The amended Computer Misuse Act closes the loophole for DoS attacks, says Tamzin Matthew.
It's a fact of life that the law often to struggles to keep up with technology. The Computer Misuse Act (CMA) 1990 was enacted to deal with computer crime when widespread use of the PC was relatively new. Sixteen years later, the CMA is being amended to deal with the internet age. The changes, contained in the Police and Justice Bill, are likely to become law before 9 November, when the current session of Parliament ends.
The Bill introduces heavier penalties for the current section 1 offence of attempting to gain unauthorised access to computer material, and for the section 3 offence (as amended by the Bill) of committing unauthorised acts to cause impairment of a computer.
The original section 3 of the CMA made it an offence to cause unauthorised modification to the contents of a computer, with the intention of impairing its operation, or that of a program, or of hindering or preventing access to any program or data held in a computer, or affecting the reliability of data held in a computer. The offence had to be committed with intent and the knowledge that the modification was unauthorised.
However, the All-Party Internet Group (APIG), which published its recommendations for reform of the CMA in 2004, felt that while the police considered that section 3 was wide enough to cover denial-of-service attacks, the bill needed to be more specific.
APIG noted widespread concern that criminals could argue that bombarding a website with emails did not constitute a modification because the problem arose from a lack of capacity in the computer and, since a website is designed to receive email traffic, sending emails, regardless of volumes, would not be unauthorised.
In response to the APIG's advice, the new version of the offence covers unauthorised acts committed with intent to impair or recklessness as to impairing. By widening the scope for prosecution by allowing conviction for reckless behaviour, rather than just for intentional acts, the amended section confirms that the impairment or hindrance need only be temporary for an offence to have been committed.
Under the amended Act, an offence can occur even if the contents of a computer have not been modified, alleviating concerns over the original section 3 that a denial-of-service attack might not be covered.
The latest version of the Bill does not address the issue of authorisation. However, in the appeal hearing for the recent case of DPP versus Lennon, a teenager who flooded his former employer with more than five million emails, the High Court, in allowing the appeal of the Director for Public Prosecutions, dismissed the possibility that a denial-of-service bombardment could be authorised.
The penalties for this offence, if it is heard in a magistrates' court, are a prison term of up to 12 months, or a fine of up to £5000, or both. If the matter is heard in a crown court, the maximum prison sentence is two years, and there is no limit on the fine.
This offence would cover the supply of passwords as well as hacker tools. However, and here is the nub, the application of this offence is likely to be tricky. Just as a knife can be used to kill someone, or to carve a Sunday roast, "hacker tools" can be used for completely legitimate purposes.
So far, there have been relatively few prosecutions under the CMA. However, it remains to be seen whether the amendments to the act will in fact increase the prosecution rate under this law, or simply act as more of a deterrent to those launching denial-of-service attacks, hackers or other persons tempted to misuse computer systems. Or, for those with a more pessimistic outlook, there is the possibility that it will not make much of a difference at all.
For the full text of the amendment, go to www.publications.parliament.uk/pa/ld200506/ldbills/104/06104.31-37.html#j381.