Driving a Trojan Horse and Cart through the Computer Misuse Act

January 1, 2004

Aaron Caffrey, of Shaftesbury, Dorset, allegedly launched a denial of service attack against the Port of Houston’s computer system which prevented access to the port’s information by shipping, mooring and support services. The port is one of the busiest in the world. Caffrey alleged that a trojan was responsible, however, and that it installed itself on his computer without his knowledge. There was no trace of the trojan found on his machine, but he argued that it deleted itself after committing the acts of which he was accused. Despite the prosecution arguing that this technology does not exist, the jury acquitted.

This is not the only recent case where a defence has been built upon allegations of foreign trojan infection. In R v Schofield [2003 unreported] Karl Schofield was cleared of possession of 14 indecent images of children after prosecutors accepted expert evidence that their presence owed itself to a trojan which had installed itself on his PC.

In R v Green [2002 unreported] experts from Vogon found 11 trojan horse programs on Julian Green’s computer which had most likely been downloaded as a result of his opening unsolicited emails. After receiving this expert evidence, prosecutors dropped charges against Green for possession of 172 indecent images of children.

Caffrey’s acquittal came as perhaps something of a surprise to the IT community, and various commentators have put forward suggestions as to why he was in fact acquitted. One conclusion which it is difficult to avoid is that the jury were confused by the evidence put before them. The defence argued that such trojans can delete themselves after they have infected a machine and that this was the reason for the absence of infection when the machine was inspected. The prosecution on the other hand argued that this technology does not exist. Some reports suggest that one juror developed a migraine after hearing the technical evidence!

Other defences

In the case of R v Bedworth [1993] the defence counsel argued that Bedworth was suffering from a psychological condition known as ‘computer tendency syndrome’, which amounted to a form of addiction, and presented expert evidence along those lines. Despite the judge making it clear to the jury that this was not a valid defence, they acquitted. Richard Buxton QC suggested that it was a case of ‘jurors having ideas of their own’.

Although Bedworth concerned a charge of dishonestly obtaining telecommunication services and conspiracy to access a computer without authority under the Computer Misuse Act 1990, s 1, it is likely that the outcome would have been similar had the charge been one of unauthorised modification under s 3.

Computer Misuse Act 1990, s 3

Putting aside defences such as these for one moment, some commentators argue that s 3 does not adequately deal with denial of service attacks. Section 3 states that:

“A person is guilty of an offence if:

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.”

Some commentators argue that a denial of service attack does not modify the contents of the computer in question. If it does not, then the section does not apply and a prosecution should not be successful. Similarly, ss 1 and 2 deal with unauthorised access to a computer, with the key word being ‘access’. Does a denial of service attack amount to someone ‘accessing’ a computer?

During the 2001-2002 Parliamentary session Lord Northesk sponsored the Computer Misuse (Amendment) Bill, which was an attempt to extend the remit of the 1990 Act to cover denial of service attacks. The Bill would have inserted a new s 3A into the 1990 Act as follows:

“3A Denial of service attacks

(1) A person is guilty of an offence if without authorisation he does any act –

(a) which causes; or

(b) which he intends to cause,

direct or indirectly, a degradation, failure or other impairment of function of a computerised system or any part thereof.

(2) A person is guilty of the offence in subsection (1)(a) even if the act was not intended to cause such an effect, provided that a reasonable person could have anticipated that the Act would have caused such an effect.”

Unfortunately, the Bill ran out of parliamentary time, as of course happens to many Private Member’s Bills. At the time the Home Office admitted that, whilst it was sympathetic to Lord Northesk’s efforts, computer crime was not top of its agenda and it could not offer any support (it is interesting to note that the 1990 Act is one of the few statutes with primarily criminal consequences which started life as a Private Member’s Bill and successfully proceeded through the parliamentary system to become law). The Port of Houston may perhaps be wishing that the Bill had succeeded in finding parliamentary approval.

The fact that the Bill is drafted in such a way as to avoid using language such as ‘access’ and ‘modify’ would suggest that the 1990 Act does not in fact cover the acts being discussed here. It is difficult to easily equate the results of a denial of service attack to ‘an unauthorised modification of the contents of any computer’.

Evidence

Aside from the technical difficulties with the Act, juries can cause problems even when the cases are relatively clear-cut. The decision in Bedworth was, it is probably fair to say, unexpected and this can perhaps be put down to both the foibles of juries, and the technical nature of the evidence being put forward.

The technical nature of the evidence being put forward is not the only evidential problem however. Whether such evidence is or should be admissible is still not an entirely resolved issue. Both the civil and criminal law in this country allow computerised evidence to be submitted. In civil cases, the evidence is usually regarded as hearsay and therefore falls within s 1 of the Civil Evidence Act 1995 (ie it is now generally admissible).

Although the criminal position used to be governed by the Police and Criminal Evidence Act 1984, s 69, this was repealed by the Youth Justice and Criminal Evidence Act 1999, s 60. There are therefore now no statutory provisions relating specifically to computer evidence in computer trials and the position has reverted to common law. The overriding rule is therefore a presumption that mechanical instruments were in order when they were in use, in the absence of evidence to the contrary.

This concept requires a certain amount of mental gymnastics – as we have already noted, the 1990 Act requires unauthorised modification to the computer in question. By its very nature, this means that the computer which was attacked was not working properly at the time that the evidence was generated. Pursuant to the common law therefore, evidence from the computer which was attacked may not be admissible (some commentators argue that such issues should go to the weight of such evidence and not the admissibility, but at the moment the evidence would be either admissible or not, at the ruling of the judge).

The attacked computer is not the only source of evidence of course; the computer from which the attack derived is also fertile ground. However, Caffrey argued that his computer had been the subject of an attack, which puts his computer into the same category as the attacked computer at the Port – it could not be said to be working properly and in compliance with the common-law rule.

In such circumstances, it would be extremely difficult for the judge to rule the evidence inadmissible from one computer and admissible from another.

Judging intention

The question of intention can be another sticking point. As can be seen from the Computer Misuse Act 1990, s 3 (set out above), the offender must have the ‘requisite intent’. Simon Vallor was this year convicted for authoring a number of viruses including Gokar and Redesi. The interesting point here is that Vallor, although he pleaded not guilty, admitted his actions in an online chat room. Without such an admission it seems unlikely that police would have discovered the culprit. Crucially therefore little or no evidence as to responsibility was required in his case. Further, although Vallor alleged that he did not intend to cause any harm and did not therefore have the ‘requisite intent’, the jury was not prepared to acquit. However, in the light of the decision in Bedworth, it is clear that another jury may have come to a different conclusion and acquitted Vallor.

Juries have always, of course, reached surprising verdicts in relatively clear-cut cases. However, the situation cannot be helped if the jury is potentially unclear as to the evidence before them. Some commentators have suggested that the introduction of a specialised ‘computer court’ may be the way forward, but the way that this would work in practice is far from clear. Are we saying that only expert judges would hear such cases? In that case, we are potentially denying the offender his right to be tried by his peers. If we are saying that the 12 jurymen must have an in-depth knowledge of the technology in question, we are moving away from having jurymen and women who try the case on the evidence before them to having 12 experts who will most likely have their own opinions on the evidence which is being presented to them. Given the close nature of the IT community, there is also a fair chance that they will have had knowledge or heard of the defendant prior to the trial!

Review of the law

Aside from the practical difficulties of jury selection and court structure, the way forward has to be a review of the laws in this area. If there is any doubt that s 3 covers denial of service attacks, then the provisions of the amending Bill need to be revisited as soon as possible. On the evidential side, the status of evidence received from potentially infected computers needs to be looked at. To what extent will expert evidence be allowed in cases such as this? Will such evidence continue to be governed by the rules on admissibility or will the virus affect the weight to be given to such evidence instead? Can the average jury be trusted to weigh such evidence against expert testimony? Uncertainty in the law is never a good thing and these issues need to be resolved as soon as possible.

Shelley Hill, PGDip, LLM, is an assistant solicitor in the technology and innovation unit of Robert Muckle Solicitors, a commercial law firm based in Newcastle upon Tyne.