Should Computer Misuse Act offences committed in UK be prosecuted in UK?
Take back control... that's the plan, right?
Analysis At this week’s Conservative Party Conference there will be a lot of talk about making Brexit happen, putting the “Great” back in Britain, and taking back control of our laws. However, there is one law where the government is reluctant to express much enthusiasm for sovereignty at all; it is the Computer Misuse Act (CMA) 1990.
Indeed, it has allowed UK officials to defer to the interests of a foreign state (without a murmur) even though serious custodial offences are likely to have been committed in the UK.
In 1990, I can remember that Tam Dalyell MP sought confirmation that the offences in the Computer Misuse Bill (as it then was in 1990) could be tried in the UK, even though the unauthorised access was to a computer outside the UK from someone in the UK. The answer was “yes”.
Lauri Love is a 31-year-old hacker on the autistic spectrum; he is accused of doing some totally stupid/misguided things and has allegedly hacked into all sorts of places that should not have been hacked. He is accused of obtaining information including personal data from computers belonging to various governmental agencies, the US Army, NASA, the Federal Reserve and the Environmental Protection Agency.
Unsurprisingly, these US bodies that have been hacked are hopping mad. The National Crime Agency (NCA) arrested Mr Love in 2013 for CMA offences but then decided not to prosecute, deferring instead to US prosecutors. On 15 July 2015, Mr Love was arrested by UK officials at the behest of the US government and the well-publicised extradition proceedings commenced.
Section 1 of CMA 1990 states that an offence is committed if an individual “causes a computer to perform any function with intent to secure access to any program or data held in any computer” when that individual knows the access is unauthorised.
Section 2 of the CMA also states that the offence becomes far more serious if unauthorised access in Section 1 has occurred with intent to commit or facilitate commission of further offences (eg, an offence connected with terrorism, fraud etc).
The maximum penalty for a Section 2 CMA offence can be really serious. For instance:
- In R v Adam Penny at Kingston Crown Court (12/9/2016) a hacker accessed a gold bullion firm’s website to obtain names, addresses and tracking numbers of customers to enable associates to intercept the gold deliveries. He was sentenced to five years and four months in jail.
- In R v Nazariy Markuta at Southwark Crown Court (22/9/2016) a member of a hacking group obtained 300k usernames and passwords from Yahoo and offered them for sale. He was jailed for two years after guilty pleas to three offences under CMA 1990 (see references).
In other words, if Mr Love were to be found guilty of a Section 2 offence by the UK Courts, he faces a significant custodial sentence as both the CMA offence plus the aggravating offence are taken into account when sentencing occurs. The judgment associated with the extradition proceedings confirms that a Section 2 offence could have been committed by Mr Love (see references).
It is claimed that Mr Love faces a 99-year prison sentence, something that equates hacking with murder and rape. Now I don’t believe that applies in practice, but I do believe that a sentence of a decade or more is possible.
In the US, there is something called plea-bargaining; it means that if the offender pleads guilty, the custodial sentence is reduced by agreement and there is no trial. So suppose you were in Mr Love’s position, and you are offered a plea-bargained eight-year prison sentence. You are also told that the prosecutors would go for a 20-year sentence if you did not accept. What would you do?
In addition, any custodial sentence occurs in the US and not in the UK, thousands of miles away from the support that those on the autistic spectrum need.
The part of the case that has not been tested relates to the security surrounding the websites of the hacked organisations. Since personal data were accessed, if this happened in the UK, any poor website security could attract enforcement action by the Information Commissioner.
- Staysure.co.uk Limited (an online holiday insurance company) was fined £175,000 by the ICO after IT security failings let hackers access customer records (eg, 100,000 live credit card details, medical details, credit card CVV numbers despite industry rules that they should not be stored).
- Worldview Limited (a hotel booking website) was fined £7,500 (reduced from £75,000 as the company was in financial trouble) following a failure to undertake patches that removed a vulnerability on the company’s site (attackers accessed the full payment card details of 3,814 customers).
So if the US had enacted a European Data Protection law, the hacked organisations could have been vulnerable to enforcement action if their website security was at a level that left personal data vulnerable to hacking attacks. That does not negate the fact that Mr Love committed a hacking offence, but clearly if website security was weak, then this allowed Mr Love’s attacks to succeed.
In the UK, a prosecution under the Computer Misuse Act would likely to include consideration of the security procedures implemented by the hacked organisation because of the word “unauthorised” in the CMA offence, meaning that “authorisation” procedures are tested. However, if there is a plea bargain in the US, then any security inadequacies are not even raised.
In other words, there is an uncomfortable suspicion that public officials in the UK are agreeing to the extradition of Mr Love in order to invoke its plea bargaining procedure and avoid any embarrassing exposure of an inadequate level of security procedures adopted by US public bodies. Another possibility is that UK authorities do not want to incur the costs of an investigation and are content for US prosecutors to “take the strain” on costs.
Whatever the reason that underpinned the decision not to prosecute under CMA, it was taken by UK officials at an early stage in the investigation. Why was such a decision taken? Was that decision scrutinised by managers? What level of official is responsible for that decision? The answers to these questions are needed to reassure the public that the decision to extradite is the correct one.
Back in 1990, the UK Parliament voted for the CMA offences to have global effect so that a hacking offence committed in the UK could be prosecuted in the UK. So when Conservatives say this week they are “taking back control of UK laws” remember such statements do not apply to a defendant on the autistic spectrum facing a long time in jail in the US. ®
A really valuable list of CMA offences (including offences which could have been undertaken by S.55 of the DPA) can be found here.
Extradition proceedings which identified CMA offences were committed in the UK (see para 15).
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Sponsored: Becoming a Pragmatic Security Leader