being expected to derive profit from the bottom line.

Most cybercrimes are still financially motivated. We need to involve the business world and engage in a wider debate about the source of the problems with the Computer Misuse Act before we resort to making more law as a solution.

How existing laws cover proposed new offences

Convention Offence: Illegal access
Existing UK Offence: Section 1 Computer Misuse Act 1990: unauthorised access to computer material

Convention Offence: Illegal interception
Existing UK Offence: Section 44 of Telecommunications Act 1984: intentional modification of messages on a public telecoms system
Section 1 of the Regulation of Investigatory Powers Act 2000: unlawful interception of public/private telecommunications systems
Convention Offence: Data Interference
Existing UK Offence: Section 3 of the Computer Misuse Act: unauthorised modification of computer material

Convention Offence: Systems interference
Existing UK Offence: Section 3 of the Computer Misuse Act as above; The Terrorism Act 2000

Convention Offence: Misuse of devices
Exisitng UK Offence: Section 42A of Telecommunications Act: possession or supply of anything for fraudulent purpose in connection with use of telecommunications system

Convention Offence: Computer-related forgery
Existing UK Offence: No UK offence for entering unauthentic data per se

Convention Offence:
Computer-related fraud
Exisiting UK Offence: No fraud offence as such in UK but various fraud type offences in the Theft Act 1968 and section 2 of the Computer Misuse Act: unauthorised access with intent to commit further offences

Convention Offence:
Offences related to child pornography
Existing UK Offence:
Obscene Publications Act

Convention Offence:
Offences related to infringement of copyright
Existing UK Offence: Copyright Designs and Patents Act.

Peter Wilson is a partner in the dispute resolution department at Tarlo Lyons solicitors. He can be contacted via 020-7814 6850 or [email protected]

Read more on IT legislation and regulation