On 5 August 1999, the House of Lords ruled on an extraditioncase which has major implications for computer misuse cases. A report taken fromthe Butterworths ‘next-day’ reporting service, All ER Direct is reproducedbelow. The case is now fully reported at [1993] 4 All ER 1.
The applicant was arrested at the request of the United States governmentpursuant to a provisional warrant in respect of offences of conspiracy whichalso involved O, a credit analyst employed by American Express at their officein Plantation, Florida. The three offences on which committal was sought allalleged that the applicant, within the jurisdiction of the USA, had conspiredwith O and others: (i) to secure unauthorised access to the American Expresscomputer system with intent to commit theft; (ii) to secure unauthorised accessto the American Express computer system with intent to commit forgery and (iii)to cause an unauthorised modification of the contents of the American Expresscomputer system. O was authorised to access computer records of those who owedmoney to American Express, and had the ability to access accounts on which shehad not been instructed to work. She did so, and supplied information to theirco-conspirators which enabled them to forge credit cards and obtain large sumsof money. The magistrate decided to commit only on the third offence, holdingthat DPP v Bignell [1998] 1 Cr App R 1, in which it was decided that useof computer data for their own purposes by persons entitled to authorise accessto that data was not ‘unauthorised access’ within s 17(5) of the ComputerMisuse Act 1990, was determinative of the issue in relation to the first twooffences. The US government and the Director of Public Prosecutions soughtjudicial review of the magistrate’s decision not to commit on those offences,and the applicant, by proceedings for habeas corpus, sought to set aside thecommittal on the third offence, and another committal on unrelated offencesconnected with the State of Maryland. The Divisional Court dismissed both thehabeas corpus proceedings and the judicial review proceedings, again followingthe decision in DPP v Bignell. The US government appealed and the issuearose whether the interpretation given to s 17(5) by the court in DPP vBignell was correct.
The appeal would be allowed.
Section 17(5) did not introduce any concept that authority to access onepiece of data should be treated as authority to access other pieces of data‘of the same kind’. The court in DPP v Bignell accepted submissionsmade in relation to s 17(5) which introduced a number of glosses which were notpresent in the Act. The concept of control was changed from that of beingentitled to authorise, to authorised to cause the computer to function. Theconcept of access to a program or data was changed to access to the computer ata particular ‘level’. It was this use of language, departing from thelanguage of the statute and unnecessary to the decision of that case, whichmisled the magistrate and the Divisional Court in the instant case. Section 1 ofthe Act was not concerned with authority to access kinds of data, it wasconcerned with authority to access the actual data involved. Since s 1(1)created an offence which could be committed as result of having an intent tosecure unauthorised access without in fact actually succeeding in accessing anydata, s 1(2) did not require that the relevant intent relate to any specificdata. However, that did not mean that access to the data in question did nothave to be authorised. In the instant case O’s access was unauthorised becauseit was intentional, it was not authorised by a person entitled to authoriseaccess to that particular data and carried out when she knew that access to thatdata was unauthorised.