Tsunami 'hacker' conviction worries experts


The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee's fundraising Web site has left security experts leafing through the magistrate's decision to try and understand the full implication of the verdict.

On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Computer Misuse Act on the afternoon of New Year's Eve, 2004. He admitted attempting to access the Web site, which was collecting donations for victims of last year's tsunami.

During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access.

The defence also pointed out that Cuthbert had not attempted to defraud the site. Security expert Peter Sommer is concerned by the conviction.

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted," said Sommer, senior research fellow at the London School of Economics' Information Systems Integrity Group.

Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site.

As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

In making his decision, district judge Mr Q. Purdy said that the court would have to take into account Cuthbert's previous conduct when deciding whether he was guilty.

"This is not an infallible guide," Judge Purdy said. "If it was, there would be no first time offenders." But he indicated that as Cuthbert had no previous convictions and an "unblemished" record he would be inclined to find him not guilty.

This is thought to be the first time that a judge has indicated that — despite the letter of the act — knowingly accessing a system when unauthorised to do so is not necessarily a crime.

Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said.

Sommer backed up this point.

"The major problem was that he gave them an overly complex explanation which turned out not to be true, and involved them in a lot more work. That's probably why the judge didn't give him a conditional discharge, which was open to him," Sommer told ZDNet UK.

Sommer is now digesting the implications of the judge's ruling.

"There are a number of long term issues," said Sommer. "We've now got a very strict interpretation on how Section 1 works and how it might be interpreted in terms of an attempt. Some of the tests you might instinctively want to run to see if a site is valid may fall foul of a strict interpretation."

Sommer added that there are also public policy implications. "Once someone's charged, there's almost no defence. Is it in the public interest to prosecute people who haven't done anything very serious if you know they'll lose their profession as a result?"

"I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help," Sommer said.


Talkback

How is it that a free thinking society cannot voice their dissatisfaction constructively and effectively? I don't understand and I wish someone would explain it to me as if I'm a three year old.

This seems to be a perfect case to illustrate the point. Any security professional's blood should run cold at the mention of this verdict.

As such, I would expect more than simple grumbling or mild concern. Something more vocal and attention getting should be possible. Perhaps a one-day sick out of all security professionals in the area or nation. This would be much more effective in forcing a reconsideration of the verdict. The basic message is
"You need us to do what we do. Dan did this simply to protect himself and his contributions and you need to be very thoughtful in condemning him for doing his job. If you mean to proceed, consider this a taste of what's to come."

Seriously, I'm not sure how I could perform my duties as a security professional if it suddenly became unlawful to test security in a very passive manner. Please correct me if I'm wrong, but he didn't seem to employ any brute-force attacks or elegant procedures to check security at this site.

You've got to consider a more active stance or this will be only the first of many ridiculous rulings. Does anyone have a response or opposing view on this?

via Facebook 7 October, 2005 19:18

It sounds like the lawyer that represented him got him convicted. Would you throw a cop in jail for investigating a crime?
"If you see me laughing, you better have backups!"

via Facebook 7 October, 2005 19:24

"Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done"

That's called perjury!! So now anyone who changes their story is now guilty of whatever trial they're in. Swell.

via Facebook 7 October, 2005 20:03

Pretty scary to think that only a government-authorized security company can legally test a site's security or integrity. You can bet I'll be accepting no more contracts to verify ANY corporate networks. Let's hope the government will protect those industries when malicious hackers are the first sign that their network security was inadequate.

I guess we commoners should likewise not bother reporting security concerns to authorities either - we might be charged with invading the privacy of a terrorist!

via Facebook 8 October, 2005 02:37

If you warn a thief he's being looked at the thief will disappear and change his appearance. This conviction seems to have been based on ignorance. Where do we go from here?

via Facebook 8 October, 2005 21:04

A lot of fuss is being made about him initially lying about his actions.

But surely it is human nature to get scared at the heavy-handed response he was faced with?

After all, his livelihood was on the line even though he had done nothing wrong.

And it looks like he was proved correct.

Somehow I can't see this encouraging a helpful attitude from members of the IT community, it looks like the best response henceforth will be "I've done nothing wrong, and I refuse to say any more than that" - and then cite this case.

via Facebook 10 October, 2005 18:27

The situation has arisen due to the wordings of the statute. Section 1 of the Computer Misuse Act, 1990, considers an unauthorised access to a computer site as a crime if the person accessing the system “knows” that he is not authorised to access the site. The mens rea aspect has been incorporated in the form of “knowledge” aspect and that makes the concerned provision a “strict liability offence” unless the same is justified by law. For example, if an organisation or person is “legally entitled” to adopt “penetration test” as a mode of ethical hacking, then there seems to be no problem. The problem arises only when the person penetrating is not entitled to do so. In that case the provisions of section 1 apply harshly and there seems to be no justification for cursing the same. If the security aspects have to be tested or if the veracity of a site has to be checked, let the authorised person handle the same. If the person performing the penetration test is authorised, then there is no problem. If he is not, then the prosecution is the natural outcome.

Now coming to the conviction aspect, if the offender is a “first time offender” with no malicious intention (as in the present case), then the court must be liberal in his release either on probation or after due admonition. The offending act in this case is due to the language of the statute and whether a different provision must be made is a matter of policy decision by the Government that has to be decided by it in public interest. Till then the provision does not deserve to be criticised as the consequences were foreseeable.

via Facebook 10 October, 2005 19:29

An uneducated verdict. It will spell doom if quoted as a precedent. Must be challenged to ensure that this profession survives.

via Facebook 11 October, 2005 05:40

Just goes to show that like the majority of the laws passed by this government, it has little to do with actual wrongdoing and a lot to do with putting the mechanisms in place to protect themselves against future investigation.

via Facebook 11 October, 2005 11:00

The police need computer forensics experts, security audit professionals etc - they do not need "ethical" hackers or pen testers.

There is a difference - it is about time people started to understand this.

Does a forensic expert in DNA need to be able to commit a crime? Do police receive training in burglary?

Forensic Computing and Pen testing are not the same. Pen Testers who think they know about computer forensics without specialist training are delusional.

via Facebook 13 October, 2005 01:50

His biggest mistakes were, to be British, to live in the UK and not to have fleeced the fund of millions of pounds. Had he been any other race, in any other country, he could have got away with millions as our police and judicial system don't want to chase serious crime. Our police and judicial system looks for honest British citizens that make the odd petty mistake. Another thing that is worrying is that with the terrorism threat etc. any decent person would try to make justification for their actions after being banged up in a cell and interviewed by police that are trained in psychological skills and tend to note more of what they say rather than what the defendant says. What next, a conviction for getting a hole in your pocket and littering the pavement?

via Facebook 13 October, 2005 10:28

What is it that people here don't get?

When I was a kid I always got in more trouble for lying about my transgressions than I did if I came clean and admitted what I'd done.

This was fair as in general like most people the bigger the trouble I thought I was going to be in the more likely I was to try and deny my actions.

Cuthbert's excuse would have been more believable if it had been his first answer. The fact is he tried to lie and worm his way out of what is undeniably a questionable situation.

The only real messages the Judge has given to security professionals here are -

1) If you're going to try and use your knowledge of security for illegal purposes you might get caught so make sure you have a good alibi prepared up front and don't change it.

2) Don't go around testing people's locks unless they've asked you to.

via Facebook 18 October, 2005 07:10

It is interesting to me that unless you are a known thief, if you walk down a street trying doors - whilst suspicious and probably of interest to the police - you commit no crime, unless you take action thereafter to take advantage of any insecurity you find.

Doing the same over the internet appears to immediately criminalise the activity however. I suspect this speaks volumes for the lack of understanding and knowledge from many sectors of the law enforcement community in the UK, and of the judiciary. A truly stupid judgement which brings into disrepute the entire CMA.

via Facebook 14 November, 2005 14:37

I would love to work for computer forensics. Which is the best pad, public or private??

via Facebook 5 December, 2005 10:41