MPs in the All Party Internet Group (APIG) have rejected calls for extensive changes to the UK's anti-hacking statute, the Computer Misuse Act 1990.
Concluding that the Act has, in most respects, stood the test of time, APIG has recommended that changes be limited to a specific new "denial of service" offence and tougher sentencing for the hacking offence under section 1 of the Act. The report also recommends a number of other initiatives to tackle new forms of computer-related crime such as "phishing" attacks and spyware.
Background
As readers will be aware, the CMA sets out three separate offences: unauthorised access to computer materials (section 1), unauthorised access with intent to commit further offences (section 2) and unauthorised modification of computer material (section 3).
The emergence of new forms of computer crime, in particular Denial of Service (DoS) attacks, has prompted much speculation over whether the Act needs an updated "Version 2" to keep pace with today's cybercriminals. APIG's review has also been prompted by a need to ensure that the UK is compliant with new EU rules and international treaty obligations.
A public hearing held in April heard evidence from the Internet industry, the wider business lobby, the Home Office and legal experts. Olswang partner Clive Gringras was among those invited to give evidence. Detailed written submissions were also presented to the hearing. Having assimilated the evidence, APIG announced its conclusions in a report on 30 June. The report makes a total of sixteen recommendations, the majority of which relate not to the CMA but to other existing or planned criminal legislation and to other initiatives aimed at tackling Internet crime.
General approach
Underlying APIG's specific conclusions are the following broad themes and assumptions:
Despite new types of cybercrime activity "the world is not as different in 2004 from 1990 as some people seem to believe";
Not every crime relating to computers needs to be dealt with by the CMA; and
Parliamentary time should not be wasted "gold-plating" existing legislation that already meets the substance of EU and international obligations.
Reforms to the Computer Misuse Act
Recommendations relating to the CMA are as follows:
Creation of a specific "denial of service" offence: although APIG accepted the opinion of academics and industry experts that the majority of DoS attacks do already fall within the CMA offences, it recommends the creation of a specific new offence of rendering data "inaccessible" to encourage would-be criminals, and prosecutors, to take this activity more seriously. Analysing the application of the current law to different types of DoS attack, the report acknowledges "it is… undesirable to have the illegality of an attack depend on the exact mechanism used." The new offence should carry the same sentence as hacking under section 1 of the CMA, with an aggravated offence where the DoS is part of more extensive criminal activity. The changes could be introduced either via a separate Bill amending the CMA or as part of a wider criminal justice bill.
Private prosecutions: a point made strongly by Clive Gringras and accepted by the Group was that the DPP should facilitate private prosecutions under the CMA to enable private companies to take action in cases which the police and CPS do not intend to pursue, whether through lack of resources or other priorities. The report points out that there is nothing in the current regime to prevent private individuals or companies from bringing such actions. A permissive policy from the DPP would, however, provide encouragement.
Increased sentences: the current maximum penalty of six months and/or a fine of £5,000 for the section 1 offence fails to reflect the serious consequences of hacking and should be increased to two years. This will in turn make the section 1 offence triable in a Crown Court and therefore extraditable, in line with the UK's obligations under the Cybercrime Convention. No changes are proposed to sentences for the more serious offences under sections 2 and 3 that already carry maximum penalties of five years and unlimited fines.
More effective policing: the report details numerous problems with the investigation and prosecution of CMA offences which it attributes to a failure by police "to meet expectations in the investigation of computer crime". It recommends implementation of recent international proposals to address these failings.
Reforms rejected: the report details a large number of other issues considered by the inquiry. Suggested changes to the CMA rejected by APIG included:
Definition of "computer" and other terms: the report concludes that the (intentional) absence from the CMA of definitions of terms like "computer", "data" or "program" has not caused difficulty in bringing prosecutions, and on the contrary makes them more "futureproof". It recommends leaving the courts with freedom to interpret these broad terms in line with the times instead of attempting to tie them down to specific contemporary devices.
Changes to reflect the Cybercrime Convention and EU Framework Decision: the report concludes that most of the Convention's requirements are already reflected in UK legislation. It opposes implementation of optional requirements to outlaw hacking tools because of the difficulties this would pose for legitimate users of such "dual-use" tools. The introduction of explicit provisions on DoS and the raising of sentences for hacking would address the other outstanding obligations. Regarding the EU's Framework Decision, the report notes a number of definitional "mismatches" between the Decision and the CMA but concludes that UK law meets the spirit if not the letter of the EU requirements. Parliamentary time should not be wasted on unnecessary "gold plating".
"Unauthorised access": some of the responses to the inquiry requested a tightening up of the current definition of "unauthorised access", which causes problems where some access is permitted and some is not. This was an issue in the 1997 case of Bignell, for example. It was suggested that changes to this definition could also assist prosecutions for sending spam email. APIG concluded that the issue does not create practical problems justifying such an amendment at present.
Introduction of security obligations: APIG rejected suggestions that the CMA be used as a mechanism to impose positive security obligations on those responsible for computers, pointing out that such obligations already exist (in respect of personal data) under the Data Protection Act 1998.
Extension to spyware and adware: the report distinguishes between spyware, the use of which may already constitute an offence under the CMA, and less malign adware. APIG rejects the idea of extending the CMA to criminalise adware but recommends further action by OFCOM (see below). The impact of existing data-protection legislation on these programs is not mentioned.
Other recommendations: Although the inquiry had as its focus the Computer Misuse Act, the report makes it clear that many of the weapons to combat current cybercrimes may lie outside the CMA in more general criminal legislation and through a range of other actions. APIG's other recommendations include:
Legislation on Digital Rights Management Systems: rather than attempting to "shoehorn" DRM systems into the CMA, the report calls on the Government to consult on specific new legislation in this area;
Measures to combat spyware and adware: the key legal issue relating to such programs is that of the user's consent (or lack of consent) to the gathering of his or her data. OFCOM should investigate this issue with a view to educating end-users and promoting codes of practice for software companies to improve awareness of, and reduce exposure to, the privacy risks posed by such programs. Consumer-protection legislation also has a role to play in ensuring that contracts are clear;
Raising awareness on the scope of the CMA: the report notes a "widespread ignorance of the current law" and the scope of activities which it already covers. It calls on the Home Office to promote awareness of the CMA via its website;
Fraud and misuse of trade secrets: many "new" crimes are adequately covered by existing legislation, or will be addressed by legislation already in the pipeline. For example, the Fraud Bill drafted by the Law Commission should be introduced as soon as possible. In particular, this would plug loopholes in the current offence of obtaining services by deception, which does not cover deceiving a machine. The Law Commission should also expedite its proposals on the law relating to misuse of trade secrets, to address current loopholes in the law relating to identity theft;
Security scanning: ISPs should take proactive measures to scan for vulnerabilities, and should develop best-practice standards in this area;
Reporting and statistics: the inquiry highlighted a dearth of statistics on cybercrime. The report recommends that the Home Office should undertake appropriate sampling to assist future policy formation.
The Olswang view
APIG's two key recommendations -- clarifying that DoS attacks are a crime and making private prosecutions simpler -- will help make the UK even more inhospitable for cybercrooks. APIG's pragmatic conclusions reflect Olswang's view that what is required in the fight against cybercrime is not only a change of law but a change of approach. The report implicitly recognises that the CMA is not a "silver bullet", but that it needs to be employed in combination with other existing and planned laws and other measures.
For more information on this issue please contact Clive Gringras, clive.gringras@olswang.com.
The information in this Update is for general interest only and readers should seek appropriate and specific legal advice before taking or refraining from any action.