Compacs '91/Sommer/Limits of the Law/ 1 Compacs 1991 March 19th 1991 LIMITS OF THE LAW IN RESTRICTING COMPUTER MISUSE ================================================ Peter Sommer MA(Oxon), MBCS Virtual City Associates, UK  This paper is designed to accompany a presentation to be made on March 19th 1991 at Compacs 1991 at the London Hilton Hotel. In this paper I want to examine how much we can reasonably expect the legal system to deliver to us by way of safeguarding computers and what goes on within them. I will be doing so specifically by looking at the process by which the UK Computer Misuse Act of 1990 (CMA) arrived on the statute book and in particular how the pressure for "computer crime" legislation built up, the claims that were made during the lobbying process and what the Act actually delivers by way of remedy to potential victims. But I will also show what it does not deliver and where all legislation of this type is doomed to disappoint. I hope what I have to say will go beyond the parochial needs of a British audience. In the end, the framing of laws has to be a specific and practical exercise, not the enunciation of generalised principles. "Computer laws" have to interrelate with the rest of the law. In turn, all substantive law has to interact with the facilities available by way of enforcement; and that means looking at rules of admissibility of evidence, policing, the prosecution service and the reality of the courts. These considerations have have been strikingly absent in most of the recent debates about computer crime legislation wherever they have been held almost anywhere in the world. (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 2 Problem of public perceptions about "computer crime" The first problem any proposal for a computer crime statute has to cope with is public perception of the nature and extent of computer crime. It is the perception of the problem rather than the actuality which has such a profound influence on what finally happens in the determining of public policy, in Parliament, among law enforcers, and in board rooms. While the broad public thinks there is a lot of "computer crime" there turns out to be no agreed definition of what should be included. Are we talking about anti-social activities in which computer files are directly manipulated (there is surprisingly little of that in the attested material in the computer crime case books) or do we broaden it out to situations in which computers are physically involved (in which case you also include theft of computer hardware)? Should we be taking a strict literalist approach - that the only computer crimes are transgressions of laws which already mention the word "computer"? This last provides a bit of dilemma for pressure groups - how then do you produce evidence for the need for a new computer crime statute? None of these definitions is more "correct" than any other - my point is the absence of any agreement as to which to adopt. Parenthetically one can add that there is even less agreement as to what "hacking" is - usage of the word varies all the way from "computer enthusiast" (and with no under- or over- tones) to "computer criminal" and includes "explorer of computer networks" and "recreational system cracker" along the way. In the absence of any consensus, the definition of "computer crime" can be made to do almost anything you want. If you are in the computer security business, your marketing strategy must be to go for as wide a definition as possible. You cheerfully include all the large electronic funds transfer (EFT) frauds because, although all the known examples rely on abuse of (manually-based) authorities or simple impersonation and the computer systems centrally employed have never been compromised, the sums involved are always in the millions. On the other hand, if you are the head of a police force faced with ever more insistent demands for greater efficiency in all areas of your remit coupled with complaints about the growth of your annual budget and the poor quality of your manpower, there is a lot to said for claiming that computer crime (on a restricted definition) is only a tiny problem. The lack of an agreed definition also means that all computer crime statistics are nonsense - no one knows what is being measured. Of course the problem with computer crime statistics goes far beyond that - once you have your definition, how do you reliably collect your data? The official crime statistics reflect breaches of specific statutes and common law offences, not modus operandi. How do you assess unreported crime? We don't have even the beginnings of an idea of how much of white collar crime in general goes unreported; this is currently one of the great gaps in modern criminological research. (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 3 The difficulty with computer crime statistics gets worse when it comes to estimating the costs of computer crime. What do you include - sums actually lost, sums the subject of failed attempts, sums "at risk" (the phrase used by the police fraud squads, though with no agreement as to whatever that means), consequential losses (but then how far down the line of causation do you go?). Again, there is no "correct" answer. None of these obvious problems have prevented otherwise respectable organisations and individuals from associating themselves with quite definite figures. The Confederation of British Industries, the leading employer's body in the UK, throughout 1989 and 1990 kept on quoting the figure of œ400m though what this represented - "computer crime" or "hacking" tended to vary. Pushed hard, they acknowledged they themselves had done no research but said what they had came from the London Business School. Enquiries at the library there showed no LBS-sponsored work; I think I have tracked the "statistic" down to a press release from a corporate security security company called Saladin who took advice from an LBS staff-member but the research, if it exists, remains unpublished. The Department of Trade and Industry, in figures released just before the Second Reading of the Computer Misuse Bill in February 1990, said they had verified 270 computer crime incidents over the previous five years, of which only six had been brought to court. Enquiries of the DTI showed that they had conducted a "survey of surveys" - and no, they couldn't offer their working definition of what they were measuring. A convenient get out for those who have intellectual doubts about the figures they quote is the use of the impersonal passive tense:.. "it is estimated". And if pressed, respond not by explaining statistical methods but by producing a lurid anecdote and/or forecast. A very important component in the formation of public perception has been the role of media reporting. There is an inevitable bias in the newspaper and television coverage of anything towards the unusual - computer crime is no different, except that, with a few exceptions, the level of verification seems to be lower than for most stories except perhaps those alleging scandals among tv soap stars. Among the lazier sort of journalist, the premium is to get a story which conforms to stereotypes they have already accepted. I have received the request "Get me a hacker, the younger the better," from more than one mass circulation daily newsdesk. A related bias is that the "experts" quoted are those who are prepared to make the most outrageous claims and forecasts. The "expert quote" in fact provides the reporter with an alibi or makeweight for an otherwise dubious story. It takes courage for an expert in the contacts book of a national newspaper's newsdesk to forswear the opportunity of a free appearance in print by killing off a story which he knows does not make sense. (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 4 Any examination of the actual case material from first-hand or near-first-hand sources as opposed to the clippings libraries of the national media - and there is now over twenty years of it - shows that standards of scholarship in the reporting and analysis of computer crime are absymally low - but that is a subject for another paper. Yet again, sensational claims made by prosecutors and police at the beginning of trials is news, the failure eventually to produce evidence for them is usually not. This is a repeating pattern: we saw it here in the UK in the Prince Philip Prestel case, in Germany with the Chaos Club/KGB hackers affair and we have seen it as recently as the end of 1990 in the USA over Operation Sun Devil and the Legion of Doom. There are still people who believe that in 1985 New Jersey hackers were able to move satellites in space, all based on prosecutor claims that in court were shown to have been the result of hysteria and ignorance. I have spent some time talking about public perceptions because one of the things that new legislation can never do is remedy situations which substantially do not exist, at least in the forms in which the public have come to believe. There is one exception to this to which I will return at the end. Perceptions about "computer law" The misperceptions about computer crime are accompanied by another one - that you need specific new laws to tackle the generality of computer-related crime. There is a wealth of obvious rhetoric about the sloth of law reform and the unworldliness of lawyers, not all of which is justified. So the "logic" is complete: we have a radically new area of criminal activity called computer crime, committed by a new class of person - the computer criminal or hacker, and for which, obviously, completely new laws - computer crime laws - are required. Most of the rest of this paper will show the false directions in which this logic has lead us. In fact, the "logic" is easily broken down. In its Working Paper 110 published in September 1988, the English Law Commission (ELC), the official body concerned with reviewing and recommending law reform, examined Computer Misuse and listed out the areas where existing English law already delivered remedies. These included: the Theft Acts which cover both routine street crimes and fraud and are the means by which most electronic funds transfer frauds have been prosecuted; Conspiracy, a complex concept in English Law the essence of which is two or more people working together for an unlawful purpose; Demanding Money with Menaces, the actual charge in most cases of blackmail and extortion; Criminal Damage, which covers the intentional or reckless damaging of property and which applies in some but perhaps not all computer situations (we will return to this (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 5 matter); Offences Against the Person, which include physical wounding, manslaughter and murder, which would presumably apply if a computer-run machinery were maliciously directed to attack an individual); Official Secrets, which covers access to government computers (the only offenders actually charged have been policemen doing favours for friends or, in one case, trying to win a competition at a gasoline station); Forgery and Counterfeiting, which applies to the forging of mag stripe cards and other authenticators (there are limitations to this which will also be examined later); there are also limited criminal sanctions available in the Copyright Acts. The English Law Commission found some loopholes and exceptions which I will examine later, but what they showed in an authoritative and compact form was what was evident to anyone who had studied the case-books of British computer crime. That is: that nearly all of the activity that one could include in a definition of "computer crime" was not only punishable within existing English law, but that there had been any number of convictions. The process of law reform Working Paper 110 enraged those who wanted tough legislation. The Law Commission had produced a list of technical reforms throughout the penal calendar but, on what many had persuaded themselves was the central issue - a new offence of "unauthorised access to a computer", the Commission was agnostic, asking for evidence that any action was necessary. The English Law Commission had not been the first to comment on computer law reform. England and Scotland have separate though similar legal systems and the Scottish Law Commission had produced a consultative paper in 1986 (which incidentally contains a useful summary of international legislation) with a final report following in 1987. The SLC had recommended a new offence of unauthorised access to a computer: 1 (1) A person commits an offence if, not having authority to access a program or data stored in a computer, or to a part of such program or data, he obtains such unauthorised access in order to inspect or otherwise acquire knowledge of the program or data or to add to, erase or otherwise alter the program with the intention - (a) of procuring an advantage to himself or another person; (b) of damaging another person's interests (2) A person commits an offence, if not having authority to obtain access to a program or data stored in a computer, or to part of such program or data, he obtains such unauthorised access and damages another person's interests by recklessly adding to, erasing or otherwise altering the program or data (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 6 To many English lawyers the tests for proof seemed to be too vague to be practical and left too much to judicial interpretation. But what had really stimulated English demand for legislation was the case of R v Gold & Schifreen, which in 1988 had gone to the highest court in the land, the House of Lords. Gold and Schifreen were two out of four hackers who had penetrated British Telecom's public access database service Prestel in 1984. They had not employed any great skill in doing so but had exploited the fact that British Telecom had broken almost every rudimentary rule in the computer security book. The system manager had an obvious password (it was discovered by accident and not as a result of any clever password-cracking program), the test environment had a password which showed on its log-in page, and the test environment contained live data. When the hackers contacted BT they were quickly told the problem was under control, though in fact the hackers could soon tell it was not. Eventually the hackers gave the story to the press and BT's reaction was to "get" the perpetrators. One can only speculate on what might have happened had the hackers gone to an upmarket paper instead of a popular one, the Daily Mail. Perhaps we would have seen high-level sackings in BT rather than the launching of expensive traps to catch the message-bearers. Gold and Schifreen were caught after their telephone lines had been monitored; they were charged under the Forgery and Counterfeiting Act, 1981. This was, to say the least, a prosecution experiment as this act had never previously been used in such a case. No charges were preferred under such easier headings as theft or conspiracy to defraud - many of us still don't understand why. The legal problem for the courts was that whatever they had done wasn't forgery, which in English law requires that an "instrument" be forged - typing characters into a computer which then immediately accepts them does not create an "instrument". This was the point that actually pre-occupied the House of Lords. To the lay public, however, the House of Lords seemed to be saying that anyone can "hack" and get away with it. The English Law Commission had started work before the Gold and Schifreen judgement but had delayed publication of its working (that is, initial consultative) paper until the result was known. The Confederation of British Industries and the member of parliament who was to become the strongest advocate of tough legislation, Emma Nicholson, felt deep disappointment at the double blow to their perceptions of the "computer crime problem". People began to speak of English law as providing a Hacker's Charter. Emma Nicholson introduced an Anti-Hacking Bill in 1989 under a "no hoper" procedure which meant that while it had no chance of becoming law it would get some publicity, perhaps for future legislation which would then have proper backing. The Bill contained phrases picked up from the Scottish Law (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 7 Commission's proposals but also sought to cover electronic eavesdropping of VDU radiation, a subject which had recently also captured public imagination. The Anti-Hacking Bill was deeply impractical but served its main purpose of heightening public interest, not to say hysteria, in the subject. In the meantime the English Law Commission was preparing its final report, and was subject to very heavy lobbying to change their previously agnostic position. The final report came out in record time, six months after the ending of the formal consultative process following its Working Paper. Published in September 1989 the ELC proposed three new offences, all to do with "unauthorised access to a computer". Unusually for them, and as a result of the short time available for report writing, they included no draft bill, just a set of ideas. We will examine these in detail shortly. The conservative government felt unable to make immediate room in its legislative plans for any new bill along these lines. There is a procedure by which back-bench MPs can enter a lottery for the right to introduce a bill which then has considerable chance of getting on to the statute book. One such successful MP, Michael Colvin, agreed to take the bill on. In the absence of official help, he received informal technical support from the Department of Trade and Industry (who do not normally handle criminal legislation) and also from the "tough laws needed" lobbyists. It became very difficult for those who dissented to appear as anything other than "soft" on computer crime. Start talking about the existing law in any detail and your audience thought you were using your cleverness to obscure both the truth and your "real" agenda. Begin querying the validity of the statistics and the veracity of the some of the anecdotes and you were soon told (a) the information came from sources that couldn't possibly be made public and (b) all respectable people "knew" what was happening anyway. What "computer crime" was, how it related to "hacking" and how how all of this related to what the proposed legislation purported to do became steadily less and less clear. In fact, what we had was all the classic symptoms of popular moral panic on a par with fears about rock n'roll music in the '50s, pschydelia in the '60s, trans-sexual glam-rock in the '70s, acid house parties in the late '80s and youth-rebellion clothing styles anytime in the last forty years. The new law What had happened was that the English Law Commission had forgotten the general guidelines for law reform that it had originally set itself and which in turn had been handed down from the Home Office back in 1982: that: the behaviour is so serious that it goes beyond what it is proper to deal with on the basis of compensation as (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 8 between one individual and another and concerns the public interest in general (that is, civil procedures are not enough) criminal sanctions should be reserved for dealing with undesirable behaviour for which other, less drastic means of control would be ineffective, impracticable or insufficient a new offence should be enforceable The Bill and now the Act has a superficial elegance. There are three computer misuse offences - section 1: "unauthorised access to computers and/or computer material", section 2: "unauthorised access with intent to commit or facilitate the commission of further offences" and section 3: "unauthorised modification of computer material". The last of these is intended to catch designers of logic bombs and viruses. The section 2 offence is concerned with attempts,  involving computers, to commit further serious offences, such as theft or blackmail. If you have prepared to commit such an offence but have been unable to complete the deed, you can be charged under Computer Misuse. Section 2 and 3 offences attract penalties of up to 5 years in prison. Section 1 is the one that aims at "hacking": for a prosecution to be successful, it must be shown that the person secured access to a program or data, that the access was unauthorised and that the perpetrator knew that the access was unauthorised. However, there is no need to show that the unauthorised access was directed at any particular bit of data, or program, or even any particular computer. This section attracts a maximum penalty of six months. Section 1 may also be used where there is insufficient evidence to catch an offence under sections 2 or 3. The Act also attempts to address the problem of international computer crimes - where computer connections are made across several national boundaries. In this it anticipates what needs to be done to cover the growing problem of international fraud of all kinds. Closer examination, though, removes much of the initial gloss. To take the three principle offences in reverse order: Section 3 - unauthorised alteration of programs and data - was introduced to overcome a supposed gap in the Criminal Damage Act of 1971 which was thought by some academic lawyers not to be easily applicable to "data", data not being "property". In fact there had been successful prosecutions involving altered computer data - by showing that the consequence had been damage to some physical property - Cox v Riley in 1986. (In that case it was program instructions for an electric saw which had been deliberately altered). Criminal damage was the charge in two recent logic bomb cases - R v Tallboys in May 1986 where a prank by a former computer employee of Dixons went wrong and R v McMahon, which (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 9 concluded at Isleworth Crown Court in January 1988. Moreover as the Computer Misuse Act was passing through its final stages in the House of Lords (this time acting as a Second Chamber to the legislature and not as a final Court of Appeal as in the Gold and Schifreen case) a "pure" hacking case - that of Nicholas Whiteley - was successfully concluded with a Criminal Damage conviction in the precise circumstances that the Law Commission had thought might not be possible. What we are left with now, though, is not duplicated legislation but weakened legislation. For the Computer Misuse Act now forbids the use of the Criminal Damage Act in cases involving unauthorised access to data. In future these cases must be put through the tests required of the Computer Misuse Act, that is, that there must be access to something which is not precisely defined in the legislation, namely a computer, and that such access must be unauthorised. I will return to this matter in moment. What this also does is to remove from the prosecutor the opportunity to attack reckless behaviour. The Criminal Damage Act penalises both those who act deliberately and also those who act with a reckless disregard of the consequences - "I was just typing the words DEL on the screen to see what would happen and had no idea that files would be deleted..." The end effect of section 3 is to weaken what we had before. Section 2 - unauthorised access for the purpose of committing a serious criminal offence looks stern stuff. But it always has been an offence itself to attempt to commit an offence, even if the substantive offence remains uncommitted. It is only by a miniscule sliver that section 2 alters any requirement for the standard of proof in establishing when such an attempt has taken place. Section 2 is a makeweight. With section 1, the simple "unauthorised access" offence, the ELC had problems. First, they recognised that there were serious arguments whether these actions should be criminalised at all, as opposed, say, to making them a civil wrong like trespass to land. (There is still no equivalent of trespass to a computer). In making it a criminal offence it was clear that heavy punishment was not appropriate (though in fact the Act doubles the penalties the ELC proposed). The ELC spoke of the offence setting society's mark of disapproval on such activity. The trouble is this clashed directly with the principles for the justification for the introduction of new crimes which they had set themselves. In the UK, as in most countries, police powers of enforcement tend to be directly related to the penal levels specified for an offence - the more serious the offence the greater the greater the freedom the police have to seize potential evidence and suspects without getting permission first; for most purposes this is enshrined in the 1984 Police and Criminal Evidence Act. The unauthorised access crime was not a "serious arrestable" offence so, despite lobbying by Emma Nicholson, police powers were limited, though still exceed the usual PACE criteria. British industry has no idea under what threats it would have (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 10 operated had Ms Nicholson and her colleagues had their way. For powers of seizure of evidence are not limited to those computers belonging to alleged perpetrators. In fact the domestic and small PCs owned by most "hackers" are unreliable sources of admissible evidence. Often the really useful material comes from computers owned by the alleged victims and from within any other computers used as part of the network journey from the alleged perpertrator to the alleged victim. Under Ms Nicholson's proposals, a police constable armed with a warrant from a lay magistrate (respectively the lowest rank of policeman and the lowest rank of judicial life) would have been able to march into any company and seize all data, software and hardware that was deemed necessary for the investigation in hand. The threat hasn't entirely vanished under the present legislation, but higher ranks of policemen and a High Court judge must be involved. Those who think this is a theoretical concern should examine the US Operation Sun Devil in which 44 separate raids took place at the end of which there were three limited convictions and large numbers of quite innocent computer owners carrying heavy losses because federal authorities acted foolishly, even hysterically, but within their legal powers. In any event, section 1 of the Computer Misuse Act is all but unenforceble, a matter to which I will come back a little later on. Let me now return to two matters common to all three clauses - that access must be shown to be "unauthorised" and that there must be a "computer" involved. Does this include the secretary who uses her word-processor in the lunch-hour (she's altering data so this is a section 3 - five years maximum penalty - offence)? What about the neighbour to whom you loan your house- keys and who, because her washing machine has broken down, borrows yours? The washing machine has a chip and ROM inside it. Another possible section 3 offence. Or the auto mechanic who offers you a new performance-boosting chip to add to your vehicle's engine management system? Section 3 again. Even private use of a company's PABX may be drawn into the Computer Misuse Act. Of course that was not the intention, but I can see no reason why the words shouldn't be made to apply. So what we have is an act weaker in one important effect than the legislation it was supposed to correct, new police powers of seizure which potentially can have many innocent victims and which introduces at least as many uncertainties in interpretation as it claims to have solved. Matters do not end here, though.  What the Act left out In its 1988 Working Paper the English Law Commission had highlighted a number of defects in the existing law and others had been noted during the public debates. I can't deal with all of them here, but there are some matters which should be (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 11 identified. Deception The first of these is deception which is covered in sections 15, 16 and 20(2) of the Theft Act 1968 - obtaining goods or services by deception. The general view among lawyers is that it is only humans that can be deceived - not machines. The Law Commission identified the problem in its Working Paper 110 but in their Final report said that they would have to look at the matter again sometime in the future. Interestingly enough, a extension of the law of deception would "solve" many of the simple unauthorised access cases (including the situation in R v Gold & Schifreen) in that the usual consequence of unauthorised access is that computer and database services are thereby obtained. Admissibility of Evidence The second important defect in the existing law relates to the rules of admissibility of evidence of computer-based materials. It is no good having substantive laws if it is difficult to produce evidence in a form which is acceptable to the courts. A number of lawyers believe that the current rules, which are set out in section 69 of the Police and Criminal Evidence Act, 1984, can in some circumstances become unworkable. The problem is this: before evidence can be introduced the court requires a certificate to say that the computer has at all times been behaving normally. If the modus operandi of a crime has involved making a computer behave abnormally (for example by writing to files directly outside their usual application of by violating the operating system or access control package) then it looks as though no evidence from that computer can be admitted. Information Theft At the heart of the concern many people have about computers is the amount of information they hold and process - and the consequent risks if such information is stolen. Indeed this was one of the most frequently cited arguments for unauthorised access legislation. In English law information as such cannot be stolen, though the medium upon which it is held - a piece of paper or a floppy disk - can. Although there have been a number of attempts to make information "a thing capable of being stolen" so far none of them succeeded. The difficulties should not be under-estimated - which categories of information should be protected; how would you test for each category (is it enough for an originator to label a document "secret" or should there be some objective measure?); should there be a "public interest" defence? The problems with using an offence of unauthorised access to a computer as a substitute are: you confuse the means with the substance, you run the risk of drawing people into the ambit of the crime who are not actually stealing information and who are not causing any readily identifiable social harm, you are omitting instances of information theft which do not involve computers such as stealing print-based documents. (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 12 A more direct approach to information theft would also provide a route to tackling another of Emma Nicholson's concerns - the use of equipment to eavesdrop on radiation from VDUs. Law Enforcement There is little point in placing new crimes on the statue book if the means to enforce them does not exist. "Law enforcement" is much more than looking at the quantity and quality of police officers available in any one specialisation. In the UK, the decision to prosecute is usually made by the Crown Prosecution Service. (Different procedures apply for serious frauds which are then handled by the Serious Fraud Office). The whole process is as follows: * a victim decides to report a crime * reasonable levels of evidence are believed to exist * the police make enquiries * the police make a report to the Crown Prosecution Service * the Crown Prosecution Service decide that there is a case which they have a reasonable chance of winning (that is, better than 50/50) * the case is presented in court, the skill involved depending on the lawyers employed * depending on the seriousness of the offence either a judge alone or a lay jury advised by a judge have to understand enough to be able to convict In most other countries there are a similar set of hurdles. The present position in the UK is that there is only one Computer Crime Unit, which is attached to the Fraud Squad run jointly by the Metropolitan and City Police forces. Its size varies from four to five officers. Since these are always drawn from the Met side of the partnership they are on three-year tours of duty, though one officer has managed to hold on longer. The Met has a philosophy of the "all-round policeman" and eschews the setting up of permanent ‚lite squads. The highest ranking officer is a detective inspector, the third lowest rank in the force. There is a twenty-day course in computer crime methods run at the Bramshill training college. Fewer than 100 officers out of the total 145,000 policemen and women in England and Wales have ever been through it. (When I became a MBCS (Member of the British Computer Society) I did so via a route which recognised that I had neither passed any of their examinations nor had a university (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 13 degree in a relevant subject - mine was in law. The BCS expects people like me to be able to show 10 years of industry experience instead - and this is simply to call yourself a computer professional.) The Computer Crime Unit has scant funds to employ external expertise. In some "hacking" cases it has been able to rely on the goodwill of British Telecom, but BT will only act where it thinks that its own networks or resources have been violated or threatened and the relationship deteriorated during the 1990 Nicholas Whiteley (Mad Hacker) case. Since October 1986 the police have ceased to be the prosecutors of crime as well as the investigators. That reform was introduced to prevent too many fitted up or forced confession cases getting to court. Prosecution is now handled by the Crown Prosecution Service. But for the computer crime coppers, whose training has not equipped them to understand the full range of criminal sanctions that might be available (and why should it?) they have lost easy access to friendly lawyers who might help them frame charges sensibly. The CPS is currently, on its own figures, 23 per cent understaffed, with a greater problem in London. They are under great pressure, morale is low. What about the Serious Fraud Office which handles frauds above œ1 million in value? It has 20 lawyers, 17 accountants, a support staff of 25 and 20 City of London police officers on secondment - and who are therefore not immediately available for other City of London policing work. The current work load is around 70 huge frauds, many of which will take years to work their way through the courts. By chance, rather than design, it had one senior officer who was extremely interested in computer crime. But he had other work also, not the least of which is the use of graphics computers to clarify complex frauds to lay juries. He is now in the private sector. Here is another aside: the SFO came into being in the wake of the Roskill Report on trials for complex fraud. Roskill recommended the use of specialist juries; this was rejected, for reasons which I accept, but no additional resource has ever been provided to help the SFO with the additional problems of describing the arcana of, say the insurance world, to men and women democratically plucked from the voting lists. These are simply the first hurdles; we are only just beginning to see a sufficient body of barristers literate in computers. Police role in white collar crime Yet it is too easy to blame "the police" for what appears to be a poor response. The policing of computer crime is simply one item in a very long agenda of what the public expects of the police. What is interesting about computer crime is that it highlights many of the inconsistencies in public attitudes towards the (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 14 police. We are only willing to spend a limited amount on them; we are only willing to accept a certain density of police officers per hundred thousand of the population. Here in the UK the police originated under Sir Robert Peel in a desire for safer streets and public order. It is clearly important to the public at large that the police are seen "walking the beat". We apparently suspect the idea of ‚lite squads and we resist the idea of a national force. Yet this same group of people are expected to cope with the social and technical complexities of white collar crime. We wouldn't tolerate any "walking the beat" looking for possible infractions of the law in our offices and board rooms, yet in terms of street crime it is this "walking the beat" which is understood to have a powerful preventative effect. None of us have really thought through our expectations of the role of the police in a world where, for each of the last 15 years or so there has been a 1 per cent transfer from blue collar to white collar activities and presumably some considerable associated increase in the opportunities to commit white collar type crimes. One cannot look at "computer crime", on any definition thereof, in isolation from these factors. Making the Case We must now examine in more detail how well the new Computer Misuse Act offences will stand up to the rigours of having to make a case in court. Leaving on one side the particular hazards of the PACE s69 rules of admissibility in evidence and on another side the question marks of the extent of actual police resources, we have to ask ourselves what typical cases will look like in court. I want to concentrate on the two situations which most excited people during the run up to the passing of the CMA - hacking (in the sense of unauthorised access unaccompanied by any further activity) and viruses. The chief practical problem in any investigation of "hacking" is that perpetrators don't use their own names; further, a mere "confession" unaccompanied by any other evidence is unlikely to be sufficient. The investigator first has to show that "access" has taken place. It may not be enough to show that a given suspect has material in his possession that has come from someone else's computer - the files may have been collected by some third party and a copy of them given to the suspect on diskette; the prosecutor has to prove all the network connections; in many cases it will be necessary to catch the perpetrator in flagrante delicto. Now we know this can be done - here in the UK it was done in the case of Gold and Schifreen and again in that of Edward Austin Singh. Cliff Stoll wrote in The Cuckoo's Egg how he did it to members of the Chaos Computer Club. There are plenty of other examples. They all have a common feature - it is very time consuming and expensive. You require lots of (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 15 monitoring equipment, a number of skilled technicians (individuals like Stoll who did what he did out of intellectual interest and not for a consultancy fee are rare), extensive co- operation between police, companies, institutions, and telecommunications suppliers. That co-operation must often extend across national borders. In addition you have to have teams of police standing by to pounce when told by the technicians that the time is right. Investigation costs can reach œ500,000 ($1 million) quite effortlessly. No sensible police force in the world can justify that amount of cost and effort for a crime the normal punishment for which is a fine and for which the maximum penalty is six months. Let's now look at viruses. No one knows where most viruses come from. There is no knowledge of the originator even at an anecdotal level. Very occasionally if the virus is unique and distributed on a disc there is the possibility of physical forensics, that is, locating the supplier and hence the purchaser of a particular batch of diskettes. I have no specific knowledge of that case, but one possible example is the Panama "Aids" virus which was allegedly partially distributed on diskette via a mailing list supplied unwittingly by a magazine. But this very much the exception. There is another route back to a perpetrator - if the virus is accompanied by some blackmail or extortion threat. Here the criminal can be tracked down by the money collection method - which is the weak point of most attempts at demanding money with menaces. Again, some reports about the Panama "Aids" virus allege that this is what happened there. But for the overwhelming majority of PC and Mac-based viruses these routes do not exist - and there is no law one can envisage that will overcome the fundamental problem of anonymity. Perhaps I should raise one further situation - where the designer of rogue code decides things have gone more wrong than was intended and decides to alert potential victims. This is what happened with Robert Morris and the Internet worm. Now - where does the public interest lie? Do we believe that the existence of an "anti-virus" law deters potential offenders in a useful way, or are we worried that a successor to Morris might say: "I didn't want things to go this far. However no one yet knows about me; anything I do to minimise the effects of my rogue code are likely to lead to my identification and I may then be punished." I have no easy answer to this conundrum but ask you to identify it as yet another limitation of the powers of the legal system to solve problems of computer security. The role of law as a deterrent At this point some people will say that I am mistaken, that the very existence of a law on the statute book, even it cannot be (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 16 readily enforced, does act as a deterrent to the majority of people. In fact this was the justification the Law Commission produced for section 1 of the CMA. At the press conference on the day their final report was published they spoke of setting the mark of society's disapproval on such activity. I am not sure that the position is anywhere nearly as clear as that. People break laws all the time, particularly if they can convince themselves that they are not "really" doing any harm. This is certainly true of many road traffic offences such as parking on yellow lines and exceeding speed limits. On the other side, there are a number of instances where people feel constrained from an activity which is not illegal but is considered unethical - eavesdropping on a conversation which the participants regard as private is one example. In other words there is no absolute correlation between the fact of illegality and a sense that certain activities should be restrained. It might be helpful to recall what happened here in the UK 14 years ago over Citizens Band Radio, another technological hobby with outlaw connotations. Brits holidaying in the USA discovered the possibilities of a low-cost general purpose mobile radio service, imported the equipment and started to use it. In the UK this was on offence under the 1949 Wireless Telegraphy Act. The craze grew and grew and officials tried, with scant success, to make arrests. A campaign for a legal UK CB started; eventually there were almost 500,000 illegal sets in use. After a while, a UK CB license became available - and within six months the craze was effectively dead. Is it possible that it was, among other things, the illegality of the activity (coupled with the lack of any real danger of getting caught) that was the substantive attraction? Again, I make no final judgement, other than to say that the existence of a crime on the statute book may not have the intended effect. Conclusions Some of what I have said may suggest that, as a result of particular incompetence by the English Law Commission, parliamentarians and police we have a poor computer crime law. If that is the impression which you take away then I have not made myself clear. I think I have shown that for some of the highest profile computer crime activities, no law is going to provide any sort of substantive solution because, at a practical level, investigation (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 17 and evidence-gathering is either too expensive and difficult in relation to the wrongs victims might suffer or is completely impossible. For such activities as classic hacking and virus- writing we should forget about the law and concentrate on preventative measures. For the rest of the activities that help to make up the statistics of computer crime, I wonder how far it is useful to talk about computer crime at all. As I also hope I have shown, most such activity is conventional crime - chiefly fraud, extortion and criminal damage - which happens to involve computers. Talking about "computer crime" lumps them all together - and with hacking and virus-writing. But each one of these activities has different risk factors, different modus operandi and different preventative methods associated with them. By the same token, I am not sure that is useful to talk about "computer criminals" as though they all showed the same features. A computer fraudster is surely best understood within the context of other types of fraud; the extortionist who locks legitimate users out of of a computer and demands a fee to rectify the situation is best comprehended along with other blackmailers. Network adventurers may be technological pranksters and cause harm along the way, but they have little in common with any other sort of criminal. This misunderstanding leads many computer-owning companies who have a wholly distorted view of the risks they face. If you don't analyse the problem properly you'll never get any sort of viable preventative program. But this confusion has now resulted in legislation for which I fear there are doomed expectations. Just as computers have now infiltrated every facet of commercial life, I would have preferred an approach to law reform which assumed that most computer-related crime would continue to be handled under the framework of existing statute and common law. I would have liked the Law Commission to have concentrated on strengthening those areas where conventional law looks weak. As I have tried to show, a reform of the Criminal Damage Act, 1971 would have been more effective than what was actually produced in section 3 of the Computer Misuse Act. A reform of the law of deception within the Theft Act would have produced some of the results hoped for in section 1 of the Computer Misuse Act without involving many of the uncertainties of coverage and interpretation that the new Act has provided. Although I don't have time to go into it today, it seems to me that many people have ignored the many remedies that the civil law has. For those many crimes involving employees and sub- contractors, including unauthorised access and information theft, the law of contract provides many potent remedies, including dismissal. Student hackers may be more effectively dealt with under Disciplinary Codes - where the offence may be set in such vague terms as "conduct likely to bring the university into disrepute", where the standards of proof are lower and (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 18 where the sanction may be loss of the opportunity to take a degree. In other situations the civil wrong of breach of confidentiality, though flawed, can be effective in instances of information theft. What a pity there has been no follow-up to the Law Commission's work in this area, which has lain largely ignored since 1981. The Computer Misuse Act delivered only one thing - and I return here to something I hinted at at the beginning - it gave the illusion that something was being done about a problem which seemed to exist. Compared with almost anything else that a country might do - rethinking the role of the police in white collar crime, providing different career patterns and training for policemen, keeping your Crown Prosecution Service up to strength - passing legislation is unbelievably cheap. All it takes is the time of a few civil servants and Members of Parliament and a few printing bills. Politicians and pressure groups love new legislation because that it how they can be most visibly be seen to getting results. It is also attractive to the media, where technical legal reform is not. Finally, the Computer Misuse Act distracts management from examining in rigorous detail what they can be doing to stay in control of their computer resources. It develops in their mind the notion of unpredictable "compurer criminals" whose activities cannot otherwise be restrained. The theme of this conference is the Challenge of the Nineties. Let me tell you what I think it is. We need to make the discussion of computer security much more sober than it is at the moment. Legislation born out of panic sets up false expectations and doesn't get the desired results. Too many in the computer security business have sought to sell their products and services on a simple unsophisticated scare story. Effective computer security means a multi-disciplinary approach, where computer security is seen as just one aspect of securing the assets - physical, cash and intellectual - of the business environment that the computer serves. And where "solutions" come from a balance of computer-based and administrative controls and where the law provides remedies only for the most outrageous of activities. As for the investigation of crime, it is surely better to talk of experts in computer forensics, who can aid and support with the "ordinary" investigators when a crime goes inside a computer and evidence must be extracted in a form in which it will be useful in legal proceedings.  A fully foot-noted version of this paper is available on request to the author. (c) Peter Sommer, 1991 Compacs '91/Sommer/Limits of the Law/ 19 Peter Sommer MA(Oxon), MBCS  Peter Sommer runs Virtual City Associates which specialises in computer forensics, expert witness activities and insurance policy development, risk assessment and loss adjustment. It also provides more broad-based computer security consultancy. Virtual City Associates often works in association with other professional firms. Peter Sommer read law at Oxford and has been both a publisher of books and of electronic databases. He is better known by his pseudonym, Hugo Cornwall, under which he wrote the first three editions of the best-selling Hacker's Handbook as well as DataTheft (Mandarin) and large quantities of journalism. A new book, on modern industrial espionage, is due out in 1991. Mr Sommer is frequently asked to appear on tv and radio.  Virtual City Associates 67 Mount View Road London N4 4SR U K tel: 44 (0)81-340 4139 fax: 44 (0)81-341 3472 CompuServe 100012,2610 (c) Peter Sommer, 1991