At this week’s Conservative Party Conference there will be a lot of talk about making Brexit happen, putting the “Great” back in Britain, and taking back control of our laws. However, there is one law where the Government is reluctant to express much enthusiasm for sovereignty at all; it is the Computer Misuse Act (CMA) 1990.
Indeed, it has allowed UK officials to defer to the interests of a foreign state (without a murmur) even though serious custodial offences are likely to have been committed in the UK.
In 1990, I can remember that Tam Dalyell MP sought confirmation that the offences in the Computer Misuse Bill (as it then was) could be tried in the UK, even though the unauthorised access was by someone in the UK to a computer outside the UK. The answer was “yes”.
Lauri Love is a 31 year-old hacker on the autistic spectrum; he is accused of doing some totally stupid/misguided things and has allegedly hacked into all sorts of places that should not have been hacked. He is accused of obtaining information including personal data from computers belonging to various governmental agencies, the US Army, NASA, the Federal Reserve and the Environmental Protection Agency.
Unsurprisingly these USA bodies that have been hacked are hopping mad. The National Crime Agency (NCA) arrested Mr. Love in 2013 for CMA offences but then decided not to prosecute, deferring instead to USA prosecutors. On 15 July 2015, Mr. Love was arrested by UK officials at the behest of the US government and the well-publicised extradition proceedings commenced.
Section 1 of Computer Misuse Act (CMA) 1990 states that an offence is committed if an individual “causes a computer to perform any function with intent to secure access to any program or data held in any computer” when that individual knows the access is unauthorised.
Section 2 of the CMA states that the offence becomes far more serious if the unauthorised access in Section 1 has occurred with intent to commit or facilitate the commission of further offences (e.g. an offence connected with terrorism, fraud etc).
The maximum penalty for a Section 2 CMA offence can be really serious. For instance:
- In R v Adam Penny at Kingston Crown Court (12/9/2016) a hacker accessed a gold bullion firm’s website to obtain names, addresses and tracking numbers of customers to enable associates to intercept the gold deliveries. He was sentenced to five years and four months in jail.
- In R v Nazariy Markuta at Southwark Crown Court (22/9/2016) a member of a hacking group obtained 300k usernames and passwords from Yahoo and offered them for sale. He was jailed for two years after guilty pleas to three offences under CMA 1990 (see references).
In other words, if Mr. Love were to be found guilty of a Section 2 offence by the UK Courts, he faces a significant custodial sentence as both the CMA offence plus the aggravating offence are taken into account when sentencing occurs. The judgment associated with the extradition proceedings confirms that a Section 2 offence could have been committed by Mr. Love (see references).
It is claimed that Mr. Love faces a 99 year prison sentence, something that equates hacking with murder and rape. Now I don’t believe that applies in practice, but I do believe that a sentence of a decade or more is possible.
In the USA, there is something called plea-bargaining; it means that if the offender pleads guilty, the custodial sentence is reduced by agreement and there is no trial. So suppose you were in Mr. Love’s position, and you are offered a plea-bargained 8 year prison sentence. You are also told that the prosecutors would go for a 20 year sentence if you did not accept. What would you do?
In addition, any custodial sentence occurs in the USA and not in the UK; thousands of miles away from the support that those on the autistic spectrum need.
The part of the case that has not been tested relates to the security surrounding the websites of the hacked organisations. Since personal data were accessed, if this had happened in the UK, any poor website security could attract enforcement action by the Information Commissioner. For instance:
- Staysure.co.uk Limited (an online holiday insurance company) was fined £175,000 by the ICO after IT security failings let hackers access customer records (e.g. 100,000 live credit card details, medical details, credit card CVV numbers despite industry rules that they should not be stored).
- Worldview Limited (a hotel booking website) was fined £7,500 (reduced from £75,000 as the company was in financial trouble) following a failure to undertake patches that removed a vulnerability on the company’s site (attackers accessed the full payment card details of 3,814 customers).
So if the USA had enacted a European Data Protection law, the hacked organisations could have been vulnerable to enforcement action if their website security was at a level that left personal data vulnerable to hacking attacks. That does not negate the fact that Mr. Love committed a hacking offence, but clearly if website security was weak, then this allowed Mr. Love’s attacks to succeed.
In the UK, a prosecution under the Computer Misuse Act would be likely to include consideration of the security procedures implemented by the hacked organisation, because the word “unauthorised” in the CMA offence means that “authorisation” procedures are tested. However, if there is a plea bargain in the USA, then any security inadequacies are not even raised.
In other words, there is an uncomfortable suspicion that public officials in the UK are agreeing to the extradition of Mr. Love in order to invoke the USA’s plea bargaining procedure and avoid any embarrassing exposure of an inadequate level of security procedures adopted by USA public bodies. Another possibility is that the UK authorities do not want to incur the costs of an investigation and are content for US prosecutors to “take the strain” on costs.
Whatever the reason that underpinned the decision not to prosecute under the CMA, it was taken by UK officials at an early stage in the investigation. Why was such a decision taken? Was that decision scrutinised by managers? What level of official is responsible for that decision? The answers to these questions are needed to reassure the public that the decision to extradite is the correct one.
Back in 1990, the UK Parliament voted for the CMA offences to have global effect so that a hacking offence committed in the UK could be prosecuted in the UK. So when Conservatives say this week they are “taking back control of UK laws” remember such statements do not apply to a defendant on the autistic spectrum facing a long time in jail in the USA.
A really valuable list of CMA offences (including offences which could have been undertaken by S.55 of the DPA) can be found at: http://www.computerevidence.co.uk/Cases/CMA.htm
Extradition proceedings which identified that CMA offences were committed in the UK (see para 15): https://freelauri.com/wp-content/uploads/2016/09/usa-v-love-judgment.pdfc
See also “What lies beneath the extradition of hacker Gary McKinnon to the USA” on http://amberhawk.typepad.com/amberhawk/2009/10/what-lies-beneath-the-extradition-of-hacker-gary-mckinnon-to-the-usa.html
Forthcoming Amberhawk courses in October:
- GDPR Workshops: 7 October (Edinburgh) and 7 December (London)
- FOI Practitioner Course: Starts 18 October (London)
- DP Practitioner Course: Starts 14 November (BCS syllabus; London)
- CISMP Course: Starts 28 November (BCS syllabus; London)