Most people are now comfortable with the concept of “cyber crime” and know that “hacking is an offence”, but few people are really aware of precisely what the offence is and the potential sentences that are available. As computer crime, and indeed the use of computers in general, is a very fast-moving area, attempts at making legislation future-proof have been made and have failed. It is interesting to consider how the law has evolved in this regard.
That the law had failed to respond adequately to the growing use (or misuse) of computers was recognised in the 1988 case of Regina -v- Gold and Schifreen. That case is rather interesting and is demonstrative of the problems in attempting to shoehorn new offences into old legislation.
In the mid-80s, British Telecom offered a primitive computer communication system called Prestel. When the computer’s number was dialled, the telephone system connected the dialler to the appropriate Prestel centre. A subscriber, who had paid a rental charge, would then enter their identity number and password and gain access to their respective section of the database.
Robert Schifreen was at a trade show and watched a Prestel engineer enter his details – a username of 22222222 and a password of 1234. Although that sounds ridiculous, the risk of computer hacking then was absolutely negligible and, terrifyingly, 1234 remains one of the most popular passwords that people use (second only to “password”).
Schifreen, along with a friend of his called Stephen Gold, then thoroughly explored the Prestel system. They altered some data that they found and even gained access to the personal message box of the Duke of Edinburgh, Prince Philip, in which they left the witty message, “Good afternoon HRH Duke of Edinburgh”. Schifreen then sold his story to the Daily Mail and even made television appearances discussing his escapade.
Unfortunately for him, the Prestel computer network was used as a secure banking system for Nottingham Building Society and Bank of Scotland and was even used as a standby messaging service in case primary UK military computers were unavailable. It was suggested that the Prestel network could have been used to control and launch the UK’s nuclear missile stock. Predictably, the powers that be were not happy at the breach in security or at the pair courting the media spotlight in this manner.
GCHQ and MI6 became involved and decided to investigate Schifreen and Gold’s activities. The information passing through their modems was duly monitored, and it was quickly decided that it was in the interests of national security that they be arrested.
The prosecution were then left with a question: what exactly were the pair to be charged with?
It was decided to use a liberal interpretation of established statute to try to secure a conviction. The pair were charged with an offence of “making a false instrument” (under the Forgery and Counterfeiting Act 1981). When asked by the Court what the instrument in question was, the prosecution barrister explained that it was “the user segment”. Clear as mud.
The pair did not deny what they had done, but stated that their activities did not constitute the offence that they had been charged with. Nevertheless, they were convicted before a Crown Court where Gold received a £600 fine while Schifreen was slammed with a £900 fine. Hardly hung, drawn and quartered, they nevertheless appealed the convictions to the Court of Appeal, which agreed with their point of view that the hacking was in no way the making of a false instrument. The prosecution then appealed the matter to the House of Lords, which again agreed that no offence fitted their acts. The remarks of Lord David Brennan are worth considering:
“We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to have existed in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion that we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellant’s conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.”
Effectively, the Court was explaining that it was not for them to allow activity that appeared to be wrong, but which was not actually unlawful, to be made unlawful by an intellectually dishonest distortion of an ill-fitting statute. Parliament swung into action and, within 2 years, the Computer Misuse Act was passed and introduced three new offences into UK law:
1. Unauthorised access to computer material;
2. Unauthorised access to computer material with intent to commit, or facilitate the commission of, a further offence;
3. Unauthorised modification of computer material.
The vagueness of the Act is entirely purposeful. “Computer material” is not defined. Even the word “computer” is kept slightly broad – “any device for storing and processing information”. There is also no requirement in the Act for the intent to be directed at a specific program or file – it is enough to prove that the access was unauthorised.
The first type of offence, the simple “unauthorised access”, carries a maximum penalty of six months’ imprisonment and a £2,000 fine. The other two offences (intent to commit a further offence or modification of computer material) carry a more severe 5 years’ imprisonment and a £5,000 fine as the maximum sentences.
It must be agreed that these potential sentences are relatively small – the five-year custodial sentence being reserved for the most damaging and persistent of offenders. Somebody gaining control of the UK nuclear missiles probably won’t happen again, but still, serious harm (in a financial sense) could easily be the result of a prolonged cyber attack.
This position was recognised by the Terrorism Act 2000, which allowed for an action designed seriously to interfere with, or seriously to disrupt, an electronic system to be categorised as a terrorist action if both of the following conditions are satisfied:
1. It is designed to influence the government or to intimidate the public or a section of the public; and
2. It is made for the purpose of advancing a political, religious or ideological cause.
Clearly, potential sentences would depend on the actions of that hacker or hacking group but, as you can imagine, the potential sentences that the actions of a “terrorist” group would attract are far higher than those for the innocuous vandalism and protesting that such groups may think that they are perpetrating.
Given the actions of the hacking group called “Anonymous”, and their threats to the banking sector, law enforcement and legislature alike, how remote is the chance that they will be designated a terrorist organisation?