Skip Links

Analysts eye revamp of U.K. cybercrime law

By Jeremy Kirk, IDG News Service
June 07, 2006 09:37 AM ET

IDG News Service - The U.K. government is proposing changes to an existing law that it says will bolster the ability to prosecute hackers and put them in prison longer -- but analysts question whether the moves will constrict an explosive growth in costly cybercrime.

The U.K. has sought to tighten the Computer Misuse Act of 1990 to more precisely target denial-of-service attacks, which have been used to extort operators of online gambling sites.

Other legal cases in recent years have also brought into question whether the law, composed of three sections, was keeping up with rapid changes in technology.

In November, a judge threw out a case against David Lennon, who allegedly crashed his former employer's e-mail server in a DOS attack in early 2004 using an automated program to send 5 million messages.

Lennon, who was 16 years old at the time of the attack, told authorities after his arrest he wanted to cause "a bit of a mess up" in the company, court documents said.

The judge said the company's Web site invited users to send e-mail. He ruled the section of the CMA under which Lennon was charged was intended to deal with Trojan horses, worms and viruses that corrupt or change data, not e-mail.

Last month an appeals court judge sent Lennon's case back to trial, ruling the volume of e-mail was unwarranted, even if the Web site solicited e-mail. Lennon's case is pending in Wimbledon Magistrates Court.

The amendments to the CMA are currently being considered in the House of Lords as part of the Police and Justice Bill, a comprehensive law enforcement package.

The changes would increase the maximum penalty for unauthorized modification of a computer, under which DOS attacks could be included, from five to 10 years. The maximum penalty for unauthorized access would be raised to two years, up from six months.

An expanded third section is intended to more thoroughly cover denial-of-service attacks, including new language making it an offense to supply hacking tools knowing the programs might be used to break the law.

But observers view the changes to the CMA as unnecessary. Graham Smith, a partner at law firm Bird and Bird in London and author of "Internet Law and Regulation," said the act is broad enough to cover most breaches. Further, Lennon's case has added clarity to prosecution of denial-of-service attacks, Smith said.

"We already have what is probably the most broadly drafted and all-encompassing antihacking legislation in the entire world," Smith said. "I've always been of the view that what is required is a willingness on the part of the prosecution to bring cases."

The Crown Prosecution Service (CPS) can't comment on pending legislation, a spokesman said. But on Tuesday, the CPS issued a statement saying its lawyers are undergoing special cybercrime training in areas such as Trojan horse programs, viruses and Internet Relay Chat (IRC).

CPS also addressed its ability to bring cases, saying it would use legislation "creatively" to disrupt organized crime. The CPS, which has upward of 150 prosecutors trained in dealing with high-tech crime, does not keep specific statistics on how many people have been prosecuted under the CMA.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News