On 25 January 2006, the Police and Justice Bill (the ‘Bill’) was introduced in the House of Commons. The Bill includes provisions amending the Computer Misuse Act 1990 (the ‘Act’) in order to bring the Act up to date and to fulfil the United Kingdom’s obligations under the European Cybercrime Convention. In particular the government hopes that the amendments will make clear that denial of service (DoS) attacks are within the scope of the Act. However it is debatable whether the amendments are either necessary in order to achieve this, or adequate to address the main difficulties experienced in applying the Act to DoS attacks.
The current Computer Misuse Act 1990
The Act as it stands contains three main offences to do with unauthorised acts relating to computers:
Section 1 contains the basic ‘hacking’ offence of gaining unauthorised access to any program or data held in a computer.
Section 2 makes it an offence to commit a Section 1 offence with a view to committing, or facilitating the commission of, a further offence.
Section 3 contains the offence of causing unauthorised modification of the contents of a computer with intent:
- to impair the operation of any computer; or
- to prevent or hinder access to any program or data held in any computer; or
- to impair the operation of any such program or the reliability of such data;
knowing that any modification intended to be caused is unauthorised.
As well as increasing the penalties for offences under the Act, the Bill expands the scope of Section 3 and introduces a completely new offence.
The penalty for Sections 1 and 3 would increase from a maximum of six months in prison to a maximum of 12 months (on a summary conviction), and from a maximum of 5 years to a maximum of 10 (on indictment).
The Section 3 offence would in future be committed by “any unauthorised act in relation to a computer”, with the same intent as at present and knowing that the act in question is unauthorised.
A new Section 3A creates various new offences of making, adapting, supplying or offering to supply an article designed or adapted for use in a computer misuse offence, or intending it to be used to commit such an offence. ‘Article’ in this context includes any program or data held in electronic form, such as a computer password. There will also be a new offence of obtaining any article with a view to its being supplied for use in committing a computer misuse offence.
The expanded Section 3 offence is intended to catch DoS attacks. A DoS attack uses software to overload a targeted system by sending huge numbers of email messages or requests for information. This overwhelms the server and causes it to crash, resulting in, for example, the loss of an email service or a website becoming inaccessible.
Many have suggested that the existing legislation is inadequate to cover DoS attacks. In 2002, the Earl of Northesk tried without success to introduce a Private Member’s Bill that would have created a specific DoS offence in the Act. Then in June 2004, the All Party Internet Group of MPs (the ‘APIG’) published a report also recommending the creation of a DoS offence of impairing access to data, in order to ensure that all, not just some, DoS attacks were caught, and advocating stronger penalties. The report’s recommendations were followed up in March 2005 by Derek Wyatt MP, the APIG chairman, in the form of a Ten Minute Rule Bill in the House of Commons. That Bill was also unsuccessful.
Curiously, the real problem with the Act in its application to DoS attacks is not addressed at all by the amendments that the government now proposes. The existing legislation was drawn so widely that the courts have had no difficulty in bringing within Section 3 any activity that causes a computer to record data, which would include DoS attacks. The problem is whether what the hacker does is “unauthorised” if he is only sending messages to a public interface, such as an e-mail address, that was set up for the purpose of receiving such messages. That difficulty remains whether the offence is one of ‘unauthorised modification’ or of an ‘unauthorised act’.
This problem was illustrated by a case in November 2005 in Wimbledon Magistrates Court. A disgruntled teenager caused his former employer’s server to crash by sending it five million emails within a short time period. He was charged under Section 3 with making unauthorised modifications to computer material. However, it was held that because the server was set up expressly to receive emails, the modifications made to the computer material were not ‘unauthorised’, so the charges were dismissed. While the case seemed to defy common sense (could it really be said that by creating the e-mail address the employer was impliedly consenting to receive all five million e-mails?), that is what the magistrates decided. It is difficult to see how the revised wording of Section 3 would have led them to a different decision.
The government has introduced the new offences related to articles for use in computer crimes in order to comply with the Cybercrime Convention. As drafted, the clauses will raise concerns over articles that have multiple uses, which could be caught regardless of whether they are intended to be used in the commission of a computer crime.