electrohippies Occasional Paper No.6, May 2002

The Computer Misuse (Amendment) Bill

Produced by Paul Mobbs/the electrohippie collective.

The Computer Misuse Act (CMA) 1990 created new offences in UK law relating to computer 'cracking' – unauthorised access to, breach of the security of, and damage to any type of computer system.

Now the opposition Conservative Party in the UK's Upper House, the House of Lords, is promoting a new law – The Computer Misuse (Amendment) Bill – that seeks to extend the powers of the CMA to 'denial of service' actions. But in the process it potentially criminalises lobbying or protest via the Internet that causes 'degradation' or 'other impairment' of a computer system. In fact, the definition is so broad that it could threaten any online lobbying or protest, because such action may have the potential to make life difficult for those who are its target.

This briefing reviews the Bill, what it seeks to do, and why, in the context of how the Internet works, it would suppress freedom of expression on the Internet.

The Computer Misuse (Amendment) Bill

On 1st May 2002, The Earl of Northesk introduced the Computer Misuse (Amendment) Bill into the House of Lords. It was immediately accepted for its 'first reading' without any comment [See Hansard, 1st May 2002, Column 691].

It is not a government Bill. It has been introduced by the opposition Conservative Party. Earl Northesk is the Conservative front bench spokesman for the Cabinet Office, Treasury, and Work & Pensions in the House of Lords. Government Bills receive support from the relevant government department – to provide additional information to the public such as regulatory impact assessments. Opposition Bills have no such support. Apart from the text of the Bill itself, there is no other material that explains the reasoning behind the Bill. Nor is there any elaboration on the perceived 'threat' to electronic networks from denial of service actions, or any discussion of how this Bill specifically addresses the problem.

The Bill contains one main clause which amends the text of the 1990 Act. There are two proposed amendments:

The problem with this proposed law is that it does not differentiate between different types of denial of service. It treats the actions of criminals blocking sites to affect global markets, or to bankrupt online traders, in the same way as online lobbying or protest action that overloads the email inbox of a government official.

The important part of the proposed amendment, the new Section 3A to be inserted into the Computer Misuse Act 1990, states:

The effect of subsection (1) is to criminalise any action, proposed or carried out, that impairs the function of an Internet server – whether or not that was the intent. The limitation on this subsection is subsection (2), which would allow the defence that a person was ignorant of the impact of their actions. However, to use this defence it would have to be proven that the person had no possible knowledge that the action would cause impairment to the server's operation. In practice this could be difficult to do, if only because of the publicity given to the potential impacts of online protests.

In our Occasional Paper No.1, 'Distributed Denial of Service', we outline the theory behind distributed denial of service (DDoS) actions. Whilst the means of carrying out actions may have moved on, the theory is still the same. As with the discussion in that paper, in deciding whether the use of DDoS is legally valid we must assess the action by its purpose, not purely by its means.

The likely outcome of legal action under Section 3A is that an individual computer 'cracker', who plans or executes a denial of service action, would be liable to prosecution. the electrohippie collective have no objection to such a law. What we object to is the fact that the law, as currently worded, would also catch the organisers of online lobbying or protest action. As such the law has the potential to restrict freedom of expression, and the exercise of civil and political rights online.

The UK is not alone in trying to regulate denial of service. But others have taken a less rigid approach. The European Commission is planning to implement a new directive on 'attacks against information systems'. This, in part, follows on from the recent implementation of the Council of Europe's Cybercrime Convention. Whilst this draft directive seeks to address the problems created by high-tech crime, it could potentially impact the rights of people to protest online in ways that cause 'network disruption'. But the drafting of the framework directive provides a more flexible interpretation of online action than the Computer Misuse (Amendment) Bill.

Article 4 of the draft framework relates to the 'Illegal Interference with Information Systems'. This has a more expanded definition of 'interference' than the current Bill, describing it as:

and –

This definition is further qualified in the explanatory text of Article 4:

The EU's draft framework is not perfect, and needs amendment to specifically recognise the potential impacts upon civil, political and human rights. But it is a significant improvement upon the text of the Computer Misuse (Amendment) Bill. This is because it accepts that many instances of interference with information systems will not be 'serious' in nature – and therefore not actionable.

When implementing European legislation, Parliament must have regard to all the terms of that legislation. It is arguable that the current Bill would not comply with the Commission's directive because it would not contain the same flexibility over definitions, and over the applicability of the law to 'minor nuisances'.

It is also worth noting that the Council of Europe, following on from the criticism of its drafting of the Cybercrime Convention, has recently consulted on a framework for a 'Draft Declaration on Freedom of Communication on the Internet'. This, conforming with Article 19 of the UN Universal Declaration of Human Rights and Article 10 of the European Declaration of Human Rights, accepts that the public have a right of access to the Internet for communication. However, the Internet is not a point-to-point communication system; it is multi-point – for example, Internet chat rooms. It must then follow, accepting the public's right of access to the 'Net, that they must also be able to exercise the rights of association and peaceful assembly there.

When a Bill is brought before Parliament, it is required that the compatibility of the Bill with the European Convention on Human Rights is assessed. In this case, it would appear that a misunderstanding of the technical principles involved with 'denial of service' has led to the creation of a Bill which will damage the public's Convention rights. Exactly how this Bill was drafted, and what/who influenced its drafting, needs to be established.

Under a critical interpretation, this Bill could actually be used to stifle dissent or protest online. It could be used as a threat to intimidate anyone from using the Internet as a means of protest. Government departments or corporations may respond to online protest by requiring that the police investigate those who organised or participated in the action. In turn, this will dissuade the public from action online. As we move towards a society where electronic networks are one of the major conduits for dialogue and debate, stifling protest online will effectively stifle the rights of the public to take protest action generally.

The problems of regulating against 'denial of service'

'Denial of service' is the exploitation of security flaws, or the manipulation of Internet traffic, to shut down or overload an Internet server. There are a large number of ways this can happen. Denial of service has always been a problem for regulators because, from a technical point of view, it does not always require a breach of security to achieve. This makes legislating for what is, or is not, a denial of service action very difficult. As in the case of this Bill, bad definitions can have impacts beyond the set of actions that the law seeks to prohibit.

The classic Internet denial of service action has always required the hijacking of Internet servers. Therefore denial of service has traditionally been prosecuted as 'computer misuse' rather than as an offence in its own right. It is also possible to initiate a denial of service action by exploiting flaws in the security of the computer software that runs the Internet server, causing it to crash. But often this will also involve the breach of front-line security.

Either of these methods could be prosecuted under the existing Computer Misuse Act. But legal action may be difficult where the attack does not involve a breach of front-line security in order to exploit software flaws. However, there is an argument – expressed in the Parliamentary debate on the original Computer Misuse Act – that an action which exploits security flaws, without having to breach any preventative security, is the fault of the software developer. The Data Protection Registrar also commented [see the debate on the Computer Misuse Bill, Commons Hansard, 9th February 1990 (columns 1139/1166)], in relation to the Bill that became the Computer Misuse Act 1990, that computer operators should enact minimum security standards to protect systems. It should not be left to the deterrent of legislation.

Recently campaign groups have begun to develop online actions that coordinate participants over the Internet. This can involve people e-mailing a certain address, or using the feedback or information services of a certain web site. If enough people respond to the call for protest it could, wholly or partly, result in denial of service. In such cases, the effect of this Bill would be to create an inconsistency in the law – where real world lobbying or protest would not be unlawful, but online action may be.

Online activism or 'hacktivism' groups, such as the electrohippie collective, have developed tools that are specifically designed to degrade or deny the service of an Internet server. These are generically described as 'cyber-sit-in' tools, because they have been developed on the same principle as a real world demonstration or 'sit in'. Internet users deliberately block access to an Internet site as a protest against the actions of those who control that site.

One distinction between cracker DDoS and protest-based DDoS is the way in which the action is carried out. Cracker-initiated DDoS is almost exclusively 'server-side'. This means that the cracker takes over one or more servers of a similar size to the target server, and then uses these to bombard the target server. Protest-related DDoS is almost exclusively 'client-side'. That means that the action is mounted from Internet users' own computers. Because the line capacity of a single user's computer is far less than that of a server, a client-side action takes thousands of users working simultaneously to be effective. This in itself provides an effective filter for 'inappropriate' online actions. Any action which does not have general support will not receive large numbers of participants, and so will not be effective.

Whilst there may be technical similarities between the 'malevolent' forms of denial of service and protest-oriented denial of service, their method of operation is entirely different. The denial of service action initiated by an individual or a small group for their own gain is almost exclusively covert. They take many measures to hide their identity and location. They will also use methods, such as 'masking' Internet addresses, to hide the true location of the server(s) originating the action. The online actions of campaign groups or hacktivists are not covert. In fact, they take great effort to publicise their action because, without the mass participation of the online community, it will not succeed.
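The two profiles described above leave different traces in a web server's own logs: a server-side action arrives from a handful of heavy sources, a client-side action from many light ones. The following is an added example, not code from the electrohippies or from this paper, showing how a site operator could triage a surge from Common Log Format access logs. The log lines, the `top_n` window and the 0.8 concentration threshold are constructed/assumed values.

```python
"""Triage a request surge by how concentrated its sources are.

Parses web-server access-log lines in Common Log Format and reports whether
the load came from a few heavy sources (the server-side profile) or from many
light sources (the client-side profile). Thresholds are assumptions to tune.
"""
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def source_counts(lines):
    """Return a Counter of requests per source host; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def concentration(counts, top_n=3):
    """Share (0.0-1.0) of all requests sent by the top_n busiest sources."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(top_n)) / total


def classify(counts, top_n=3, heavy_share=0.8):
    """Label the surge profile; 'heavy_share' is an assumed site-specific cut-off."""
    if not counts:
        return "no-data"
    if concentration(counts, top_n) >= heavy_share:
        return "few-heavy-sources"
    return "many-light-sources"


# Constructed sample logs: three hosts sending almost everything, versus
# twelve distinct hosts sending a request or two each (plus one junk line).
SERVER_SIDE = [f'10.0.0.{i % 3 + 1} - - [01/May/2002:10:00:{i:02d} +0000] "GET / HTTP/1.0" 200 512'
               for i in range(30)]
SERVER_SIDE.append('192.0.2.9 - - [01/May/2002:10:00:59 +0000] "GET /about HTTP/1.0" 200 128')
CLIENT_SIDE = [f'198.51.100.{i} - - [01/May/2002:10:01:{i:02d} +0000] "GET /contact HTTP/1.0" 200 256'
               for i in range(1, 13)]
CLIENT_SIDE += ['198.51.100.5 - - [01/May/2002:10:02:00 +0000] "GET /contact HTTP/1.0" 200 256',
                'not a log line']

if __name__ == "__main__":
    for name, log in (("server-side", SERVER_SIDE), ("client-side", CLIENT_SIDE)):
        c = source_counts(log)
        print(f"{name}: {len(c)} sources, top-3 share {concentration(c):.2f}, {classify(c)}")
```

The concentration figure is only a starting point for investigation; spoofed or proxied addresses, as the paper notes, can disguise where traffic really originates.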

If we wish to protect the rights of the public to take action online, we must arrive at a definition of acceptable and unacceptable online action that encompasses the objectives of the action and its 'democratic accountability'. This involves issues such as openness, and the requirement for wider public participation to make the action effective. In this way we can differentiate the actions of the computer 'crackers' from those of the online campaigners and 'hacktivists'.

Next steps

The Bill has received its first reading, and was approved. It will now be given Parliamentary time for debate – as yet this has not been announced in the 'future business' of the House. The length of time will depend on how many amendments are put down. Being such a short Bill – one page – this may be only a few hours.

To be successful the Bill will need to receive government support. However, given the recent security agenda of the Labour government, pursued even in the face of protest over its civil liberties implications, this support may well be forthcoming. The main problem we have is ensuring that Parliament debates this issue rationally, and that the debate is not dominated by the briefings of computer industry and security lobbyists.

The Parliamentary debate on the original Computer Misuse Act [see Hansard, 9th February 1990] was dominated by industry-fed scare stories. A number of the MPs in the debate declared interests involving the computer industry. There was little debate on the wider implications the law could have for the wholly innocent use of computer networks – for example where someone accidentally gained access to parts of a computer where there was no security to keep them out. The comments of MPs also showed a bias towards the media- or industry-sensationalised stories of computer hackers:

There was certainly no debate on the impact of Microsoft's dominance of the computer industry, and the poor level of security within Microsoft systems which has enabled the spread of security exploits or computer viruses.

A large part of the debate was also skewed by unsubstantiated estimates of the damage being caused by 'computer hackers'. For example:

Much of this information was based upon information from the Confederation of British Industry, and at no point was the accuracy or validity of the information challenged by MPs. Challenging this evidence is important, because we have to question how these figures are arrived at, given that most companies are reluctant to discuss their problems with computer security. We should also compare the impacts of hacking/denial of service with other costs. For example, some studies state that the majority of data loss in industry is caused by the error of computer operators, or by software faults.

It is important that the online activism community organises to meet the threat of this damaging legislation. The next steps in the campaign, as we see it, are as follows:

Further information and updates will be provided via the electrohippies web site:

© 2002 the electrohippie collective. Produced by Paul Mobbs. Released under the GNU Free Documentation License
(with invariant sections being the document title and author identification, no front-cover texts, and no back-cover texts).