ALL PARTY INTERNET GROUP APIG REPORT ON THE COMPUTER MISUSE ACT

August 31, 2004

The Computer Misuse Act 1990 (CMA) has been in force for nearly a decade and a half. To get an idea of how long that is in IT terms, think of how many cycles of Moore’s Law the industry has seen over that time – Intel’s 486 processor (cutting-edge stuff in 1990) had just over 1 million transistors; the latest Pentium 4 contains 178 million.

In March this year, the All Party Internet Group (APIG) announced an inquiry into how the CMA has stood the test of time and whether it is still broad enough to “cover the criminality encountered today” or whether there are loopholes which need to be plugged or revisions which need to be made to fulfil international treaty obligations. On 30 June 2004, after considering written and oral evidence from a range of individuals, corporations, organisations and experts, it reported on its findings and the results are encouraging.

Background

Criminal activity involving computers is not new and has been around as long as computers themselves. Up to the end of the 1980s, a number of existing offences were used to prosecute computer-related crime. In R v Whiteley (1998) 93 Cr App R 25 the Court of Appeal upheld a hacker’s conviction for criminal damage (under the Criminal Damage Act 1971, s 1(1)). The defendant had gained unauthorised access to a computer network and had created and deleted files, thereby altering the physical status of the magnetic particles on the computer disks, even though such “damage” was both intangible and invisible to the naked eye.

However, with time, existing legislation proved inadequate to deal with all computer-related offences. The House of Lords in R v Schifreen & Gold [1988] AC 1063 overturned two convictions under the Forgery and Counterfeiting Act 1981, partly on the basis that to make the wording of the statute cover the actual facts of the case would require “Procrustean” effort – a reference to the mythological bandit who cut off or stretched his victims’ limbs to force them to fit a bed.

The increasing inadequacy of non-specific offences to deal with computer-related crime was becoming more and more apparent and led, via an abortive Private Member’s Bill and a Law Commission report in 1989, to the CMA which received Royal Assent on 29 June 1990.

The CMA and APIG

The CMA is short (18 sections in total) and deals with just two types of offence: “unauthorised access to computer material” (ss 1 and 2 detail two varieties of this offence, depending on intent) and “unauthorised modification of computer material” (s 3). It contains no definition of the key terms “programme”, “data” or “computer” and throws its jurisdictional net extremely wide, covering offences affecting computers within the UK as well as those actually committed within the UK.

Perhaps as a reaction to this simplicity of approach, many critics have regarded it as inevitable that the CMA must have become outmoded since it cannot be sufficiently weighty to deal with current criminal behaviour. On at least one issue, “denial of service” attacks (see below), there has been sufficient concern for a Computer Misuse (Amendment) Bill to have been introduced in the House of Lords in 2002 by the Earl of Northesk, a Conservative peer and one of the Lords’ leading authorities on IT matters.

APIG heard evidence on these and other points and considered various suggestions for amending or expanding the CMA.

APIG’s Report

Many commentators have discussed whether the small number of offences created under the CMA is now insufficient to deal with the range of criminal behaviour prevalent on computers and computer networks. APIG heard calls for the CMA to be extended to cover a variety of additional circumstances but, by and large, felt that action was not necessary in relation to the majority of these. Examples include:

· Calls to define various terms used in the CMA so as specifically to cover devices such as PDAs (including mobile phones) and network routers which might not ordinarily be thought of as “computers”.

APIG stated that it had heard no evidence that the lack of explicit definitions had ever caused any problems and described the current arrangement as “perfectly adequate”, recommending that the Government resist calls to introduce any such definitions. It also rejected calls to adopt a new defined term of “information system”, to reflect the language of the EU Framework Decision (see below) and which would include network connections as well as networked computers.

· Calls to extend the CMA to cover unauthorised access where knowledge of such lack of authority cannot be proved.

Although APIG accepted that it could be arguable that the required mens rea under s 1 and s 2 (ie that a defendant knew that his access was unauthorised) would be hard to establish, it was not convinced that this caused practical problems at the current time. In the case of Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the United States of America [2000] 2 AC 216, the House of Lords had upheld a conviction under s 1 where there was no authorisation to access the information in question, despite a general entitlement to access certain other information. APIG was of the opinion that this dealt sufficiently with the issue and that there is no likelihood of any substantial loophole which would require urgent attention.

· Calls to criminalise inadequate security of computer equipment and networks.

It was put to APIG that lax security should be considered a social menace since it can be seen to encourage computer-related crime. This suggestion was first raised during the passage of the CMA through Parliament and is reflected in several other jurisdictions, eg Norway. However, APIG considered that this was best addressed through education and an industry code of practice, together with more proactive measures on the part of ISPs.

· Calls to criminalise “spyware”.

The term “spyware” was used by various contributors to APIG’s inquiry to refer to “adware” (ie software controlling “pop-up” advertising) as well as to clandestine software sitting on a PC and reporting on usage, in secret, to a remote system. APIG decided that s 3 of the CMA was sufficient to deal with the latter and recommended that OFCOM undertake programmes to educate end-users about the former, alongside developing codes of practice for the legitimate use of monitoring and advertising software.

Areas requiring consideration

Despite these rejections of calls to action, there were several areas where APIG considered that further legislation would be helpful. There is currently a lacuna in the law relating to dishonesty which allows defendants in certain circumstances to argue that “deceiving a machine” is not an offence (eg within the wording of the Theft Act 1978, s 1). This section describes one person dishonestly obtaining services from another [person] and so the actus reus may not be fulfilled where a fully automated system is involved. APIG recommended that this lacuna should be addressed by Parliament without further delay.

APIG also encouraged the Law Commission to expedite its report on the Misuse of Trade Secrets so as to develop a suitable framework for adequately dealing with “data theft” – currently information cannot be “stolen”, not least because there is often no permanent deprivation (eg where unauthorised copies have been made). Although “theft” of data from a computer may involve an offence under s 1 of the CMA, this is not always the case as in the well-known case of Oxford v Moss [1978] 68 Cr App R 183 where university exam papers were taken, copied and returned.

Denial-of-service

A major area of concern raised by several contributors to APIG’s inquiry relates to denial-of-service (“DoS”) attacks. These occur when a deliberate attempt is made to prevent a machine from performing its usual activities by creating a large amount of traffic to or through it. Difficulties occur because each individual item of traffic may, in itself, be a valid item (or indistinguishable from a valid item) notwithstanding that it is part of an overwhelming volume of such items deliberately designed to cause mischief. Furthermore, such overwhelming volumes can occur legitimately, for example when a ticket hotline is oversubscribed and crashes or when genuine publicity or “cyber-protest” results in a surge of access requests to a server.

DoS attacks may involve traffic from only one computer. A refinement of the standard attack, the “distributed denial-of-service” or “DDoS” attack, involves a large number of remote computers mounting an orchestrated attack. Attacks often involve the hijacking of unprotected PCs connected to broadband and other “always-on” connections and may involve the use of spoofed IP addresses, used to hide the true identity and originating IP addresses of the criminal. Such attacks have been tracked to countries such as Russia, Latvia, Kazakhstan and China.

APIG heard that, at the lower end of a scale of disruption, such attacks are sometimes hardly noticeable – no more than a blip in normal traffic volumes. However, at the upper end of effectiveness, networks can be rendered unusable for hours at a time and defending a network against such attacks can be extremely technically challenging, given the difficulty in differentiating between legitimate and criminal activity.
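The detection difficulty described above (each request is valid on its own, and a genuine surge and a hostile one can look alike) can be illustrated with a small aggregate analysis over constructed web-server log lines. This is an added example, not material from the APIG report or this article; the log format, the addresses, the baseline of 50 requests per window and the thresholds are all assumptions chosen for illustration.

```python
"""Aggregate traffic analysis for the DoS scenario discussed above.

Each request is indistinguishable from a legitimate one, so the only
signals available are volume per time window and how that volume is
spread across source addresses. Everything here is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10
BASELINE_REQUESTS = 50      # assumed normal load per window for this service
SURGE_FACTOR = 5            # assumed: 5x baseline is treated as a surge
SINGLE_SOURCE_SHARE = 0.5   # assumed: one source above half the traffic


@dataclass
class WindowStats:
    requests: int
    distinct_sources: int
    top_source_share: float   # fraction of requests from the busiest source
    verdict: str


def parse_line(line: str) -> Tuple[int, str, str]:
    """Constructed log format: '<second> <source_ip> <path>'."""
    ts, src, path = line.split()
    return int(ts), src, path


def build_sample_log() -> List[str]:
    """Four 10-second windows of constructed traffic."""
    lines: List[str] = []
    # Window 0 (0-9 s): baseline, 50 requests from 25 distinct clients.
    for i in range(50):
        lines.append(f"{i % 10} 192.0.2.{i % 25} /index")
    # Window 1 (10-19 s): single-source flood, one host sends 570 requests
    # on top of the same 25 background clients.
    for i in range(600):
        src = "203.0.113.7" if i < 570 else f"192.0.2.{i % 25}"
        lines.append(f"{10 + i % 10} {src} /index")
    # Window 2 (20-29 s): flash crowd, 600 distinct genuine clients, one request each
    # (the oversubscribed ticket hotline case).
    for i in range(600):
        lines.append(f"{20 + i % 10} 10.1.{i // 256}.{i % 256} /index")
    # Window 3 (30-39 s): distributed attack, 600 requests from 300 hijacked or
    # spoofed hosts, two requests each.
    for i in range(600):
        h = i % 300
        lines.append(f"{30 + i % 10} 10.2.{h // 256}.{h % 256} /index")
    return lines


def analyse(lines: List[str], baseline: int = BASELINE_REQUESTS) -> Dict[int, WindowStats]:
    """Bucket requests into windows and classify each window by volume and spread."""
    per_window: Dict[int, Counter] = {}
    for line in lines:
        ts, src, _ = parse_line(line)
        per_window.setdefault(ts // WINDOW_SECONDS, Counter())[src] += 1

    result: Dict[int, WindowStats] = {}
    for w, sources in sorted(per_window.items()):
        total = sum(sources.values())
        top_share = sources.most_common(1)[0][1] / total
        if total < baseline * SURGE_FACTOR:
            verdict = "normal"
        elif top_share >= SINGLE_SOURCE_SHARE:
            # Volume concentrated on one address: a simple flood, which a
            # per-source limit or block would address.
            verdict = "single-source flood"
        else:
            # Volume spread thinly across many sources: the flash crowd and the
            # distributed attack produce the same picture from traffic alone.
            verdict = "surge: flash crowd or DDoS (not separable from traffic alone)"
        result[w] = WindowStats(total, len(sources), round(top_share, 3), verdict)
    return result


if __name__ == "__main__":
    for w, s in analyse(build_sample_log()).items():
        print(f"window {w}: {s.requests} req, {s.distinct_sources} sources, "
              f"top share {s.top_source_share}: {s.verdict}")
```

Windows 2 and 3 receive the same verdict even though one is a legitimate surge and the other an orchestrated attack; separating them needs evidence outside the traffic itself (for example the extortion e-mail that, as the next paragraphs describe, typically precedes an attack), which is exactly why the report treats intent rather than packet content as the defining element of the proposed offence.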

Evidence was heard from ARGO (the “Association of Remote Gambling Operators” – a recently formed trade body for online bookmakers) whose members are regularly subjected to such attacks. Typically, the attacks are preceded with an e-mail request for money to be transferred via Western Union, the sums in question ranging from $10,000 to $40,000. To date, ARGO members have stuck to the group’s policy not to give in to the blackmail which purports to offer 12 months’ protection from such attacks and promises no further requests for money for two years. Other operators who have paid up have found themselves faced with renewed requests and threats, despite any promises made by previous blackmailers.

BT also identified DoS and DDoS as areas where new legislation was urgently needed. It also told APIG that it tended to rely on legislation other than the CMA to deal with hackers and blackmailers, finding offences relating to the “fraudulent use of a telecommunications system” simpler mechanisms for charging criminals.

One of APIG’s concerns was that the police in general (and the National Hi-Tech Crime Unit in particular) do not have sufficient resources to deal with even a fraction of the DoS attacks which occur each day, even where these are currently covered by the CMA. APIG was worried that it would actually be detrimental to the aims of the CMA regime to include a new offence which might be rarely investigated and prosecuted. However, on balance, APIG recommended that Parliament introduce a new offence of causing a DoS attack, with an “aggravated” offence where the attack was linked to further criminal activity. It also suggested that the Director of Public Prosecutions should adopt a permissive policy towards the bringing of private prosecutions so that, in the absence of police or CPS interest, an aggrieved party has an alternative to a civil law suit.

Miscellaneous cybercrime issues

APIG was also of the opinion that the introduction of a new and serious offence relating to DoS would send an equally useful message to criminals (that their activities would be taken seriously) and to the courts, the CPS and the police (that they should not lightly disregard such activity). This represents a general underlying theme in APIG’s report of the need to emphasise the seriousness of cybercrime and to educate all interested parties about it and the resources available for tackling it.

Noting the present dearth of reliable information, APIG recommended that the Home Office should collect statistics so the police among others can have a more accurate picture of what is going on. It also suggested that police forensic experts create simple and effective checklists and procedures for collecting, preserving and using digital evidence.

Another way in which APIG would like to turn up the heat on criminals is by increasing the maximum sentence under s 1 of the CMA to two years. This would have the added benefit of making it an extraditable offence – APIG heard that, despite the wide jurisdiction of the CMA, the only international effect to date seems to have been to facilitate extraditions from the UK to other countries such as the USA (eg Yarimaka and Zezev [2002] 2 Cr App R 515). In future, perhaps we will see more extraditions to the UK of those whose crimes are caught by the CMA. The increased sentence would also allow prosecutions to be brought for inchoate offences (eg attempting or inciting unauthorised access).

In general, APIG was satisfied with the UK’s approach to its international obligations in the area of cybercrime. Although the Council of Europe’s Convention on Cybercrime has not yet come into force and has not yet been ratified by the UK, APIG was satisfied that the majority of its mandatory requirements are reflected in UK domestic legislation. The main exception is the creation of an offence covering the misuse in various ways of passwords and other access data. This is currently being considered by the Government which has indicated it would like to be fully compliant by 2005. Given the comprehensive nature of the Convention and its signatories, it is set to be one of the foremost international frameworks in this area of substantive and procedural criminal law.

The EU Framework Decision on “attacks against information systems” (COM (2002) 173 final 19 April 2002) is likely to be formally adopted later in 2004. Member States will then have two years in which to implement it. APIG noted that the legal language of the Framework Decision is different to that used in the CMA and in UK case law but called on the Government to resist any temptation to make unnecessary cosmetic changes to existing UK law, believing that the UK already complies with the spirit if not the letter of the Framework Decision.

Summary

APIG was generally of the impression that the CMA is still in good repair and does not need major amendment.

The wide, flexible regime imposed by the CMA has survived recent technological advances respectably and only requires a few minor adjustments. A more pressing concern is to educate all relevant parties about the full extent of the current regime and to encourage them to make full use of it. This should be achieved by a programme of better information gathering, better education and greater awareness of what is currently provided for by the CMA.

The addition of further offences would not necessarily solve perceived problems and, in any case, Parliamentary time is unlikely to be forthcoming unless specific cases can be identified where the CMA does not currently permit a prosecution to be brought but which ought to be controlled by criminal law. The major exception to this is a recommended new offence to tackle DoS attacks.

Graeme Fearon is a partner in Thring Townsend of Bath, Swindon and Newbury.