LIMITS OF THE LAW IN RESTRICTING COMPUTER MISUSE
================================================
Peter Sommer
MA(Oxon), MBCS
Virtual City Associates, UK
This paper is designed to accompany a presentation to be
made on March 19th 1991 at Compacs 1991 at the London Hilton
Hotel.
In this paper I want to examine how much we can reasonably expect
the legal system to deliver to us by way of safeguarding
computers and what goes on within them. I will be doing so
specifically by looking at the process by which the UK Computer
Misuse Act of 1990 (CMA) arrived on the statute book and in
particular how the pressure for "computer crime" legislation
built up, the claims that were made during the lobbying process
and what the Act actually delivers by way of remedy to potential
victims. But I will also show what it does not deliver and
where all legislation of this type is doomed to disappoint.
I hope what I have to say will go beyond the parochial needs of a
British audience. In the end, the framing of laws has to be a
specific and practical exercise, not the enunciation of
generalised principles. "Computer laws" have to interrelate with
the rest of the law. In turn, all substantive law has to
interact with the facilities available by way of enforcement; and
that means looking at rules of admissibility of evidence,
policing, the prosecution service and the reality of the courts.
These considerations have been strikingly absent in most of
the recent debates about computer crime legislation wherever
they have been held almost anywhere in the world.
(c) Peter Sommer, 1991
Compacs '91/Sommer/Limits of the Law/ 2
Problem of public perceptions about "computer crime"
The first problem any proposal for a computer crime statute has
to cope with is public perception of the nature and extent of
computer crime. It is the perception of the problem rather than
the actuality which has such a profound influence on what finally
happens in the determining of public policy, in Parliament,
among law enforcers, and in board rooms.
While the broad public thinks there is a lot of "computer crime"
there turns out to be no agreed definition of what should be
included. Are we talking about anti-social activities in which
computer files are directly manipulated (there is surprisingly
little of that in the attested material in the computer crime
case books) or do we broaden it out to situations in which
computers are physically involved (in which case you also include
theft of computer hardware)? Should we be taking a strict
literalist approach - that the only computer crimes are
transgressions of laws which already mention the word "computer"?
This last provides a bit of a dilemma for pressure groups - how
then do you produce evidence for the need for a new computer
crime statute? None of these definitions is more "correct" than
any other - my point is the absence of any agreement as to which
to adopt. Parenthetically one can add that there is even less
agreement as to what "hacking" is - usage of the word varies all
the way from "computer enthusiast" (and with no under- or overtones)
to "computer criminal" and includes "explorer of computer
networks" and "recreational system cracker" along the way.
In the absence of any consensus, the definition of "computer
crime" can be made to do almost anything you want. If you are in
the computer security business, your marketing strategy must be
to go for as wide a definition as possible. You cheerfully
include all the large electronic funds transfer (EFT) frauds
because, although all the known examples rely on abuse of
(manually-based) authorities or simple impersonation and the
computer systems centrally employed have never been compromised,
the sums involved are always in the millions. On the other hand,
if you are the head of a police force faced with ever more
insistent demands for greater efficiency in all areas of your
remit coupled with complaints about the growth of your annual
budget and the poor quality of your manpower, there is a lot to
be said for claiming that computer crime (on a restricted
definition) is only a tiny problem.
The lack of an agreed definition also means that all computer
crime statistics are nonsense - no one knows what is being
measured. Of course the problem with computer crime statistics
goes far beyond that - once you have your definition, how do you
reliably collect your data? The official crime statistics
reflect breaches of specific statutes and common law offences,
not modus operandi. How do you assess unreported crime? We
don't have even the beginnings of an idea of how much of white
collar crime in general goes unreported; this is currently one
of the great gaps in modern criminological research.
The difficulty with computer crime statistics gets worse when it
comes to estimating the costs of computer crime. What do you
include - sums actually lost, sums the subject of failed
attempts, sums "at risk" (the phrase used by the police fraud
squads, though with no agreement as to whatever that means),
consequential losses (but then how far down the line of causation
do you go?). Again, there is no "correct" answer.
None of these obvious problems have prevented otherwise
respectable organisations and individuals from associating
themselves with quite definite figures. The Confederation of
British Industries, the leading employer's body in the UK,
throughout 1989 and 1990 kept on quoting the figure of £400m,
though what this represented - "computer crime" or "hacking" -
tended to vary. Pushed hard, they acknowledged they
themselves had done no research but said the figure they had came
from the London Business School. Enquiries at the library there
showed no LBS-sponsored work; I think I have tracked the
"statistic" down to a press release from a corporate security
company called Saladin, who took advice from an LBS
staff-member, but the research, if it exists, remains unpublished.
The Department of Trade and Industry, in figures released just
before the Second Reading of the Computer Misuse Bill in February
1990, said they had verified 270 computer crime incidents over
the previous five years, of which only six had been brought to
court. Enquiries of the DTI showed that they had conducted a
"survey of surveys" - and no, they couldn't offer their working
definition of what they were measuring.
A convenient get-out for those who have intellectual doubts about
the figures they quote is the use of the impersonal passive
voice: "it is estimated". And if pressed, respond not by
explaining statistical methods but by producing a lurid anecdote
and/or forecast.
A very important component in the formation of public perception
has been the role of media reporting. There is an inevitable
bias in the newspaper and television coverage of anything
towards the unusual - computer crime is no different, except
that, with a few exceptions, the level of verification seems to
be lower than for most stories except perhaps those alleging
scandals among TV soap stars. Among the lazier sort of
journalist, the premium is to get a story which conforms to
stereotypes they have already accepted. I have received the
request "Get me a hacker, the younger the better," from more than
one mass circulation daily newsdesk. A related bias is that the
"experts" quoted are those who are prepared to make the most
outrageous claims and forecasts. The "expert quote" in fact
provides the reporter with an alibi or makeweight for an
otherwise dubious story. It takes courage for an expert in the
contacts book of a national newspaper's newsdesk to forswear the
opportunity of a free appearance in print by killing off a story
which he knows does not make sense.
Any examination of the actual case material from first-hand or
near-first-hand sources as opposed to the clippings libraries of
the national media - and there is now over twenty years of it -
shows that standards of scholarship in the reporting and
analysis of computer crime are abysmally low - but that is a
subject for another paper.
Yet again, sensational claims made by prosecutors and police at
the beginning of trials are news; the failure eventually to
produce evidence for them is usually not. This is a repeating
pattern: we saw it here in the UK in the Prince Philip Prestel
case, in Germany with the Chaos Club/KGB hackers affair and we
have seen it as recently as the end of 1990 in the USA over
Operation Sun Devil and the Legion of Doom. There are still
people who believe that in 1985 New Jersey hackers were able to
move satellites in space, all based on prosecutor claims that in
court were shown to have been the result of hysteria and
ignorance.
I have spent some time talking about public perceptions because
one of the things that new legislation can never do is remedy
situations which substantially do not exist, at least in the
forms in which the public have come to believe. There is one
exception to this to which I will return at the end.
Perceptions about "computer law"
The misperceptions about computer crime are accompanied by
another one - that you need specific new laws to tackle the
generality of computer-related crime. There is a wealth of
obvious rhetoric about the sloth of law reform and the
unworldliness of lawyers, not all of which is justified. So the
"logic" is complete: we have a radically new area of criminal
activity called computer crime, committed by a new class of
person - the computer criminal or hacker, and for which,
obviously, completely new laws - computer crime laws - are
required. Most of the rest of this paper will show the false
directions in which this logic has led us.
In fact, the "logic" is easily broken down. In its Working Paper
110 published in September 1988, the English Law Commission
(ELC), the official body concerned with reviewing and
recommending law reform, examined Computer Misuse and listed out
the areas where existing English law already delivered remedies.
These included: the Theft Acts which cover both routine street
crimes and fraud and are the means by which most electronic funds
transfer frauds have been prosecuted; Conspiracy, a complex
concept in English Law the essence of which is two or more people
working together for an unlawful purpose; Demanding Money with
Menaces, the actual charge in most cases of blackmail and
extortion; Criminal Damage, which covers the intentional or
reckless damaging of property and which applies in some but
perhaps not all computer situations (we will return to this
matter); Offences Against the Person, which include physical
wounding, manslaughter and murder, which would presumably apply
if computer-run machinery were maliciously directed to attack
an individual; Official Secrets, which covers access to
government computers (the only offenders actually charged have
been policemen doing favours for friends or, in one case, trying
to win a competition at a gasoline station); Forgery and
Counterfeiting, which applies to the forging of mag stripe cards
and other authenticators (there are limitations to this which
will also be examined later); there are also limited criminal
sanctions available in the Copyright Acts.
The English Law Commission found some loopholes and exceptions
which I will examine later, but what they showed in an
authoritative and compact form was what was evident to anyone who
had studied the case-books of British computer crime. That is:
that nearly all of the activity that one could include in a
definition of "computer crime" was not only punishable within
existing English law, but that there had been any number of
convictions.
The process of law reform
Working Paper 110 enraged those who wanted tough legislation.
The Law Commission had produced a list of technical reforms
throughout the penal calendar but, on what many had persuaded
themselves was the central issue - a new offence of "unauthorised
access to a computer", the Commission was agnostic, asking for
evidence that any action was necessary.
The English Law Commission had not been the first to comment on
computer law reform. England and Scotland have separate
though similar legal systems and the Scottish Law Commission had
produced a consultative paper in 1986 (which incidentally
contains a useful summary of international legislation) with a
final report following in 1987. The SLC had recommended a new
offence of unauthorised access to a computer:
1 (1) A person commits an offence if, not having authority
to access a program or data stored in a computer, or to a
part of such program or data, he obtains such unauthorised
access in order to inspect or otherwise acquire knowledge of
the program or data or to add to, erase or otherwise alter
the program with the intention -
(a) of procuring an advantage to himself or another
person;
(b) of damaging another person's interests
(2) A person commits an offence, if not having authority
to obtain access to a program or data stored in a computer,
or to part of such program or data, he obtains such
unauthorised access and damages another person's interests
by recklessly adding to, erasing or otherwise altering the
program or data
To many English lawyers the tests for proof seemed to be too
vague to be practical and left too much to judicial
interpretation.
But what had really stimulated English demand for legislation was
the case of R v Gold & Schifreen, which in 1988 had gone to the
highest court in the land, the House of Lords. Gold and
Schifreen were two out of four hackers who had penetrated British
Telecom's public access database service Prestel in 1984. They
had not employed any great skill in doing so but had exploited
the fact that British Telecom had broken almost every rudimentary
rule in the computer security book. The system manager had an
obvious password (it was discovered by accident and not as a
result of any clever password-cracking program), the test
environment had a password which showed on its log-in page, and
the test environment contained live data. When the hackers
contacted BT they were quickly told the problem was under control,
though in fact the hackers could soon tell it was not.
Eventually the hackers gave the story to the press and BT's
reaction was to "get" the perpetrators. One can only speculate
on what might have happened had the hackers gone to an upmarket
paper instead of a popular one, the Daily Mail. Perhaps we would
have seen high-level sackings in BT rather than the launching of
expensive traps to catch the message-bearers.
Gold and Schifreen were caught after their telephone lines had
been monitored; they were charged under the Forgery and
Counterfeiting Act, 1981. This was, to say the least, a
prosecution experiment as this act had never previously been used
in such a case. No charges were preferred under such easier
headings as theft or conspiracy to defraud - many of us still
don't understand why. The legal problem for the courts was that
whatever they had done wasn't forgery, which in English law
requires that an "instrument" be forged - typing characters into
a computer which then immediately accepts them does not create an
"instrument". This was the point that actually pre-occupied the
House of Lords.
To the lay public, however, the House of Lords seemed to be
saying that anyone can "hack" and get away with it. The English
Law Commission had started work before the Gold and Schifreen
judgement but had delayed publication of its working (that is,
initial consultative) paper until the result was known.
The Confederation of British Industries and the member of
parliament who was to become the strongest advocate of tough
legislation, Emma Nicholson, felt deep disappointment at the
double blow to their perceptions of the "computer crime problem".
People began to speak of English law as providing a Hacker's
Charter. Emma Nicholson introduced an Anti-Hacking Bill in 1989
under a "no hoper" procedure which meant that while it had no
chance of becoming law it would get some publicity, perhaps for
future legislation which would then have proper backing. The
Bill contained phrases picked up from the Scottish Law
Commission's proposals but also sought to cover electronic
eavesdropping of VDU radiation, a subject which had recently also
captured public imagination. The Anti-Hacking Bill was deeply
impractical but served its main purpose of heightening public
interest, not to say hysteria, in the subject.
In the meantime the English Law Commission was preparing its
final report, and was subject to very heavy lobbying to change
their previously agnostic position. The final report came out
in record time, six months after the ending of the formal
consultative process following its Working Paper. Published in
September 1989 the ELC proposed three new offences, all to do
with "unauthorised access to a computer". Unusually for them,
and as a result of the short time available for report writing,
they included no draft bill, just a set of ideas. We will examine
these in detail shortly.
The conservative government felt unable to make immediate room in
its legislative plans for any new bill along these lines. There
is a procedure by which back-bench MPs can enter a lottery for the
right to introduce a bill which then has considerable chance of
getting on to the statute book. One such successful MP, Michael
Colvin, agreed to take the bill on. In the absence of official
help, he received informal technical support from the Department
of Trade and Industry (who do not normally handle criminal
legislation) and also from the "tough laws needed" lobbyists.
It became very difficult for those who dissented to appear as
anything other than "soft" on computer crime. Start talking
about the existing law in any detail and your audience thought
you were using your cleverness to obscure both the truth and your
"real" agenda. Begin querying the validity of the statistics and
the veracity of some of the anecdotes and you were soon told
(a) the information came from sources that couldn't possibly be
made public and (b) all respectable people "knew" what was
happening anyway. What "computer crime" was, how it related to
"hacking" and how all of this related to what the proposed
legislation purported to do became steadily less and less clear.
In fact, what we had was all the classic symptoms of popular
moral panic on a par with fears about rock 'n' roll music in the
'50s, psychedelia in the '60s, trans-sexual glam-rock in the '70s,
acid house parties in the late '80s and youth-rebellion clothing
styles anytime in the last forty years.
The new law
What had happened was that the English Law Commission had
forgotten the general guidelines for law reform that it had
originally set itself and which in turn had been handed down from
the Home Office back in 1982, that:
* the behaviour is so serious that it goes beyond what it
is proper to deal with on the basis of compensation as
between one individual and another and concerns the public
interest in general (that is, civil procedures are not
enough)
* criminal sanctions should be reserved for dealing with
undesirable behaviour for which other, less drastic means
of control would be ineffective, impracticable or
insufficient
* a new offence should be enforceable
The Bill, and now the Act, has a superficial elegance. There are
three computer misuse offences - section 1: "unauthorised access
to computers and/or computer material", section 2: "unauthorised
access with intent to commit or facilitate the commission of
further offences" and section 3: "unauthorised modification of
computer material". The last of these is intended to catch
designers of logic bombs and viruses. The section 2 offence
is concerned with attempts, involving computers, to commit
further serious offences, such as theft or blackmail. If you have
prepared to commit such an offence but have been unable to
complete the deed, you can be charged under Computer Misuse.
Section 2 and 3 offences attract penalties of up to 5 years in
prison.
Section 1 is the one that aims at "hacking": for a prosecution
to be successful, it must be shown that the person secured access
to a program or data, that the access was unauthorised and that
the perpetrator knew that the access was unauthorised. However,
there is no need to show that the unauthorised access was
directed at any particular bit of data, or program, or even any
particular computer. This section attracts a maximum penalty of
six months. Section 1 may also be used where there is
insufficient evidence to catch an offence under sections 2 or 3.
The Act also attempts to address the problem of international
computer crimes - where computer connections are made across
several national boundaries. In this it anticipates what needs
to be done to cover the growing problem of international fraud of
all kinds.
Closer examination, though, removes much of the initial gloss. To
take the three principal offences in reverse order: Section 3 -
unauthorised alteration of programs and data - was introduced to
overcome a supposed gap in the Criminal Damage Act of 1971 which
was thought by some academic lawyers not to be easily applicable
to "data", data not being "property". In fact there had been
successful prosecutions involving altered computer data - by
showing that the consequence had been damage to some physical
property - Cox v Riley in 1986. (In that case it was program
instructions for an electric saw which had been deliberately
altered). Criminal damage was the charge in two recent logic bomb
cases - R v Tallboys in May 1986 where a prank by a former
computer employee of Dixons went wrong and R v McMahon, which
concluded at Isleworth Crown Court in January 1988. Moreover as
the Computer Misuse Act was passing through its final stages in
the House of Lords (this time acting as a Second Chamber to the
legislature and not as a final Court of Appeal as in the Gold and
Schifreen case) a "pure" hacking case - that of Nicholas Whiteley
- was successfully concluded with a Criminal Damage conviction in
the precise circumstances that the Law Commission had thought
might not be possible. What we are left with now, though, is
not duplicated legislation but weakened legislation. For the
Computer Misuse Act now forbids the use of the Criminal Damage
Act in cases involving unauthorised access to data. In future
these cases must be put through the tests required of the
Computer Misuse Act, that is, that there must be access to
something which is not precisely defined in the legislation,
namely a computer, and that such access must be unauthorised. I
will return to this matter in a moment. What this also does is to
remove from the prosecutor the opportunity to attack reckless
behaviour. The Criminal Damage Act penalises both those who act
deliberately and also those who act with a reckless disregard of
the consequences - "I was just typing the words DEL on the screen
to see what would happen and had no idea that files would be
deleted..." The end effect of section 3 is to weaken what we
had before.
Section 2 - unauthorised access for the purpose of committing a
serious criminal offence looks stern stuff. But it always has
been an offence itself to attempt to commit an offence, even if
the substantive offence remains uncommitted. It is only by a
minuscule sliver that section 2 alters any requirement for the
standard of proof in establishing when such an attempt has taken
place. Section 2 is a makeweight.
With section 1, the simple "unauthorised access" offence, the ELC
had problems. First, they recognised that there were serious
arguments whether these actions should be criminalised at all, as
opposed, say, to making them a civil wrong like trespass to land.
(There is still no equivalent of trespass to a computer). In
making it a criminal offence it was clear that heavy punishment
was not appropriate (though in fact the Act doubles the penalties
the ELC proposed). The ELC spoke of the offence setting
society's mark of disapproval on such activity. The trouble is
this clashed directly with the principles for the justification
for the introduction of new crimes which they had set themselves.
In the UK, as in most countries, police powers of enforcement
tend to be directly related to the penal levels specified for an
offence - the more serious the offence the greater the freedom
the police have to seize potential evidence and
suspects without getting permission first; for most purposes
this is enshrined in the 1984 Police and Criminal Evidence Act.
The unauthorised access crime was not a "serious arrestable"
offence so, despite lobbying by Emma Nicholson, police powers
were limited, though they still exceed the usual PACE criteria.
British industry has no idea under what threats it would have
operated had Ms Nicholson and her colleagues had their way. For
powers of seizure of evidence are not limited to those computers
belonging to alleged perpetrators. In fact the domestic and
small PCs owned by most "hackers" are unreliable sources of
admissible evidence. Often the really useful material comes from
computers owned by the alleged victims and from within any other
computers used as part of the network journey from the alleged
perpetrator to the alleged victim. Under Ms Nicholson's
proposals, a police constable armed with a warrant from a lay
magistrate (respectively the lowest rank of policeman and the
lowest rank of judicial life) would have been able to march into
any company and seize all data, software and hardware that was
deemed necessary for the investigation in hand. The threat
hasn't entirely vanished under the present legislation, but
higher ranks of policemen and a High Court judge must be
involved. Those who think this is a theoretical concern should
examine the US Operation Sun Devil in which 44 separate raids
took place at the end of which there were three limited
convictions and large numbers of quite innocent computer owners
carrying heavy losses because federal authorities acted
foolishly, even hysterically, but within their legal powers.
In any event, section 1 of the Computer Misuse Act is all but
unenforceable, a matter to which I will come back a little later
on.
Let me now return to two matters common to all three clauses -
that access must be shown to be "unauthorised" and that there
must be a "computer" involved. Does this include the secretary
who uses her word-processor in the lunch-hour (she's altering
data so this is a section 3 - five years maximum penalty -
offence)? What about the neighbour to whom you loan your house-
keys and who, because her washing machine has broken down,
borrows yours? The washing machine has a chip and ROM inside it.
Another possible section 3 offence. Or the auto mechanic who
offers you a new performance-boosting chip to add to your
vehicle's engine management system? Section 3 again. Even
private use of a company's PABX may be drawn into the Computer
Misuse Act. Of course that was not the intention, but I can see
no reason why the words shouldn't be made to apply.
So what we have is an act weaker in one important effect than the
legislation it was supposed to correct, new police powers of
seizure which potentially can have many innocent victims and
which introduces at least as many uncertainties in interpretation
as it claims to have solved. Matters do not end here, though.
What the Act left out
In its 1988 Working Paper the English Law Commission had
highlighted a number of defects in the existing law and others
had been noted during the public debates. I can't deal with all
of them here, but there are some matters which should be
identified.
Deception
The first of these is deception which is covered in sections 15,
16 and 20(2) of the Theft Act 1968 - obtaining goods or services
by deception. The general view among lawyers is that it is only
humans that can be deceived - not machines. The Law Commission
identified the problem in its Working Paper 110 but in their
Final report said that they would have to look at the matter
again sometime in the future. Interestingly enough, an extension
of the law of deception would "solve" many of the simple
unauthorised access cases (including the situation in R v Gold &
Schifreen) in that the usual consequence of unauthorised access
is that computer and database services are thereby obtained.
Admissibility of Evidence
The second important defect in the existing law relates to the
rules of admissibility of evidence of computer-based materials.
It is no good having substantive laws if it is difficult to
produce evidence in a form which is acceptable to the courts. A
number of lawyers believe that the current rules, which are set
out in section 69 of the Police and Criminal Evidence Act, 1984,
can in some circumstances become unworkable. The problem is
this: before evidence can be introduced the court requires a
certificate to say that the computer has at all times been
behaving normally. If the modus operandi of a crime has involved
making a computer behave abnormally (for example by writing to
files directly outside their usual application or by violating
the operating system or access control package) then it looks as
though no evidence from that computer can be admitted.
Information Theft
At the heart of the concern many people have about computers is
the amount of information they hold and process - and the
consequent risks if such information is stolen. Indeed this was
one of the most frequently cited arguments for unauthorised
access legislation. In English law information as such cannot be
stolen, though the medium upon which it is held - a piece of
paper or a floppy disk - can. Although there have been a number
of attempts to make information "a thing capable of being stolen"
so far none of them has succeeded. The difficulties should not be
under-estimated - which categories of information should be
protected; how would you test for each category (is it enough
for an originator to label a document "secret" or should there be
some objective measure?); should there be a "public interest"
defence? The problems with using an offence of unauthorised
access to a computer as a substitute are: you confuse the means
with the substance, you run the risk of drawing people into the
ambit of the crime who are not actually stealing information and
who are not causing any readily identifiable social harm, you
are omitting instances of information theft which do not involve
computers such as stealing print-based documents.
A more direct approach to information theft would also provide a
route to tackling another of Emma Nicholson's concerns - the use
of equipment to eavesdrop on radiation from VDUs.
Law Enforcement
There is little point in placing new crimes on the statute book if
the means to enforce them does not exist. "Law enforcement" is
much more than looking at the quantity and quality of police
officers available in any one specialisation. In the UK, the
decision to prosecute is usually made by the Crown Prosecution
Service. (Different procedures apply for serious frauds which are
then handled by the Serious Fraud Office). The whole process is
as follows:
* a victim decides to report a crime
* reasonable levels of evidence are believed to exist
* the police make enquiries
* the police make a report to the Crown Prosecution
Service
* the Crown Prosecution Service decide that there is a
case which they have a reasonable chance of winning
(that is, better than 50/50)
* the case is presented in court, the skill involved
depending on the lawyers employed
* depending on the seriousness of the offence either a
judge alone or a lay jury advised by a judge have to
understand enough to be able to convict
In most other countries there is a similar set of hurdles.
The present position in the UK is that there is only one Computer
Crime Unit, which is attached to the Fraud Squad run jointly by
the Metropolitan and City Police forces. Its size varies from
four to five officers. Since these are always drawn from the Met
side of the partnership they are on three-year tours of duty,
though one officer has managed to hold on longer. The Met has a
philosophy of the "all-round policeman" and eschews the setting
up of permanent élite squads. The highest ranking officer is a
detective inspector, the third lowest rank in the force. There
is a twenty-day course in computer crime methods run at the
Bramshill training college. Fewer than 100 officers out of the
total 145,000 policemen and women in England and Wales have ever
been through it. (When I became an MBCS (Member of the British
Computer Society) I did so via a route which recognised that I
had neither passed any of their examinations nor had a university
degree in a relevant subject - mine was in law. The BCS expects
people like me to be able to show 10 years of industry experience
instead - and this is simply to call yourself a computer
professional.)
The Computer Crime Unit has scant funds to employ external
expertise. In some "hacking" cases it has been able to rely on
the goodwill of British Telecom, but BT will only act where it
thinks that its own networks or resources have been violated or
threatened and the relationship deteriorated during the 1990
Nicholas Whiteley (Mad Hacker) case.
Since October 1986 the police have ceased to be the prosecutors
of crime as well as the investigators. That reform was
introduced to prevent too many fitted up or forced confession
cases getting to court. Prosecution is now handled by the Crown
Prosecution Service. But the computer crime coppers, whose
training has not equipped them to understand the full range of
criminal sanctions that might be available (and why should it?),
have lost easy access to friendly lawyers who might help
them frame charges sensibly. The CPS is currently, on its own
figures, 23 per cent understaffed, with a greater problem in
London. They are under great pressure and morale is low.
What about the Serious Fraud Office which handles frauds above £1
million in value? It has 20 lawyers, 17 accountants, a support
staff of 25 and 20 City of London police officers on secondment -
and who are therefore not immediately available for other City of
London policing work. The current work load is around 70 huge
frauds, many of which will take years to work their way through
the courts. By chance, rather than design, it had one senior
officer who was extremely interested in computer crime. But he
had other work also, not the least of which is the use of
graphics computers to clarify complex frauds to lay juries. He
is now in the private sector.
Here is another aside: the SFO came into being in the wake of
the Roskill Report on trials for complex fraud. Roskill
recommended the use of specialist juries; this was rejected,
for reasons which I accept, but no additional resource has ever
been provided to help the SFO with the additional problems of
describing the arcana of, say, the insurance world, to men and
women democratically plucked from the voting lists.
These are simply the first hurdles; we are only just beginning
to see a sufficient body of barristers literate in computers.
Police role in white collar crime
Yet it is too easy to blame "the police" for what appears to be a
poor response. The policing of computer crime is simply one item
in a very long agenda of what the public expects of the police.
What is interesting about computer crime is that it highlights
many of the inconsistencies in public attitudes towards the
police. We are only willing to spend a limited amount on them;
we are only willing to accept a certain density of police
officers per hundred thousand of the population. Here in the UK
the police originated under Sir Robert Peel in a desire for safer
streets and public order. It is clearly important to the public
at large that the police are seen "walking the beat". We
apparently suspect the idea of élite squads and we resist the
idea of a national force.
Yet this same group of people are expected to cope with the
social and technical complexities of white collar crime. We
wouldn't tolerate any "walking the beat" looking for possible
infractions of the law in our offices and board rooms, yet in
terms of street crime it is this "walking the beat" which is
understood to have a powerful preventative effect. None of us
have really thought through our expectations of the role of the
police in a world where, for each of the last 15 years or so
there has been a 1 per cent transfer from blue collar to white
collar activities and presumably some considerable associated
increase in the opportunities to commit white collar type crimes.
One cannot look at "computer crime", on any definition thereof, in
isolation from these factors.
Making the Case
We must now examine in more detail how well the new Computer
Misuse Act offences will stand up to the rigours of having to
make a case in court. Leaving on one side the particular
hazards of the PACE s69 rules of admissibility in evidence and on
another side the question marks of the extent of actual police
resources, we have to ask ourselves what typical cases will
look like in court. I want to concentrate on the two situations
which most excited people during the run up to the passing of the
CMA - hacking (in the sense of unauthorised access unaccompanied
by any further activity) and viruses.
The chief practical problem in any investigation of "hacking" is
that perpetrators don't use their own names; further, a mere
"confession" unaccompanied by any other evidence is unlikely to
be sufficient. The investigator first has to show that "access"
has taken place. It may not be enough to show that a given
suspect has material in his possession that has come from someone
else's computer - the files may have been collected by some third
party and a copy of them given to the suspect on diskette; the
prosecutor has to prove all the network connections; in many
cases it will be necessary to catch the perpetrator in flagrante
delicto. Now we know this can be done - here in the UK it was
done in the case of Gold and Schifreen and again in that of
Edward Austin Singh. Cliff Stoll wrote in The Cuckoo's Egg how
he did it to members of the Chaos Computer Club. There are
plenty of other examples. They all have a common feature - it is
very time consuming and expensive. You require lots of
monitoring equipment, a number of skilled technicians
(individuals like Stoll who did what he did out of intellectual
interest and not for a consultancy fee are rare), extensive co-
operation between police, companies, institutions, and
telecommunications suppliers. That co-operation must often
extend across national borders. In addition you have to have
teams of police standing by to pounce when told by the
technicians that the time is right. Investigation costs can
reach £500,000 ($1 million) quite effortlessly.
No sensible police force in the world can justify that amount of
cost and effort for a crime the normal punishment for which is a
fine and for which the maximum penalty is six months.
Let's now look at viruses. No one knows where most viruses come
from. There is no knowledge of the originator even at an
anecdotal level. Very occasionally if the virus is unique and
distributed on a disc there is the possibility of physical
forensics, that is, locating the supplier and hence the purchaser
of a particular batch of diskettes. I have no specific knowledge
of that case, but one possible example is the Panama "Aids"
virus which was allegedly partially distributed on diskette via a
mailing list supplied unwittingly by a magazine. But this is very
much the exception. There is another route back to a perpetrator
- if the virus is accompanied by some blackmail or extortion
threat. Here the criminal can be tracked down by the money
collection method - which is the weak point of most attempts
at demanding money with menaces. Again, some reports about the
Panama "Aids" virus allege that this is what happened there.
But for the overwhelming majority of PC and Mac-based viruses
these routes do not exist - and there is no law one can envisage
that will overcome the fundamental problem of anonymity.
Perhaps I should raise one further situation - where the designer
of rogue code decides things have gone more wrong than was
intended and decides to alert potential victims. This is what
happened with Robert Morris and the Internet worm. Now - where
does the public interest lie? Do we believe that the existence
of an "anti-virus" law deters potential offenders in a useful
way, or are we worried that a successor to Morris might say: "I
didn't want things to go this far. However no one yet knows
about me; anything I do to minimise the effects of my rogue code
is likely to lead to my identification and I may then be
punished."
I have no easy answer to this conundrum but ask you to identify
it as yet another limitation of the powers of the legal system to
solve problems of computer security.
The role of law as a deterrent
At this point some people will say that I am mistaken, that the
very existence of a law on the statute book, even if it cannot be
readily enforced, does act as a deterrent to the majority of
people. In fact this was the justification the Law Commission
produced for section 1 of the CMA. At the press conference on
the day their final report was published they spoke of setting
the mark of society's disapproval on such activity.
I am not sure that the position is anywhere nearly as clear as
that. People break laws all the time, particularly if they can
convince themselves that they are not "really" doing any harm.
This is certainly true of many road traffic offences such as
parking on yellow lines and exceeding speed limits. On the
other side, there are a number of instances where people feel
constrained from an activity which is not illegal but is
considered unethical - eavesdropping on a conversation which the
participants regard as private is one example.
In other words there is no absolute correlation between the fact
of illegality and a sense that certain activities should be
restrained.
It might be helpful to recall what happened here in the UK 14
years ago over Citizens Band Radio, another technological hobby
with outlaw connotations. Brits holidaying in the USA discovered
the possibilities of a low-cost general purpose mobile radio
service, imported the equipment and started to use it. In the
UK this was an offence under the 1949 Wireless Telegraphy Act.
The craze grew and grew and officials tried, with scant success,
to make arrests. A campaign for a legal UK CB started;
eventually there were almost 500,000 illegal sets in use.
After a while, a UK CB license became available - and within six
months the craze was effectively dead. Is it possible that it
was, among other things, the illegality of the activity (coupled
with the lack of any real danger of getting caught) that was the
substantive attraction?
Again, I make no final judgement, other than to say that the
existence of a crime on the statute book may not have the
intended effect.
Conclusions
Some of what I have said may suggest that, as a result of
particular incompetence by the English Law Commission,
parliamentarians and police we have a poor computer crime law.
If that is the impression which you take away then I have not
made myself clear.
I think I have shown that for some of the highest profile
computer crime activities, no law is going to provide any sort of
substantive solution because, at a practical level, investigation
and evidence-gathering is either too expensive and difficult in
relation to the wrongs victims might suffer or is completely
impossible. For such activities as classic hacking and virus-
writing we should forget about the law and concentrate on
preventative measures.
For the rest of the activities that help to make up the
statistics of computer crime, I wonder how far it is useful to
talk about computer crime at all. As I also hope I have shown,
most such activity is conventional crime - chiefly fraud,
extortion and criminal damage - which happens to involve
computers. Talking about "computer crime" lumps them all
together - and with hacking and virus-writing. But each one of
these activities has different risk factors, different modus
operandi and different preventative methods associated with them.
By the same token, I am not sure that it is useful to talk about
"computer criminals" as though they all showed the same features.
A computer fraudster is surely best understood within the context
of other types of fraud; the extortionist who locks legitimate
users out of a computer and demands a fee to rectify the
situation is best comprehended along with other blackmailers.
Network adventurers may be technological pranksters and cause
harm along the way, but they have little in common with any
other sort of criminal.
This misunderstanding leads many computer-owning companies to
have a wholly distorted view of the risks they face. If you
don't analyse the problem properly you'll never get any sort of
viable preventative program.
But this confusion has now resulted in legislation for which I
fear there are doomed expectations. Just as computers have now
infiltrated every facet of commercial life, I would have
preferred an approach to law reform which assumed that most
computer-related crime would continue to be handled under the
framework of existing statute and common law. I would have liked
the Law Commission to have concentrated on strengthening those
areas where conventional law looks weak. As I have tried to
show, a reform of the Criminal Damage Act, 1971 would have been
more effective than what was actually produced in section 3 of
the Computer Misuse Act. A reform of the law of deception within
the Theft Act would have produced some of the results hoped for
in section 1 of the Computer Misuse Act without involving many of
the uncertainties of coverage and interpretation that the new Act
has provided.
Although I don't have time to go into it today, it seems to me
that many people have ignored the many remedies that the civil
law has. For those many crimes involving employees and sub-
contractors, including unauthorised access and information
theft, the law of contract provides many potent remedies,
including dismissal. Student hackers may be more effectively
dealt with under Disciplinary Codes - where the offence may be set
in such vague terms as "conduct likely to bring the university
into disrepute", where the standards of proof are lower and
where the sanction may be loss of the opportunity to take a
degree. In other situations the civil wrong of breach of
confidentiality, though flawed, can be effective in instances of
information theft. What a pity there has been no follow-up to
the Law Commission's work in this area, which has lain largely
ignored since 1981.
The Computer Misuse Act delivered only one thing - and I return
here to something I hinted at at the beginning - it gave the
illusion that something was being done about a problem which
seemed to exist. Compared with almost anything else that a
country might do - rethinking the role of the police in white
collar crime, providing different career patterns and training
for policemen, keeping your Crown Prosecution Service up to
strength - passing legislation is unbelievably cheap. All it
takes is the time of a few civil servants and Members of
Parliament and a few printing bills. Politicians and pressure
groups love new legislation because that is how they can most
visibly be seen to be getting results. It is also attractive to the
media, where technical legal reform is not.
Finally, the Computer Misuse Act distracts management from
examining in rigorous detail what they can be doing to stay in
control of their computer resources. It develops in their mind
the notion of unpredictable "computer criminals" whose activities
cannot otherwise be restrained.
The theme of this conference is the Challenge of the Nineties.
Let me tell you what I think it is. We need to make the
discussion of computer security much more sober than it is at the
moment. Legislation born out of panic sets up false expectations
and doesn't get the desired results. Too many in the computer
security business have sought to sell their products and services
on a simple unsophisticated scare story. Effective computer
security means a multi-disciplinary approach, where computer
security is seen as just one aspect of securing the assets -
physical, cash and intellectual - of the business environment
that the computer serves. And where "solutions" come from a
balance of computer-based and administrative controls and where
the law provides remedies only for the most outrageous of
activities. As for the investigation of crime, it is surely
better to talk of experts in computer forensics, who can aid and
support the "ordinary" investigators when a crime goes
inside a computer and evidence must be extracted in a form in
which it will be useful in legal proceedings.
A fully foot-noted version of this paper is available on
request to the author.
Peter Sommer MA(Oxon), MBCS
Peter Sommer runs Virtual City Associates which specialises
in computer forensics, expert witness activities and
insurance policy development, risk assessment and loss
adjustment. It also provides more broad-based computer
security consultancy. Virtual City Associates often works
in association with other professional firms. Peter Sommer
read law at Oxford and has been both a publisher of books
and of electronic databases. He is better known by his
pseudonym, Hugo Cornwall, under which he wrote the first
three editions of the best-selling Hacker's Handbook as well
as DataTheft (Mandarin) and large quantities of journalism.
A new book, on modern industrial espionage, is due out in
1991. Mr Sommer is frequently asked to appear on TV and
radio.
Virtual City Associates
67 Mount View Road
London N4 4SR
UK
tel: 44 (0)81-340 4139
fax: 44 (0)81-341 3472
CompuServe 100012,2610