ANALYSIS
Concluding that the Act has, in most respects, stood the test of time, APIG has recommended that changes be limited to a specific new "denial of service" offence and tougher sentencing for the hacking offence under section 1 of the Act. The report also recommends a number of other initiatives to tackle new forms of computer-related crime such as "phishing" attacks and spyware.
Background
As readers will be aware, the CMA sets out three separate offences: unauthorised access to computer materials (section 1), unauthorised access with intent to commit further offences (section 2) and unauthorised modification of computer material (section 3).
The emergence of new forms of computer crime, in particular Denial of Service attacks, has prompted much speculation over whether there the Act needs an updated "Version 2" to keep pace with today's cybercriminals. APIG's review has also been prompted by a need to ensure that the UK is compliant with new EU rules and international treaty obligations.
A public hearing held in April heard evidence from the Internet industry, the wider business lobby, the Home Office and legal experts. Olswang partner Clive Gringras was among those invited to give evidence. Detailed written submissions were also presented to the hearing. Having assimilated the evidence, APIG announced its
conclusions in a report on 30 June. The report makes a total of sixteen recommendations, the majority of which relate not to the CMA but to other existing or planned criminal legislation and to other initiatives aimed at tackling Internet crime.
General approach
Underlying APIG's specific conclusions are the following broad themes and assumptions:
Despite new types of cybercrime activity "the world is not as different in 2004 from 1990 as some people seem to believe";Not every crime relating to computers needs to be dealt with by the CMA; andParliamentary time should not be wasted "gold-plating" existing legislation that already meets the substance of EU and international obligations.
Reforms to the Computer Misuse Act Recommendations relating to the CMA are as follows:
Creation of a specific "denial of service" offence: although APIG accepted the opinion of academics and industry experts that the majority of DoS attacks do already fall within the CMA offences, it recommends the creation of a specific new offence of rendering data "inaccessible" to encourage would-be criminals, and prosecutors, to take this activity more seriously. Analysing the application of the current law to different types of DOS attacks, the report acknowledges "it is… undesirable to have the illegality of an attack depend on the exact mechanism used." The new offence should carry the same sentence as hacking under section 1 of the CMA, with an aggravated offence where the DoS is part of more extensive criminal activity. The changes could be introduced either via a separate Bill amending the CMA or as part of a wider criminal justice bill.
Private prosecutions: a point made strongly by Clive Gringras and accepted by the Group was that the DPP should facilitate private prosecutions under the CMA to enable private companies to take action in cases which the police and CPS do not intend to pursue, whether through lack of resources or other priorities. The report points out that there is nothing in the current regime to prevent private individuals or companies from bringing such actions. A permissive policy from the DPP would, however, provide encouragement.
Increased sentences: the current maximum penalty of six months and/or a fine of £5,000 for the section 1 offence fails to reflect the serious consequences of hacking and should be increased to two years. This will in turn make the section 1 offence triable in a Crown Court and therefore extraditable, in line with the UK's obligations under the Cybercrime Convention. No changes are proposed to sentences for the more serious offences under sections 2 and 3 that already carry maximum penalties of five years and unlimited fines.
More effective policing: the report details numerous problems with the investigation and prosecution of CMA offences which it attributes to a failure by police "to meet expectations in the investigation of computer crime". It recommends implementation of recent international proposals to address these failings.
Talkback
The guys at <a href="http://www.halflifesource.com">Half-Life Source</a> were talking about this in their technology forum. Laws like cybercrime are mostly international and it should be an international law. This world is way behind the times.