Computer misuse
- The actions of so-called ‘ethical hacking’ groups such as Anonymous are illegal and clearly in breach of s. 3 of the Computer Misuse Act 1990 (and Art. 5 of the Convention on Cybercrime). There is no defence or justification for their actions. They should be arrested and prosecuted as a matter of urgency.
Discuss.
To answer this question I would expect the student to discuss in order:
- Firstly, what is the scope of s.3 of the Computer Misuse Act? The offence occurs when an individual carries out any act which is intended to impair the operation of a computer, to prevent access to data or to hinder the operation of a program. This seems clearly to cover acts such as the DDoS attacks often used by Anonymous.
- What about intent? Surely if Anonymous intend some form of civil disobedience they should have a defence? This is the Klang argument, as seen in ‘Civil Disobedience Online’ and ‘Virtual Sit Ins, Civil Disobedience and Cyberterrorism’; however, there is no such defence under the Computer Misuse Act – see DPP v Lennon and R v Cuthbert (in relation to s.1).
- Students can point to cases where arrests and prosecutions have been made under both s.1 and s.3 of the Act in exactly these circumstances, such as the James Jeffery case and the Operation Payback prosecutions.
- This calls for an evaluation of the opposing values. Are the police right to arrest, and the CPS to prosecute, members of Anonymous under s.3 (or s.1) or, as Klang claims, should there be protection for those clearly involved in campaigns of civil disobedience? Are DDoS attacks the online equivalent of a sit-in? If they are akin to a sit-in, should they be protected?
- Finally, our Convention on Cybercrime duties have to be remembered – would Art.5 allow for such a defence should we wish to enact one? In my opinion it would.
- Should Gary McKinnon and/or Lauri Love have been tried in the UK under the Computer Misuse Act?
This is a highly politicised issue and some students may hold strong views. These should not get in the way of objective evaluation.
- Explain in some detail the facts behind the McKinnon case and the legal charges laid against him.
- The first question is: did McKinnon commit an extraditable offence in 2002? Why was he re-arrested once the Extradition Act 2003 had passed into law?
- Could McKinnon be tried in the UK? For the Act to apply, the act must have a connection with the UK. This is defined under s. 5(2) as being either ‘(a) that the accused was in the home country concerned at the time when he did the act which caused the computer to perform the function; or (b) that any computer containing any program or data to which the accused secured or intended to secure unauthorised access by doing that act was in the home country concerned at that time’. As McKinnon was in London at the relevant time, he is clearly liable to the regulation of the CMA 1990 under s. 5(2)(a), even though the computers he hacked into were in the US. See also R v Caffrey and R v McElroy.
- It was claimed while McKinnon was under extradition proceedings that the US was the correct forum for the case, as that is where the witnesses who would be called were resident and where the evidence was sited. However, following his defeat in the House of Lords, McKinnon signed a statement admitting offences under the CMA, including under ss. 2 and 3. This would mean no witnesses would need to be called and no evidence would need to be laid (except in relation to sentencing). When the process concluded, the Director of Public Prosecutions announced that McKinnon would not be prosecuted in the United Kingdom because of the difficulties involved in bringing a case against him when the evidence was in the United States. This is odd. It did not prevent prosecutions in R v Caffrey and R v McElroy where, similarly, the evidence was in the United States.
- The conclusion is that there is something highly unusual about the McKinnon case. He was treated differently to Caffrey and McElroy. We must assume there was highly sensitive information involved which the US authorities did not want to disclose to a UK court.
- ‘Insider Hacking’ is a contradictory concept. Discuss.
This question invites a discussion of employee or “insider” hacking.
- The answer should begin with a definition of insider or employee hacking, highlighting the risks to businesses, customers and society more widely from such attacks.
- A starting point for the legal analysis is the PNC cases: R v Bennett, R v Bonnett and R v Begley, culminating in R v Bignall.
- A detailed analysis of Bignall is required, in particular of the defence that “their use of the computer, even if it was found to be for private purposes, was not within the definition of ‘unauthorised access’ provided by s. 17(5) of the Act because the access had been with authority even though that authority was used for an unauthorised purpose”.
- The problems of the ‘authorised use for unauthorised purpose’ defence should be discussed in detail, in particular the interplay of s.17(2) and s.17(5).
- The answer should then move on to R v Bow Street Magistrates Court and Allison, ex parte Government of the US of America. A discussion of Lord Hobhouse’s approach to s.17(2) and s.17(5) is important.
- Finally, the more recent cases R v Culbert, R v Carey and R v Curzon should be discussed.