Government Police and Justice Act 2006 - Assignment Example

233439 Question One Michael, a former employee of Amazing books, an on line retailer, was cross at being dismissed for misconduct and decided to takerevenge. He hacked in to the company site http://www.amazingbooksuk.co.uk and defaced the site. He then sent spoof e-mails to clients telling them they owed hundreds of pounds in unpaid debts. Finally, he set up a mail bombing program which overwhelmed the server of Amazing books causing it to crash for two days. In total it cost Amazing books £19,000 to put right the damage Michael caused. Task one Outline the offences which it could be argued have been committed under the Computer Misuse Act 1990 and the Police Justice Act 2006. (30 marks) You must use case law and statutes from England and Wales although comparisons with other jurisdictions is permissible. Academic articles may also be useful as additional authority. Task two Apply the law relating to the offences you have already outlined to the incidents involving Michael. What punishments could Michael face if he were found to be guilty by a criminal court? (Ignore any elements of compensation he might have to pay). (20 marks) Task three Evaluate the offences created by Sections 1, 2 and 3 of the Computer Misuse Act. Are they ‘fit for purpose’ in terms of supporting computer security? How could they be improved? (Include analysis of the recent Government Police and Justice Act 2006 (50 marks) In order to determine the offences that have been committed in the above scenario it is necessary to examine the Computer Misuse Act 1990 and the Police and Justice Act 2006. From an analysis of these two Acts it will be possible to discuss possible charges that could be brought against Michael as well as determine the relevant punishment that might be imposed by the courts for the offences committed. In the final section of this study consideration will be given with regard to improvements that could be made to both of these Acts to provide greater security for computer related crimes. Within this there will be an analysis of the impending changes within the Police and Justice Act 2006 and the impact these changes will have on the Computer Misuse Act 1990 once they have been implemented. To be able to fully decide whether there are any possible criminal charges that can be brought in these circumstances it is also necessary to analyse s17 of the 1990 Act as this section gives guidelines on how the wording of the Act should be interpreted. The starting point in this situation is to consider s1 of the Computer Misuse Act 1990 which makes it an offence for a person to perform any function with intent to secure access to any program or data held in any computer if the access he intends to secure is unauthorised and he know at the time when he causes the computer to perform the function that that is the case. It has been stated above that Michael hacked into the company website. It is obvious from the facts above that such access was not authorised and therefore the act of hacking the site would constitute an offence under the 1990 Act. This was found to be the case in Ellis v DPP [2001]1. In this case the defendant had been specifically told that he was not entitled to use the non open access computers at the University. Despite having been given specific notice of this the defendant used the non-open access computers on at least 3 occasions. The court held in this case that the usage in this manner constituted a breach of s1 of the CMA 1990 and found the defendant guilty of unauthorised access. In this situation it could also be argued that Michael has committed offences under s2 and s3 of the CMA 1990. Having shown from the above that Michael is likely to be charged with unauthorised access to the company website if the courts can prove that he accessed the site with the intent of committing or facilitating the commission of further offences then Michael could face further charges under s2 of the 1990 Act. It could be argued that the sending out of the spoof emails and the subsequent defecation of the website is sufficient proof that Michael had the intention of committing further offences once he had hacked the website. The use of the ‘mail bombing’ program is likely to attract charges against Michael under s3 of the 1990 Act. In the case of DPP v Lennon [2006]2 the defendant used a ‘mail bombing’ program to attack the computers of the company that he had been dismissed from. The defendant attempted to challenge the conviction on the basis that the company had consented to the ‘email bomb’ as the purpose of the company’s server was to receive emails and that they had therefore consented to the receipt of such emails. The court disagreed with this contention stating that the ‘mail bomb’ had the effect of modifying the computers belonging to the company and that the company had not consented to such a modification. The conviction was upheld relying on s17(7) of the 1990 Act on the grounds that the modifications caused by the mail bomb were unauthorised. Applying the above to the present situation it is likely that Michael could face charges for unauthorised access to the computer system as well as charges for unauthorised modification of the system. The defacing of the site as well as the emails sent by Michael would amount to a modification as defined by s17 of the Act. Under this section a person is likely to face charges of modification if by causing a computer to perform any function he (a) alters or erases the program or data. It has been stated above that Michael defaces the site as well as sends out spoof emails about unpaid debts. The defacing of the site is likely to amount to a modification and the courts would therefore be likely to charge Michael accordingly. If Michael is found guilty of unauthorised access as defined under s1 of the CMA 1990 he would be dealt with by the Magistrates court but could still face a prison sentence of up to 6 months as well as a fine. In this case it is likely that Michael could be charged under s2 of the CMA 1990 as the courts should be able to prove that he intended to commit further offences once he had accessed the site. this could be evidenced by the defacing of the site as well as the emails that were sent out to customers. Under this section the courts might decide that the Magistrates lack sufficient power to deal with Michael in respect of an appropriate sentence and commit the case to the Crown Court. Given the large amount that it has cost the company to rectify the modifications there is a bigger probability that the case will be sent to the Crown Court. Under the Magistrates Court Act 1980 s33 Michael could be sentenced for up to 5 years imprisonment if he is found guilty of an offence in breach of s2 of the Act. With an offence charged under s3 of the Act Michael could also face charges under the Criminal Damage Act 1971. A finding of guilty under a charge brought under s3 of the CMA 1990 could result in a sentence of up to 10 years. In a report in The Register 8th November 20063 a man who hacked a dating site and defaced the site as well as sending out mass emailing worms was fortunate enough to be able to avoid a custodial sentence. The hacker was found guilty under s3 of the CMA 1990 and was awarded 8 months imprisonment that was suspended for 2 years. This was in part due to the fact that this was the first criminal charge to be brought against the defendant. The Police and Justice Act 2006 has amended some of the sections of the CMA 1990 although some of the provisions contained within the 2006 Act have yet to take effect. When these are fully implemented an amendment will be inserted into the 1990 Act labelled as s3A. Under this section there will be extra occasions in which charges can be brought against offenders. These will include the making, supplying or obtaining of articles for use in any offence contrary to section 1 or section 3 of the Act. Section 3A will also increase the penalty that can be applied for any offence committed under s1 of the CMA. From the above it can be suggested that Michael is likely to be given a custodial sentence, however, if this is the first time that he has ever been involved in a crime the courts are more likely to be lenient and he may be able to avoid being sent to prison. Although the Computer Misuse Act 1990 and the Police and Justice Act 2006 offer a degree of protection from computer related crime there are very few cases which have actually resulted in the imprisonment of the offender. Prior to the 2006 Act coming into force some hackers avoided any sanctions whatsoever. Such a case was reported in PC Pro in November 20054 where a teenager hacker who sent 5,000,000 emails with the aim of taking down the server avoided prosecution when the District Judge Kenneth Grant ruled that the emails did not constitute unauthorised access or modification of the computer system. As mentioned above, a subsequent case in 2006 reached the opposite conclusion when they judge held that the ‘mail bomb’ did constitute a modification of the computer system. The 2006 Act had the effect of allowing charges to be brought by allowing the prosecution to show that such attacks amounted to a denial of service as they resulted in the collapse of the server and the computer system. Since the changes brought in through the 2006 Act, the prosecution have used the denial of service element to establish that unauthorised access can lead to denial of service. In a paper published by the Government in October 2007 entitled Personal Internet Security5 the Government made recommendations for amendments to be added to the Computer Misuse Act 1990. These amendments include the explicit criminalisation of the sale or purchases of a botnet. A botnet is a collection of software robots that run automatically and autonomously. The vast majority of computers that are infected with a botnet are home based computers and the owners of these computers are often unlikely to know that their computer is being controlled using a botnet. Hackers use worms or Trojans to access these ‘zombie’ computers, many of which are inadequately protected by firewalls or have disabled the firewalls. Once the computer has been accessed the botnet controller can distribute spam emails and other malware to other users. The amendments to be added to s3 have to date not been implemented but it is anticipated that the implementation could lead to an increase in the number of convictions for computer hacking and improve security on the internet due to a heightened awareness of the problem. Successful prosecutions of hackers is anticipated to impact on the level of ecrime as the amendments recommend tougher sentences powers which they hope will act as a deterrent to others. The paper highlights the fact that not all remotely controlled software should be regarded as botnet applications as it recognises that some of these systems are necessary for academic research and security testing purposes. This is likely to cause difficulty for prosecutors as they will have to determine the types of software that belong in the exceptions and should not be criminalised. The European Union has also attempted to tackle the issue of internet security following the Convention on Cybercrime held in Budapest in 2001. As a result of this convention the European Union Framework Decision on Attacks Against Information Systems6 was implemented in February 2005. This Framework requires Member States to take action against illegal access of computer systems and illegal interception of computer transmissions. The aim was to increase criminal sanctions against such offences in the hope of deterring others from becoming involved in cybercrime. Under the framework Member States are given the power to prosecute any person who illegally accesses any computer system, illegally interferes with these systems in any manner including defacing the sites and sending out mass emails and any illegal interference with data. In order to bring charges the prosecution must prove that the illegal access etc was intentional. The Framework also empowers member states to prosecute any person that aids or abets another to commit these offences. Although the government felt that the introduction of the Computer Misuse Act 1990 would help in the fight against computer crime Stanley (1986)7 demonstrated the difficulties involved in the investigation of computer crime. In his research he highlighted the evidential problems involved in proving computer crimes as well as deficiencies in the law terminology problems and the competence of those investigate such crimes. Stanley felt that legislation is unable to deal adequately with such crimes and spoke of the difficulties in tracing the perpetrators as there is no requirement for the hacker to be in the same country or jurisdiction as the victim in order to access their equipment. This difficulty can be evidenced by the relatively low number of convictions that are brought for computer crimes8. Cornwall (1988)9 criticised the training of the police in computer crime investigation techniques as well as the lack of barristers specialised in the prosecution of computer crime. Cornwall believes that it is essential to have such specialists in order for less of these crimes to avoid prosecution. In a follow up to the House of Lords paper on Personal Internet Security10 it was noted that many of the recommendations of the 2007 paper had not been implemented. Following recent incidents were disks containing personal data have been lost in transit the Government has promised a review with regard to increased protection of computer systems11. There are also proposals for changes to protect consumers in line with the rising number of online banking frauds and the cloning of bank cards through equipment used on ATM machines. The Association for Payment Clearing Services were asked to comment on the recommendations that had been made in the initial report in 2007. In response to the recommendation “that the Government establish a cross-departmental group, bringing in experts from industry and academia, to develop a more co-ordinated approach to data collection in future. This should include a classification scheme for the recording of all forms of e-crime12”. ACPAS agreed with the Government that computer crimes were ‘standard offences facilitated by new technology’. As a result of the increase in such crimes the follow up report suggests that this area needs revisiting and the Government need to give serious consideration to the introduction of specialist agencies to deal with these crimes. To an extent this recommendation has been taken on board with the establishment of the Police Central e-Crime Unit although their work has been hampered by lack of funding13 It can be concluded from the above that although the two Acts mentioned do offer a degree of protection against computer crime there needs to be a greater awareness of the issues surrounding computer crime. The Government needs to take further action to ensure that computer crime is dealt with effectively and that specialist teams are established both within the investigative side and the prosecution side in order to be able to fully address the problem. References Computer Misuse Act 1990 Cornwall, H. (1988) Hacking away at computer law reform, New Law Journal 30 (September). Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems Criminal Damage Act 1971 DPP v Lennon [2006] EWHC 1201 (Admin); (2006) 170 J.P. 532; [2006] Info. T.L.R. 311; (2006) 170 J.P.N. 934; (2006) 150 S.J.L.B. 667 House of Lords Science and Technology Committee, 4th Report of Session 2007–08, Personal Internet Security: follow up, London : The Stationery Office Limited, London : The Stationery Office Limited HL Paper 131 House of Lords Science and Technology Committee, 5th Report of Session 2006–07, Personal Internet Security Volume I: Report, London : The Stationery Office Limited, London : The Stationery Office Limited HL Paper John Martin Ellis v Director of Public Prosecutions [2001] EWHC Admin 362 Joint Committee on Human Rights, 14th Report, Session 2007–08, Data Protection and Human Rights (HL Paper 72) (HC 132), p 5; Data Handling Procedures in Government: Final Report, Sir Gus O’Donnell (published 25 June 2008). See http://www.cabinetoffice.gov.uk/ Magistrates Court Act 1980 PC Business World 13 February 1990 Police and Justice Act 2006. Stanley, P. M. (1986) Computer crime investigation and investigators, Computers and Security 5, 309--313. http://www.pcpro.co.uk/news/79505/computer-misuse-act-crumbles-as-dos-attacker-walks-free.html?searchString=kenneth+grant http://www.theregister.co.uk/ Read More