Tuesday, December 2, 2008

Computer hacking: how best to solve it

IP Freely is currently watching episode three of 'The Barristers' (a BBC documentary about barristers for those of you who are unaware) and doesn't have time for blogging, so by way of a stop-gap you may be interested to read the following piece that I wrote for my LLM. Enjoy:

Computer hacking, how best to solve it

With computers now such an integral part of society, computer-related crimes are inevitable and will evolve as quickly as the technology itself. The most well-known form of computer crime is "hacking"; basically this involves unauthorised access to a computer. Hackers themselves take a number of forms and as such have different motives for gaining access to these systems: the recreational hacker typically does so from his bedroom and may access systems just to have a look around or leave a "signature" (much like a graffiti artist). Others may have more disruptive motives, such as stealing information for commercial use or hacking in order to facilitate further offences such as identity theft or fraud. Such hacking costs UK businesses billions each year and is a major problem. It is in fact a problem that traditional criminal law has struggled to come to terms with.

On 29 August 1990 the Computer Misuse Act 1990 ('the Act') was brought into effect. This followed a Law Commission report on computer misuse and pressure on the government from businesses. This pressure was brought about because the UK was trailing behind its European neighbours in implementing such legislation, and this had the effect of stunting the growth of the UK IT industry.

Before the introduction of the Computer Misuse Act the law did not provide adequate sanctions for computer misuse; instead prosecutors had attempted to force such cases under a range of statutes, including the Forgery and Counterfeiting Act 1981, under which one of the most famous hacking cases was considered, R v Gold (1988) 2 WLR 984. Section 1 states that a person is guilty of forgery if he makes a false instrument with the intention that it should be accepted as genuine so as to prejudice some other person ('instrument' includes disks and tapes). The case was rejected under this Act because the hacking in question involved entering a BT employee's number, which did not constitute a disk or tape. Various sections of the Theft Act 1968 have also been applied to computer misuse offences, for example where a false statement has been entered in order to gain a payment to which the person was not entitled (see R v Thompson (1984) 1 WLR 962). Even the Criminal Damage Act 1971 has been used for instances of computer misuse. There is one major stumbling block here: the damage caused by computer misuse is mostly not 'tangible' (i.e. you can't feel or touch it; it has no physical entity). But in some cases applying the Act has been successful. In the case of Cox and Riley (1983) 83 Cr App R 54 the court found that according to the dictionary 'damage' meant "injury impairing value or usefulness"; hence damaging computer programs by hacking was brought under the Criminal Damage Act (see also The Mad Hacker (Times 25th May 1990)).

The Computer Misuse Act introduced three new categories of offence into UK criminal law: unauthorised access to computer material, unauthorised access with intent to commit a further offence, and unauthorised modification.

Unauthorised access is the basic idea of "hacking". The Act makes it an offence for a person to conduct an act which causes a computer to perform a function when, at the time, he possesses an intention to access a program or data held in a computer. The access must be unauthorised and he must know this at the time he makes the computer perform these functions, although under S1(2) the intent does not need to be directed at a particular computer or program (etc). It is interesting to note that the Act does not include a definition of a 'computer'; according to the Law Commission this is because such a definition would be:

"so complex, in an endeavour to be all-embracing, that they are likely to produce extensive argument"

Presumably the exclusion of such a definition also effectively 'future-proofs' the legislation by allowing changes to be made as technology advances. At present the definition of a 'computer' in the Civil Evidence Act 1968 is widely recognised as being the accepted definition: "any device for storing and processing information…".

The offences under Section 1 carry with them the potential of six months' imprisonment or a fine of up to £2000 (although there are time limits; see Morgans v DPP (1999) 1 WLR 968, DC). They are also the subject of much dispute. It is the view of many commentators that the offences under Section 1 are too wide-ranging; the Data Protection Registrar, for example, took the view that hackers who merely 'take a look around' should not be criminalised. In fact there is so much crossover with Sections 2 and 3 that many believe Section 1 to be useless, since pretty much every hacking offence will be covered by Sections 2 and 3 anyway. I am of the opposite view from many of the commentators: it seems to me that perhaps the most adequate method of legislating against such a complicated field as hacking would be to make the penalties for the lower offences, i.e. Section 1, harsher, thus discouraging people from starting hacking. This is also the point at which hackers are easiest to detect.

Section 2 of the Act covers unauthorised access with intent to commit or facilitate the commission of further offences. Much of the remit of this section had been covered by previous legislation, as mentioned earlier in this work, but the Act brings all of these into one location and ensures that everything is directly specific to computer misuse. Section 2(1) imposes criminal sanctions on a person who commits an offence under Section 1 and does so with an intention to commit or facilitate the commission of a further offence. Relevant further offences are those for which the sentence is fixed by law or where imprisonment may be for a term of five years or more. The access and further offences do not have to be intended to be carried out at the same time, and it does not even matter if the further offence was impossible. The requirement of 'intent' under Section 2 is what is known as 'ulterior intent', and by application of previous criminal cases it would not be enough to show that the person who gained the unauthorised access was reckless as to whether he was going to commit a further offence. The link between the Criminal Damage Act 1971 and Section 2 of the Act is unmistakable. Section 3(6) of the Criminal Damage Act states that it is an offence to gain unauthorised access to a computer with a view to damaging it. If a person were to be convicted under this section then they could also be convicted under Section 2 of the Act; this is perhaps an issue that should be tidied up and amalgamated into one piece of legislation.

During the drafting of the Act there was an attempt to add a defence for Section 2 offences, this being that the computer users had not implemented security measures. Other jurisdictions such as Norway already have such defences. Whilst the defence was not included in the Act at Section 2, the security measures idea was included at Section 17 in determining whether access was considered unauthorised. It would perhaps be prudent to add such a defence to Section 2 in an amendment to the Act or as a whole new statute. I would suggest adding the clause 'adequate security measures'; this would have the effect of forcing businesses to invest in and focus on computer security, which in any case would make life harder for hackers and would hopefully prevent hacking rather than punishing people for doing it.

Section 3 of the Act imposes criminal liability on a person who has done three things:

  • Causes an unauthorised modification of the contents of the computer.
  • Intends to make such a modification.
  • Knows that what he intends to do is unauthorised.

Needless to say, this Section must be read in conjunction with Sections 1 and 2 of the Act, as a person liable for an offence under Section 3 will also be liable for an offence under Section 1 or 2.

A modification is one which impairs the operation of a computer, or prevents or hinders access to a program or data or the operation of the program or data, or affects its reliability. It also includes alteration or erasure of any program or data held in the computer, or adding a program or data to the computer (for example adding a virus). There are a vast number of examples that I could use to illustrate unauthorised modification; for example, in Scotland hackers accessed the District Treasurer's computers, deleted the records of all people over 18 and eligible to pay the Community Charge, and substituted those of dead people in their place.

At present society in general does not see computer hacking as a particular problem; films and the entertainment industry promote characters who are often young and perceived in a Robin Hood-esque manner, attacking the massive "evil" corporations of the world. The reality is somewhat removed from this, with hackers often working with much more sinister motives. On top of this problem prosecutors face many others. Firstly, the difficulty in tracing offenders and gaining enough evidence in order to prosecute them; more often than not there is simply not enough backing to do this. Secondly, the reluctance of businesses to address computer misuse, which is normally for one of two reasons: 1) they do not wish to finance extra computer security, and 2) perhaps the most pertinent point, they do not wish to prosecute offenders as this would make public their computer security inadequacies. Finally, the Courts have for years struggled with outdated laws against ever-changing technology. Looking back at how previous legislation was shoehorned into use against computer misuse offences, it is remarkable that it took so long for the Computer Misuse Act itself to come to fruition, and given the speed at which technology advances it is equally remarkable that the Act has not been updated or amended. Whilst there are arguments for not changing statutes too frequently (i.e. with too many changes it is difficult to keep up with the changes in the law, for example the numerous Criminal Justice Acts), it has now been nearly two decades since the introduction of the Act. In that time we have seen the dot com boom and the rise of hacking to unprecedented levels. I am of the opinion that it is time for the Act to be updated, bringing into play new technologies such as mobile internet, stiffening sentences for Section 1-esque offences and also ensuring that the Courts themselves are educated as to the nature of these.
The best method of deterrence is to increase the number of convictions; this requires work with all of the prosecution services, including the police.

However, regardless of changes made to the current legislation, the law itself will never keep up with technology; it will always be one step behind, if for no other reason than that the criminal law is reactive rather than proactive. Therefore it seems prudent that businesses themselves are encouraged to ensure their own computer security is as tight as it can be; this is the best method of deterring hackers. Perhaps legislation could be introduced forcing businesses to reach an adequate level of computer security, although this is likely to be very unpopular amongst businesses due to the costs associated.
