Computer Misuse Act - Coursework Example

Computer Misuse Act 1990 Un ised Access UK Legislation on ified Data [Pick the The foregoing essay examines a decade of legislative policy dedicated to statutory protections under the Computer Misuse Act of 1990 and Police and Justice Act of 2006 in the UK. In the past decade, much attention within policy debates has been dedicated to legislative intervention of technological advancements; especially toward regulatory mitigation of criminal conduct of internet crimes. Amidst widespread public interest directed at the appropriateness and viability of state monitored regulation of computer and telecommunications activities in the Computer Misuse Act (CMA) of 1990 in the past year, were the amendments to the Act came into force last summer that made a crime of ‘making, supplying or obtaining articles likely to be used to commit computer crimes’, as well as the parameters pertaining to denial of service attacks (Computing 2009). Significant to the argument, is the relatively low number of offenders charged and convicted under the existing rules. Part of the challenge seems to lie in what critics argue is the vagueness of the law that is rendered even less clear in court, as it is impossible for a supplier to assess the ‘likelihood’ that an internet or software tool may be used in the commission of a crime. Opponents cite that the CMA does not allow for application of the rules to the cases which are often highly technical, and not readily translatable for jury consideration. The results are near null from a national perspective, which led to prosecution of a mere nineteen cases in 2007, with only ten defendants charged and convicted according to the Ministry of Justice. The most recent conviction numbers contribute to the overall picture of computer misuse enforcement and indicate a reduction in violations since ratification of the Act and instatement as code. Predictability may not be found, then, in the capacity of the number of users that might be knowledgeable enough to intentionally commit violations and only reliant upon enforceability; yet that is to be determined by due process of complaint. Charges rarely occur in a vacuum of random and unintentional incidence in correspondence to the strict liability of the Act, as it pertains to institutional transactions, can only, then, be founded on investigated wrongdoing correspondent to acts and attendant outcomes (i.e. victims). In the UK, the number of computer misuse violations is miniscule, and in fact receding. Prior to 2007, charges under the CMA saw a consecutive decrease over the past three years. Comparatively speaking, the numbers from 2007 are fewer than the past three years, with 18 successful prosecutions from 25 cases in 2006, 16 from 24 in 2005, 12 from 21 in 2004 and only higher in conviction with the same number of cases in 2003 at 5 parties from 19 cases. Although this may be in part due to user awareness of computer misuse and internet communications laws, there may also be substantial avoidance of those activities in response to advancements in technological security, and in part due to subsequent technological surveillance capacity by law enforcement agencies. The foregoing essay looks at the CMA 1990 and examines public dialogue about the importance of furthering the enforceability of current legislation as it pertains to the facts in precedent prosecutions for computer related offences. The Crown Prosecution Service has been instrumental to revision of the original legislation with amendment to the 1990 Act by way of the Police and Justice Act 2006 (PJA). The amendment is directed at clarification of the Act towards enforceability in the UK, and contains five (5) articles of revision which include: Section 1 CMA - Unauthorised Access; Section 35 of the Police and Justice Act 2006; Section 2 CMA - Unauthorised Access with Intent; Section 3 CMA - Unauthorised Acts with Intent to Impair; and Section 3A CMA - Making, supplying or obtaining articles. The amendment changes are contained within Part 5 of the prior Computer Misuse Act 1990. Received by Royal Assent on 8 November 2006, the rules are intended to provide ‘guidance to assist Crown Prosecutors and Designated Caseworkers in the use of their discretion in making decisions in computer misuse cases.’ The main changes incorporate: ‘Section 3A CMA an offence which penalises the making; supplying or obtaining of articles for use in offences contrary to sections 1 or 3 CMA. (Section 37 of the Police and Justice Act 2006); and Increased the penalty for section 1 CMA (Section 35 of the Police and Justice Act 2006)’ (OPSI 2006). Parameters to the amendment include discussion on the definition of the CMA, with no clear provision for statutory definition of ‘a computer’ as it was feared that any definition may soon become obsolete due to the rapid technological developments. Notwithstanding precedent decisions on similar cases, the definition is left to the Courts with expectation that adoption of the meaning of the term is reliant upon customary protocol with expert revision of those elements. Past decision can be reviewed in DPP v McKeown, DPP v Jones ([1997] 2Cr App R, 155, HL at page 163) where Lord Hoffman defines a computer as ‘a device for storing, processing and retrieving information’. Jurisdictional considerations are of the nature of on-site use, and UK investigations and resultant charges are to correspond to prosecution of all CMA offenses according to the rule that if there is ‘at least one significant link with the domestic jurisdiction’ (England and Wales) (see section 4 CMA) in the circumstances of the case. Section 2(5) defines significant link or internet generated relationship to commission of misuse, and to the actual location where the misconduct is found (Archbold 23-88) In the case of R v Waddon, 6 April 2000 the Court of Appeal held that the act persisted in accessing the content, even prior to attendant acts that might charged in relation to the commission of misconduct, preceded by prior review of such a case where the content of American websites could come under British jurisdiction upon download in the United Kingdom. See also R v Perrin [2002] 4 Archbold News 2, CA. Cases reviewed by Parliament toward furtherance of the CMA and the subsequent PJA 2006 are most typically the result of employer-employee contractual relations, and access to secure information. In the case of R v Bow Street Magistrates Court and Allison (AP) Ex parte Government of the United States of America (Allison) [2002]2 AC 216, the House of Lords considered a situation of ‘unauthorised access’ and whether an employee could commit an offence by securing access to a computer contrary to section 1 CMA. Intentional wrongdoing substantiated conviction of the defendant. It was held that the employee’s misconduct had clearly come under provisions of section 1 CMA for determination of intent, and cause in fact related to data retrieval through unauthorised access. Their Lordships found that employee misconduct in regard to CMA rules could only be sustained if the said employer provided evidence of precedent clarification of ‘authorized’ access to a computer related program or data system. In a precedent case, DPP v Bignell [1998] 1 Cr App R8, pertains to involvement of law enforcement employees in authorised request of information from the police national computer (PNC) for policing purposes. The case involved a request to a police computer operator to obtain information from the PNC that was to be covertly used to personal effect. The Divisional Court held that the two officers did not commit the stated Section 1 unauthorised access offence. The House of Lords in Allison cited the case in support of the Divisional Court. Review of by the House of Lords indicated that ‘it was a possible view of the facts that the role of the officers in Bignell had merely been to request another to obtain information by using the computer. The computer operator did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed under section 1 of the CMA’ (OPSI 2006). Accuracy of the review process from the standpoint of legislative inquiry toward policy and further amendment to PJA 2006 is crucial for understanding the limits of jurisprudence from a due process position, and in regard to the stipulations pertaining to definitions of personal and professional use in cases that involve law enforcement or other professionals deployed in response to protecting and serving the public good. The same could also be said of professionals from fields of service that are otherwise derived from revenue procurement capitalization, but equally incumbent toward adequate protections regarding monetary agreements or contracts (i.e. financial institutions). In situations wherein prosecutors are attempting to substantiate charges against defendants whom are believed to be ‘employees’ in violation of the CMS according to code stipulations on unauthorized access, the investigation should and must sustain the complaint with material evidence that indicates that he employee’s contract of employment and all other exampleoral supervision or training on the job, and including employment procedures and protocol supports prior employer allowance and advisement for adequate knowledge of the limits to access. Demonstrated knowledge, according to the PJA 2006, pertaining to unauthorized access by employees, then, circumscribes the liability of the employer to not only provide, but ensure that the employee recognizes the rules and the range of access allowed, and within reasonable constraint according to the position. While court decision also articulates vague discernment in this area, overview of the varied positions on the Act, offer consistency in review of those opinions, and are reflected in both Houses of Parliamentary record. All cases are to be determined according to provision of the CMA, and with sufficient evidence for consideration on a case-by-case basis with application of PJA as it is defined by the Code for Crown Prosecutors. Decisions leading to conviction under the CMA PJA are subject to co-terminus stipulations in Sections 1 and 2 that must be read in conjunction with section 17, which is the interpretation section. (Archbold 23-100). The act of misconduct can include misuse of any technologies according to definition of ‘any computer’ in section 1(1)(a). Under the CMA there is restriction of the offence to a scenario where the defendant has purportedly used one computer to secure unauthorised access to another. Causal implications in commission of misconduct related to computer use can also result if there has been performance of a function with intent to secure unauthorised access to any program or date held in the same computer (Attorney Generals Reference (No 1 of 1991) [1993] QB 94) (OPSI 2006). Attendant to the act of misconduct, the Mens Rea or mental state of the offender must be present in order for the prosecution to sustain charges against the defendant under the PJA amendment of the CMA. The complaint must include proof of the following two elements of intent: 1) knowledge that the intended access was unauthorised; and 2) intention to obtain information about programmed data held in a computer - section 1(2) CMA. In short, the presence of knowledge on the part of the offender must be established in order for ‘unauthorised access’ to be sufficiently evidenced. Mere recklessness may not be sufficient, unless that mental state is proven to have led to the operation of a computer or related system by which intentional access to data resulted. The stated rule elements outlining intent in the CMA PJA obviates inclusion of hackers but also employees ‘who deliberately exceed their authority and access parts of a system officially denied to them,’ and including classified data (OPSI 2006). Convicted parties to crimes committed under the CMA, and whom are guilty of an offence contrary to adherence of the rules, are liable to summary conviction in England and Wales. This means that immediate and irrefutable just cause has been found to convict defendants party to the crime(s) to imprisonment for a limited term, not to exceed ‘12 months, or to a fine not exceeding the statutory maximum or to both’. If not extended the opportunity to summary conviction, or in the case where the defendant has pled ‘not guilty’ upon preliminary trial, upon trial conviction of an indictment under CMA, the offender will be subjected to conviction of imprisonment for ‘a term not exceeding two years or to a fine or to both’ (OPSI 2006). Illusory to the decisions leading to conviction under CMA PJA 2006, is that the commission of the said acts, do not need to entail: 1) any particular program or data; 2) a program or data of any particular kind; or 3) a program or data held in any particular computer. Hence, the stipulations within the CMA PJA leave a gap between the viability of the legislative Act as both codified statute for use by law enforcement, and the furtherance of due process by the prosecution. Data need not be of a particular sort, only that it is considered ‘classified’ for discretionary use by designated parties. Although open ended allowance within the code enables adequate determination for investigative practice in criminal procedure, corresponding court procedure may not support evidentiary statements by the prosecution that may not delimit the terms of authorisation in regard to the data in question. Of particular consideration, are cases involving distributed denial of service attacks DDoS (Denial of Service Attacks) is aimed at specific Web sites. The DDoS rule indicates that suspect to the crime must have been found in the act of attacking websites by way of flooding the webserver (i.e. victim) with endless and repetitive messages. Resultant IT system denial to legitimate users attempting to gain access in the wake of the act must be sustained as: 1) as the term "act" includes a series of acts, 2) there is no need for any modification to have occurred; and (3 the impairment can and may be temporary. For instance, in the mail bombing case of R v Lennon [2006] EWCH 1201, 11 May 2006, the Divisional Court cited that, ‘although the owner of a computer able to receive e-mails ordinarily consents to the receipt of e- mails, such consent did not extend to e-mails that had been sent not for the purpose of communicating with the owner but for the purpose of interrupting the operation of the system’ (OPSI 2006). Other modifications to systems or malicious scripts (i.e. viruses) directed at computer systems or television transmitters, are also covered in Section 3A CMA in provision of supplying or obtaining articles for use in offences contrary to sections 1 or 3 CMA, but it does not criminalise possession per se, without evidence of intent toward use, or commission of related offenses in 1 or 3 CMA is evidenced. All evidentiary statement within the complaint must provide proof that all acts were reliant upon 3A CMA after section 37 Police and Justice Act 2006 came into force. If commission of crime is of import to the substantiation of rules outlining violation of conduct regarding computer misuse in the UK, then it is arguably correct to state that those rules are largely unenforceable from the perspective of prosecution, despite furtherance of the CMA by way of the PJA 2006 toward investigative law enforcement activities. Even still, very few cases are brought to court for magistrate review. From court record, whether or not violation of the computer misuse law persists in great numbers is unknown. This is of course mirrored within the following Parliament record: Jenny Willott: To ask the Secretary of State for Justice how many people were (a) prosecuted for and 16 Sep 2009 : Column 2254W; (b) convicted of each offence relating to the illegal use of electronic communications media in each of the last five years; and if he will make a statement. [288180]i Claire Ward: Information showing the number of persons proceeded against at magistrates courts and found guilty at all courts for offences under the 1990 Computer Misuse Act in England and Wales from 2003 to 2007 (latest available) is shown in the following table. Data for 2008 will be available towards the end of 2009. Number of persons proceeded against at magistrates courts and found guilty at all courts for offences under the Computer Misuse Act 1990, England and Wales, 2003-07( 1, 2) 2003 2004 2005 2006 2007 Offence Statute Proceeded against Found guilty Proceeded against Found guilty Proceeded against Found guilty Proceeded against Found guilty Proceeded against Found guilty Unauthorised access to computer material. Section 1 7 1 5 3 5 4 7 4 8 3 Unauthorised access with intent to commit or facilitate commission of further offences. Section 2 9 3 6 2 11 7 5 4 2 - Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer etc Section 3 and 3A 3 1 10 7 8 5 13 10 9 7 Total 19 5 21 12 24 16 25 18 19 10 (1) The statistics relate to persons for whom these offences were the principal offences for which they were dealt with. When a defendant has been found guilty of two or more offences the principal offence is the offence for which the heaviest penalty is imposed. Where the same disposal is imposed for two or more offences, the offence selected is the offence for which the statutory maximum penalty is the most severe. (2) Every effort is made to ensure that the figures presented are accurate and complete. However, it is important to note that these data have been extracted from large administrative data systems generated by the courts and police forces. As a consequence, care should be taken to ensure data collection processes and their inevitable limitations are taken into account when those data are used. Source: Evidence and Analysis unit-Office for Criminal Justice Reform Although public-private queries into the debate on computer and telecommunications misuse are pervasive throughout the legal arena, and those discussions differ radically from country to county and region to region, interpretive analysis of the current status of Britain’s competence in response to potential occurrence can really only be determined by virtual of law enforcement knowledge, as even magistrate interpretations cannot accord proper precision to statutory codification without insights drawn from the perspective of those who actually enforce through surveillance activities. Much is to be learnt from law enforcement agencies on the international front as well, and the far greater persistence of crimes related to computer misconduct, such as the invasion of privacy and fraudulent conversion of identities and financial assets (i.e. property) whilst commissioning an act of unauthorized access in the context of employment for example, is a rapidly growing area of concern within both UK and international law enforcement, that stands to only expand in terms of number of cases, and in terms of technological sophistication as new products enabling internet security breach emerge on the market. Statistical calculation and dissemination of accurate information on crimes in accordance to the UK’s CMA is still somewhat untenable. Most crimes contributed to acts of identity theft include breach of computer information and privacy. Convictions in those cases are more likely to be found under the Fraud Act of 2006 and related statute employed toward prosecution of identity theft. Court decision is, of course, encumbered by the extra-jurisdictional nature of internet cases, and especially those cases where acts have been commissioned by an organized crime ring with offenders whom are conducting activities transnational in scope. Subsequent proof and arrest of offenders in these cases is often the result of extensive violation, as investigation allows ample time for contiguous crimes to be committed. Cooperation between states may vary, and obviously does, and often based on sheer capacity by the various law enforcement agencies involved in cases of IT network crimes, whereby a system in the UK might be intruded upon by an offender(s) in a jurisdiction that does not or will not monitor nor extradite such suspected parties. The final query to CMA in regard to the efficacy of legislative efforts in this area in the UK, is the propensity of UK residents to commit acts under consideration of the code, and the rate by which law enforcement agencies are able to act on such complaints to the effect that those offenders are subject to arrest and conviction. Customary protections of employees, for example, are certain to incite challenges to definitive rule statements that heighten liability of both employers and employees on the job if the CMA is considered for revision. Furthermore, criminal activity by individuals outside of institutional settings that lead to fraudulent misuse of identity by way of technological transmission may or not support counter arguments in proposition of added constraints. If the application of the CMA has been adequate, and one could effectively argue that at the present time, legislators and magistrates would agree, evidentiary proof in the preceding cases reveals a low persistence of violation, at least by residents in the UK, of the CMA and PJA. Despite growing concerns surrounding the intrusive possibilities afforded through unauthorized access to data within computer networks and internet based website repositories, there is little rationale given within current legal analysis that supports rule allocation beyond existing statutory provisions. It is between the statutory rules that related to computer misuse and fraud, that new legislation and resultant statutory code may be considered to satisfy foregoing instantiations of something akin to ‘regulatory compliance’ and toward mitigation of such integrated violation(s) of rules within institutions. The following comprise the current articles of consideration for determinant of factors by prosecution of cases according to the CMA PJA 2006 and include provision for ‘quasi-contractual’ organizational agreements (i.e. internships): 1) did the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use polices?: 2) were the students, customers and others made aware of the CMA and what is lawful and unlawful?; and 3) did the students, customers or others have to sign a declaration that they do not intend to contravene the CMA? Supplementary articles pertain to the ‘likely’ use value of materials (i.e. data), and to the existence of a ‘closed and vetted list of IT security professionals’ versus open access: 1) ‘Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?; 2) Is the article available on a wide scale commercial basis and sold through legitimate channels?; 3) Is the article widely used for legitimate purposes?4) Does it have a substantial installation base? 5) What was the context in which the article was used to commit the offence compared with its original intended purpose?’ (OPSI 2006). The thoroughness of the CMA PJA 2006 is apparent in regard to level of intensity by which computer misuse is taking place, so respondent enforcement in regard to computer misuse should be negligible. Legal analysts cannot measure what is not there, and lack of reported information on the efficacy of illegal conduct in this area leaves legislative decisions intended as regulatory mitigation of potential violations refutable. Whether or not users of the internet will hold organizations in contempt of the CMA in the future is largely a question of advancement in privacy invasion. Regulation is the provenance of organizations, rather than 1-to-1 users. Hence, a merchant relationship may be governed by regulatory compliance, but back end information or systems access from the outside cannot be regulated, as activities of this sort are only enforceable under criminal statutory code. Is the UK prepared to move toward enhanced constraints on individual rights for the sake of civil protections? What of the real capacity of decision makers within organizations charged with providing public goods? Until we cease chasing the tail that wags the dog, regulatory restrictions will never be able to manifest dominion over the fundamental problem. Criminal intent is effectively elsewhere. Read More