The Police and Justice Act strengthens protections against denial of service attacks but it is unlikely to lead to more convictions
Among other things, the passing of the Police and Justice Act last week closed a perceived loophole in Britain's cyber crime law. I say perceived because, although critics claimed that our Computer Misuse Act, now 16 years old, was hopelessly out of date, that was an unfair exaggeration. In fact, the Act had proved itself resilient to the internet's rapid evolution and there was little evidence of criminals exploiting the so-called loophole.
Each week has brought a new scare story of the country's computers being at risk from hacking teenagers, terrorists or teenage terrorists, or warnings of a new strain of virus, worm, Trojan or spyware. But along the way, the Act has generally been ready for action. That it hasn't seen much action (devious geeks are a rarity in our courtrooms) is not the fault of the legislation but the fault of the authorities for not catching and prosecuting the perpetrators.
The perceived loophole was a small one. The original legislation did not squarely address "denial of service" attacks, in which a company's systems are maliciously bombarded with data to the point of collapse. The furthest the 1990 Act went was to describe an offence of causing "unauthorised modification of the contents of any computer" with criminal intent, such as hacking into your bank's computer and changing the balance of your account. But did that actually apply to denial of service attacks?
In November 2005, a district court judge suggested that it did not. Teenager David Lennon was cleared of criminal charges after he sent five million e-mails to his former employer, temporarily crashing the company's server, because the judge felt his actions were not covered by the Act. Mr Lennon's lawyer successfully argued that as the purpose of the company's server was to receive e-mails, the company had consented to the receipt of Mr Lennon's e-mails and their consequent modifications of data. As long as sending e-mails was an authorised act, the reasoning went, the fact that he had sent so many of them was irrelevant.
The need for an amendment to the legislation seemed obvious in the wake of that decision, but then the High Court overturned the ruling on appeal. The original legislation was sufficient to cope with such attacks, Lord Justice Keene and Mr Justice Jack ruled. Yes, the owner of the computer system would ordinarily consent to the sending of e-mails to his computer, they said, but such implied consent is given with limits. The consent was given to e-mails sent for the purpose of communication with the owner, not to interrupt his computer system. In Mr Lennon's case, they ruled, there had in fact been an unauthorised modification to the computer by the adding of unauthorised data.
But by the time the High Court had issued that ruling, amendments to the legislation had already been tacked on to the Police and Justice Bill. It received Royal Assent last week, thus widening the Computer Misuse Act. It is now an offence to perform an unauthorised act in relation to a computer with the "requisite intent" and "requisite knowledge".
Will it make a difference? At best, the changes are a timely upgrade that removes any lingering doubts about the law. It is not a radical change. I do not see it resulting in more convictions. On the other hand, we still have only one piece of legislation explicitly and solely focusing on computer crime and for that simplicity we should be grateful. Contrast with the US, where fresh legislative proposals seem to emerge with each new warning about computer security.
Struan Robertson is a lawyer at Pinsent Masons specialising in technology and the editor of Out-Law.com. His column on technology law appears every Wednesday.