GreenNet CSIR Toolkit Briefing no. 8

Computer Crime

The law on the misuse of computers and networks

Written by Paul Mobbs for the
GreenNet Civil Society Internet Rights Project, 2002.
http://www.internetrights.org.uk/



Computer crime is an oft-used term that has a very vague meaning. The law on computer crime tends to lag behind the actual practice of computer-based crime much more than is the case in other branches of crime.

Computers are a tool, and, like any other tool, can used by people intent on causing damage or carrying out some form of illegal activity. The nature of today's Internet and computer networks means that criminal activity can be carried out across national borders. This can create problems over the jurisdiction of those investigating the crime, and over differences in the law of the relevant countries where the crime took place; an activity deemed criminal in the home country of the target of the crime, for example, may not be considered so in the country from which the offending action was launched.

There are number of ways in which computers can be used for crime:
  • to commit 'real-world' crimes, such as forgery, fraud or copyright piracy, just like any other technical device; these types of computer-enabled crime are not usually prosecuted using other relevant laws rather than computer crime law;

  • to damage or modify other computerised systems; these are the types of activity that are usually prosecuted using computer crime legislation;

  • used for activities that cannot be prosecuted but that skate around the edges of legality; to the frequent frustration of law makers and security consultants, these sorts of activity cannot be legislated against because they often employ everyday, lawful means on the Internet.

Computers and the Internet are complex, but they function on a very narrow set of technical principles. This provides great flexibility, but makes it very difficult to legislate against certain types of activity without affecting others.

Recent legislation for clamping down on computer-based crime has fallen into just this sort of trap. Provisions in the Regulation of Investigatory Powers (RIP) Act 2000 for mass-surveillance of certain computer networks, for example, means that many innocent people could be covered as part of efforts to control a very small minority of 'Net users.

Governments and security organisations have in the past traded on the general lack of understanding of computers and the Internet to justify a more repressive approach to regulating the Internet, on very flimsy evidence. Examples of this are:
  • The Parliamentary debate on the Computer Misuse Act 1990 (see Hansard, 9th February 1990) - this debate was extremely alarmist, and mischaracterised the threats to online systems as well as the solutions to those threats. Much of the evidence advanced during the debate to justify the need for the Act (which was a Private Member's Bill introduced by Emma Nicholson MP) was poorly researched; a lot of it was merely scare stories promoted by certain sections of the media. It is arguable that at that time there was any need for computer misuse legislation at all.

  • Recent justification for regulation to control the fraudulent use of credit cards on the Internet - credit card abuse on the Internet represents only 2% of all credit card fraud. A wide variety of actions, such as logging all transactions on the Internet by all users, have been proposed to control this problem. 'Net-based credit card fraud is not as easy to carry out as other forms.

Clearly, such debates are not based on the facts of the threats involved. Many of the problems which cause disruption to computers, be it viruses or the cracking of online systems, are actually enabled by poor software.

We must therefore question whether it is more effective to introduce measures with serious civil liberties implications (such as the RIP Act) or require software producers such as Microsoft to plug the serious security holes in their computer software.

The following sections consider the current scope of the law in relation to computer and computer-enabled crime. The last section also looks ahead to the impact of future laws, such as the proposed Cybercrime Convention.



Computer-enabled crime

Computers enable crime - from the scanning of documents as part of a fraud, to the use of office software in managing the proceeds of crime.

Ordinary laws are currently used to prosecute five types of computer-enabled crime:


Fraud

As the Law Commission has noted [1], computer-enabled fraud is not new; it just takes 'real world' frauds and uses the Internet as a means of reaching the victim.

Computer-enabled fraud comes in many forms, from get-rich-quick schemes that don't exist, to emails that demand an additional fee to be paid by credit card via a web site to prevent losing Internet access. Most computer-enabled frauds are able to take place because:
  • People do not understand how the technology works, and so are fooled into taking an action; or

  • People put too much faith in the information they receive via their computer and so undertake actions that they would not ordinarily do in the real world.

Computer-enabled fraud, especially that using the Internet, is difficult to investigate. This is because many fraud-related sites are temporary - operating only for a few days before disappearing. Many frauds are enabled in one country but carried out in another, making it difficult for police to investigate.

In the UK, fraud is characterised as (Section 15, The Theft Act 1968):
    A person who by any deception dishonestly obtains property belonging to another, with the intention of permanently depriving the other of it? For the purposes of this section 'deception' means any deception (whether deliberate or reckless) by words or conduct as to fact or as to law, including a deception as to the present intentions of the person using the deception or any other person.


However, cases involving the use of machines, or the Internet, as part of deceptions [2], have found that a deception, and hence fraud, cannot take place where a machine is manipulated by others to obtain a service (giving a false credit card number when signing-up for an online service, for example).

These means that it is unlawful for you to be defrauded by a computer-related system, but it is not unlawful for you to defraud a computer. The courts do not regard a machine to be 'deceivable' because it is automated. The one exception to this is where the deception involves a licensed telecommunications service, such as dial-up chat lines or pay-per-view TV cards, in which case it would be an offence under section 42 of the Telecommunications Act 1984. The Law Commission (consultation paper 155, noted above) has recommended that new legislation should be drawn up to deal with this anomaly.

Another problem with the current law on fraud is that the courts have not recognised the information stored on computers as constituting 'property'. In a case involving the alteration of mortgage records, and another of a student photocopying an exam paper and then replacing the original, the courts chose to view the information contained in the records as being incidental to the physical property involved. This has implications for the use of information as part of 'fraudulent' actions. In the former case, following the decision of the court the government had to rush through emergency legislation to introduce a new offence of 'obtaining a money transfer by deception'. But the general principle, that obtaining information, providing the original physical article had not been taken, is not unlawful, still applies.


Forgery

Forgery is the art of passing off a copy of something as the real article. Computers can be very useful for passing off documents as real - for example scanning a signature and then laser printing that signature onto another document, or scanning a driving license, altering the required information, and then printing out false driving license using a colour laser printer for use as bogus identities.

Computers are particularly able to forge digital information. This is because digital information can be copied and manipulated with very little evidence of alteration or replication having taken place.

Under UK law (Section 1, Forgery and Counterfeiting Act 1981),
    A person is guilty of forgery if he makes a false instrument with the intention that he or another shall use it to induce somebody to accept it as genuine.


The law on forgery can therefore encompass a whole variety of activities that can be enabled by computer. A 'false instrument' could be a floppy disk, tape, sound track or other device upon which information is recorded, as well as documents, articles and images. Therefore the existing law adequately covers the common uses of computers for forgery and counterfeiting.

The only quirk in the current law exists because of a 1987 case that came before the High Court, before computer misuse legislation was enacted in the UK. The court decided that the passwords sent to a computer could not be considered forgeries since, in the same manner as fraud, it was not possible to ask a computer to determine the difference between a real article and a forgery. The case arose when someone gained access to BT's Prestel service and then to people's mailboxes. It has implications for circumstances where someone uses a forged identity (a copy of a machine-readable card, for example) in order to gain access to a location or online service, but where the use of the forged card does not constitute a fraud or computer misuse.


Obscenity and hate speech

Computer-based pornography and other images or material have been one of the main grounds of calls for greater regulation of the Internet. Current law, however, already covers the distribution of obscene images over the Internet, or by other forms of computer hardware such as disks or CDROMs.

Principle legislation covering computer-enabled obscene publications is:
  • Section 43 of the Telecommunications Act 1984, which prohibits the sending of obscene material over public telephone networks; and

  • The Protection of Children Act 1978, as amended by the Criminal Justice Act 1988 and the Criminal Justice and Public Order Act 1994, on the creation or possession of child pornography.

The other 'obscenity' that pervades computers is hate speech - for example, homophobic or racist material.

The UK law currently addresses racist material through section 17 to 28 of the Public Order Act 1986:
  • Section 17 defines racial hatred as 'hatred against a group of persons defined by reference to colour, race, nationality (including citizenship) or ethnic or national origins';

  • Section 18 makes it a criminal offence to use 'threatening, abusive or insulting words or behaviour' that express racial hatred. The term 'words' also applies to the written word, but with the caveat that the intent of these words must be to incite racial hatred (this exists to differentiate hate speech from literary or dramatic material);

  • Section 19 applies the above terms to the publishing of material that incites racial hatred; and

  • Section 23 makes it an offence to possess material that incites racial hatred.

Currently there is no law that covers action or material that advocates hatred of homosexuality (either via computers or otherwise) unless such action amounts to threatening violence or constitutes a breach of the peace (which it is unlikely to do via computer).


Criminal damage

Prior to the implementation of the Computer Misuse Act 1990, damage to computer systems was prosecuted as criminal damage under the Criminal Damage Act 1977. Although a prosecution for criminal damage is unlikely, it is still possible where the case for 'computer misuse' is tenuous. This might be where an employee deletes files from an employer's computer system as a means of retribution or revenge against the employer, for instance.

For a prosecution to succeed on the basis of criminal damage, it must be demonstrated that the system affected has been physically damaged. The law of criminal damage does not reflect the incidental value of the data on a computer system, only the computer system itself. So, for example, the deletion of an extremely valuable database is not criminal damage. On the other hand, a person causing the electrically programmable ROM BIOS chip (vital for the computer to function) erase itself, and rendering the computer useless, would be guilty of criminal damage.


Copyright

Most offences in relation to copyright are civil offences, and therefore require legal action to be instigated by the owner of the copyright that is being violated.

Certain industrial-scale operations, however, such as the bulk copying of computer software, can be prosecuted as a criminal offence under section 107 of the Copyright, Designs and Patents Act 1988.



The Computer Misuse Act 1990

The Computer Misuse Act 1990 covers certain offences specific to the penetration, alteration and damage to computer systems.

The law itself was drafted very generally, in the hope of ensuring enough scope so that the law would not date, as computer technology developed. However, this means that the Act can be rather a blunt instrument. If, for example, you changed the settings on your neighbour's computerised washing machine without permission, you would technically be in breach of section 3.

Computer crime also raises issues of data protection. Some actions involving computer crime, such as authorised access to data for unauthorised purposes (there have been some prosecutions of police officers who had access to the police national computer on this basis), then the Computer Misuse Act is not applicable. This is because the Act only considers 'unauthorised access'. However, it is possible for authorised access to a computer, for unauthorised purposes, to be prosecuted under the Data Protection Act 1998.

To understand the operation of the Computer Misuse Act it is necessary to consider the three main sections, according to their function. We look briefly at the Data Protection Act after that.


Cyber-trespass - section 1

Section 1 of the Act covers offences in relation to 'unauthorised access'. As noted above, there is a loophole in relation to those who have authorised access, and use it to undertake activities not covered by section 2 or 3 below.

'Access' itself is a broad term. As well as actual unauthorised access or logging onto a system, it could also encompass just turning a computer on. An offence under section 1 is punishable by a £20,000 fine or 6 months imprisonment.

For an offence to be committed you must seek to access the computer in order to use or obtain access to the programs or data it holds. The first prosecution under section 1 of the Act (involving a former company employee who obtained a discount on goods by entering a command on computer when purchasing goods from the erstwhile employer's store) created a serious challenge to the Act. The court accepted the argument that the original drafting of the Act implied that two computers must be involved (such as an Internet-enabled hack attack on another computer, for example). For this reason the Government appealed the decision and had it overturned in the Court of Appeal.

An important aspect of section 1 is the matter of 'intent'. The section is drafted in such a way that intention to access a computer is all that matters. So if you try to access the computer, and fail, then you would still have committed an offence if your intent was to gain access. This creates a problem of proof for those using certain tools on local networks or the Internet for tracing information. For example, using a 'port scanning' program to probe the services available on a computer and whether or not they are working.

Some computer misuse legislation in other countries, such as the Norwegian Penal Code, requires that an attempt be made to pass or circumvent the security measures installed on the system. Indeed, during the passage of the UK Bill there was a proposed amendment to section 1, requiring that it only be used for prosecution where the computer's operators had put measures in place to prevent access. This amendment was defeated.

This section of the act clearly raises the issue of someone innocently stumbling into an unsecured area of a computer/web site, and obtaining or viewing information; Under the current drafting of section 1, the owner of the system could successfully prosecute on the grounds of unauthorised access.


Cyber-theft - section 2

Section 2 of the Act deals with the objectives of unauthorised access.

Many professional hackers do not crack the security of a particular computer with the intent of accessing the information on that computer. Instead, they use that computer as a base, or zombie, from which to carry out attacks on other systems. In this way they can remain one step removed from the computer that they are targeting.

Section 2 covers offences where access is secured to a computer for the commission of a 'relevant offence' (that is, any crime for which the penalty is fixed by law, or which carries a prison term of five years or more), and on conviction carries a sentence of five years' imprisonment.

As with section 1, the section is drafted in such a way that it is the intent that matters, not whether the offence was possible.

For example, if you penetrated a bank's computer system intending to move £10,000 to another account, you would still be guilty of an offence under section 2 even if doing so was actually impossible (because of the configuration of the system).

The drafting of this section also means that the offence need not be committed on a particular occasion. Therefore if someone penetrated a computer with the intention of setting up an account to access the site in the future for some sort of fraud, they would be committing an offence under section 2 even if they never returned to commit the offence.

Under sections 1 and 2, a prosecution can also be on the basis of a conspiracy. For example, if someone penetrated a computer to obtain the identity keys for a number of mobile phones; gave or made available that information to someone else; and that person used it to reprogram mobile phones to obtain calls on someone else's bill - then the person would be guilty not only of unauthorised access under section 1, but also of conspiracy for theft or fraud under section 2.


Cyber-violence and Malware - section 3

Cyber-violence is a general term to describe the wrecking, wiping or deletion of information from a computer system. Malware (i.e., software that causes you harm) usually relates to computer viruses, worms or Trojans which may cause similar damage.

Section 3 covers offences where, having accessed a system, either in person or through the guise of a computer virus or some other automated means, a person modifies the computer system in a manner that 'impairs' its operation. Section 3 carries a sentence of up to five years' imprisonment.

Once again, the drafting of the law in this section is on the basis of intent. Therefore, if someone writes a computer virus with the intent of releasing it to others, they are guilty of an offence at the moment of release, rather than when, or even if, it successfully infects a computer system.

Software program writers need to take careful account of section 3. It means that software should not be designed to delete anything without the express consent or authorisation of the computer's user.

An early prosecution under this section was that of a software writer who distributed software for free; if the user wished to use the programme they had to be licensed for the software within 30 days, or else the program deleted itself. One user presumably complained about this, and the court decided that it constituted 'unauthorised modification' under section 3 and the program writer was successfully prosecuted.


The Data Protection Act and unauthorised access to personal data

The Data Protection Act covers 'unauthorised' access.

The limitations of the Computer Misuse Act were seen in the case of DPP v Bignell, where two serving police officers accessed the police national computer (for which they had authorisation) to obtain information for their personal use. The court decided that the Act protected the computer system as a functioning unit, but not the value of the data stored upon the system.

The Data Protection Act 1998 covers specific offences relating to the processing of data without the authorisation of the data subject, and to the unauthorised procurement of data. Although the operator of a data bureau would usually be responsible, section 61 of the Data Protection Act provides that a director, manager or similar officer can be found personally liable for any wilful or neglectful breach of the Act. Whilst access to the data on a system does not, therefore, constitute a crime under the Computer Misuse Act if it is carried out by an authorised person, it could be an offence if that data were personal data notifiable under the Data Protection Act. (For a more detailed briefing on the workings of the Data Protection Act see the GreenNet CSIR Briefing no.2 on Data Protection.)



New laws for the 'Net

The above laws represent the framework of computer-related law in the UK until 2001. New laws are due to be enacted by early 2002 to take account of the need for a legislative framework for e-commerce and the Internet.

One of the Government's priorities in its first term was to update existing laws on surveillance and telecommunications. The result of this review, the Regulation of Investigatory Powers Act (RIP) 2000, introduced new powers for police and the state to intercept communications via the Internet, and enhanced existing powers to intercept telecommunications.

The RIP Act also created a number of new powers and offences with serious implications for civil rights on the Internet:
  • Under the heading of the maintenance of interception capabilities, the Government, backed up by the courts if necessary, can force an Internet service provider to copy some or all of their traffic, redirecting it to a new computing centre being developed by the security services (MI5). The purpose of this is to aid the collection of traffic data (used to map the movement of communications between persons on the 'Net) and to allow the surveillance of groups or individuals. There is also a proposal to store this information for between four and seven years.

  • The Act creates powers whereby people who hold encryption keys may be forced to disclose them or else face prosecution. It includes a clause which provides that such a person may be prohibited from informing anyone else that they have been served with notice to disclose a key.

The real impact of this legislation remains to be seen, and we will have to wait a few years to see how it affects the operations of Internet service providers and those who are investigated under the Act.



Future developments in legislation

There have been a number of proposals in recent years for some form of international co-operation on computer crime. These have often been made on the basis of economic rather than crime concerns, by groups such as the Organisation for Economic Co-operation and Development (OECD).

Efforts have been made to establish increased co-operation on the use of extradition, and to deal with questions of jurisdiction within that. This does not solve the problem of variation and incompatibility between states' legal codes, however, and there is still no internationally agreed definition of computer crime.

The European Union has made some progress on a co-ordinated approach to computer crime. The Treaty of Rome did not cover police and security activities, but with the Maastricht Treaty the work of the European Union has extended to a new 'Third Pillar' of home affairs and justice. This has spawned a new European project, ENFOPOL [3], part of which involves setting standards for the monitoring and investigation of computer crime.

The new Cybercrime Convention covers the same types of issues outlined earlier - computer intrusion, forgery, copyright and pornography. It also extends the current law. Its definition of offences related to 'aiding and abetting' other offences covered in the treaty has implications far beyond existing conspiracy laws in the UK. It formalises the procedure for the search and seizure of computers (much like the FBI's current policy in the USA). The treaty also incorporates many of the features of the Regulation of Investigatory Powers Act (RIP) 2000 in relation to forcing the disclosure of decryption keys. The treaty also incorporates UK proposals for the monitoring of networks, under proposals for the acquisition and storage of traffic data. Information gathered will be available for exchange between all the national governments signing up to the treaty, potentially creating a seamless web of surveillance of activities using electronic networks across Europe.

The development of the treaty, in the face of opposition from many groups across Europe, will define, to some extent, how the Internet will be used by groups actively working for change - particularly those who use the Internet to organise protest actions. The experience of the interpretation and development of the RIP Act in the UK is a valuable indicator of what we may expect.



Further work

This briefing has been written in the context of the legal framework currently in force in the UK. If you live outside the UK you will need to make yourself aware of the procedures operating in your own country. Key points you will need to find out are:
  • Does your state have specific laws on computer misuse?

  • Do data protection laws define forms of computer misuse?

  • Are there other aspects of the law, particularly in relation to sexual material, racial harassment or defamation that apply additional legal sanctions for the misuse of computers and computer networks;

  • Have there been any significant prosecutions of computer hackers which have defined how systems for tracking and prosecuting computer misuse works?

  • Does your state intend to adopt the proposals contained in the Cybercrime Convention?

You should also contact any civil liberties organisations operating in your country. They may be able to provide you with much of the information you need computer misuse.



The GreenNet Internet Rights Project

GreenNet is the UK member of the Association for Progressive Communications (APC), and is leading the European section of the APC's Civil Society Internet Rights Project. The primary goal of this project is to provide the resources and tools necessary to defend and expand space and opportunities for social campaigning work on the Internet against the emerging threats to civil society's use of the 'Net. This involves developing ways and means of defending threatened material and campaigning, as well as lobbying to ensure a favourable legal situation for free expression on issues of public interest.

Until recently, the social norms of Internet communities, together with a very open architecture based on supporting these norms, regulated the Internet, and was responsible for its openness. The main forces of regulation now, however, are the business sector and government legislation. Corporations and governments are pressing for fundamental changes in legislation and in the architecture of the Internet. Unless challenged, these moves could radically change the nature of the 'Net, making it a place of oppressive controls instead of freedom and openness. It is in this context that APC's Internet Rights project is being developed.

This briefing is one in a series that document different aspects of work and communication across the Internet. Although written from the perspective of the UK, much of its content is applicable to other parts of Europe. There is continuing work on these issues, as part of the European project. If you wish to know more about these briefings, or the European section of the APC Civil Society Internet Rights Project, you should contact GreenNet. You should also check the APC's web site to see if there is already a national APC member in your country who may be able to provide local help, or with whom you may be able to work to develop Internet rights resources for your own country.



References

  1. Paragraph 8.42, Law Commission Consultation Paper No.155 - Legislating the Criminal Code: Fraud and Deception

  2. The Clayman case - see Times Law Reports, 1st July 1972

  3. The purpose of ENFOPOL is specified in a written answer in the Journal of the European Communities [C 13.32 EN 18.1.1999 - 1999/C 13/043] - http://www.heise.de/tp/english/special/enfo/6389/1.html








Free Documentation License:

Copyright © 2001, 2002 GreenNet and Paul Mobbs. Further contributions and editing by Gill Roberts and Karen Banks. The project to develop this series of briefings was managed by GreenNet and funded by the Joseph Rowntree Charitable Trust.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1or any later version (see for a copy of the license).

Please note that the title of the briefing and the 'free documentation license' section are protected as 'invariant sections and should not be modified.

For more information about the Civil Society Internet Rights Project, or if you have questions about the briefings, contact ir@gn.apc.org.