Crime
This article is based on UK law. It was last updated
in June 2009.
Overview
Any business is at risk from online crime. A business can also
be held criminally responsible for the actions of its employees –
so it's worth knowing the risks, even if you are neither a hacker
nor a thief.
Hacking
Hacking is the popular term for what is properly called
'cracking'. We use the term hacking as a synonym for cracking,
though strictly speaking a cracker is one who breaks into someone
else's computer system, while a hacker is just a computer
programmer.
Under the Computer Misuse Act 1990, the following are
offences:
- Unauthorised access to computer material (section 1);
- Unauthorised access with intent to commit or facilitate
commission of further offences (section 2); and
- Unauthorised modification of computer material (section
3).
The maximum penalty for the section 1 offence (unauthorised
access to computer material) is two years' imprisonment and a fine.
For a section 2 offence, the maximum penalty is 5 years'
imprisonment and a fine. For a section 3 offence, the maximum
penalty is 10 years' imprisonment and a fine.
These offences are potentially wide in scope: even guessing the
password to access someone else's webmail account could be
prosecuted as an offence of unauthorised access to computer
material.
Vicarious liability
Depending on the circumstances, an employer could be held
criminally responsible where, say, a member of its IT team hacks
into a third party's system. This is due to the legal concept of
vicarious liability. An employer is vicariously liable for the
wrongful or negligent acts of his or her employee committed within
the general scope of his or her employment. Employers should not
tolerate any unauthorised access by staff to third party
systems.
Penetration testing
When companies commission penetration testing, a contract should
be signed before testing begins, to ensure that the testing
company's actions are authorised. The testing firm's techniques may
include social engineering – where staff are tricked into
disclosing personal details that will provide access to a system. A
contract will help to minimise the risks for both parties. The
contract should put in place a process that, among other things,
helps to distinguish the penetration tester from a criminal – for
example, to avoid a member of staff alerting the police to the
penetration testing due to a misunderstanding. It should also deal
with liability issues: what happens if the tester takes down a
critical part of the organisation's website and the organisation
suffers loss?
How the Computer Misuse Act has changed since 1990
The maximum penalties were lighter when the 1990 Act was passed
(up to six months' imprisonment and a fine for a section 1 offence;
up to 5 years and a fine for either a section 2 or 3 offence). The
Act was amended by The Police and Justice Act 2006, which increased
the penalties. These amendments took effect in Scotland in October
2007 and in England and Wales in October 2008.
The Police and Justice Act 2006 also banned denial of service
attacks and the supply of hacking tools. These issues are addressed
below.
Viruses, worms and Trojan horses
Malware explained
Viruses, worms and Trojan horses are known collectively as
'malware' or malicious software. Malware can cause harm by
corrupting data or slowing the performance of a computer or a
network.
A computer virus is a program that can infect a computer
without the knowledge or permission of the owner and then copy
itself. A virus is only transferred by the owner of the infected
computer, albeit unwittingly – e.g. when emailing an infected file
to another machine.
A worm is like a virus, with the difference that it does not
need to attach itself to an existing program. It can spread among
many computers by itself – i.e. with no need for any action on the
part of the infected computer's owner.
A Trojan horse is a program that appears harmless but has a
hidden agenda – e.g. a program appears to be just a game, but also
monitors all keystrokes on the infected computer and forwards the
information to a criminal who can then work out that user's
passwords.
Malware and the law
Developing a virus or other malware and/or disseminating it is
an offence under the Computer Misuse Act.
Depending on the circumstances, there could be a section 1,
section 2 or section 3 offence (each of which is described above).
The Police and Justice Act 2006 expanded the section 3 offence
(unauthorised modification of computer material) to include actions
designed to impair the operation of any program or computer. The
maximum penalty is 10 years' imprisonment and a fine.
The Computer Misuse Act has also been changed to make it an
offence to make, adapt, supply or offer to supply any article which
is "likely to be used to commit, or to assist in the commission of,
[a hacking or unauthorised modification] offence". It is also an
offence to supply an article "believing that it is likely" to be
used to commit such an offence.
The meaning of 'article' includes any program or data. The
provisions would cover the supply of toolkits designed for
launching Denial of Service attacks (see below) or viruses. Anyone
convicted of breaking this section of the Act could be jailed for
up to two years.
This part of the law has been controversial because security
researchers have said that it could impede their work, restricting
their ability to share information about security vulnerabilities
(on the basis that if criminals use that information to attack a
system, the researcher could be held responsible).
It is possible that malware could also give rise to civil
liability – i.e. a lawsuit rather than a prosecution. If your
company unwittingly introduced a virus to another company's
network, that company could sue, alleging that your company was
negligent in failing to detect and block the dissemination of
viruses. Evidence might be that anti-virus software in use in the
company spreading the virus was not up to date. There is an obvious
defence of contributory negligence, though: if the other company
had up-to-date anti-virus protection in place, the virus should
have been blocked. Accordingly, we have never heard of such a
lawsuit being filed.
Denial of Service attacks
Many organisations have been the victims of Denial of Service
(DoS) attacks. These are deliberate attacks designed to disable a
website or network. A company's email servers can be brought to a
standstill by a barrage of email messages, and its web servers by a
flood of requests for information, causing websites to crash.
Such attacks are illegal. They were banned in Scotland in 2007
and in England and Wales in 2008 when section 3 of the Computer
Misuse Act was amended (by the Police and Justice Act 2006).
The old law on Denial of Service attacks
Before the Computer Misuse Act's amendment, there was doubt
about the legality of DoS attacks. The 1990 law criminalised
unauthorised access to or modification of data; but there was an
argument that in a DoS attack there is no such access. Such access
did exist in so-called Distributed Denial of Service (DDoS)
attacks, in which many computers are hijacked and used to launch an
attack on a single target; but in a 'simple' DoS attack, there
might be no such access.
There was a school of thought that, in England and Wales, a DoS
attack could be prosecuted under the Criminal Damage Act. In
Scotland, a DoS attack could be prosecuted as common law 'malicious
mischief'.
The illegality of DoS attacks under the 1990 legislation was
confirmed by the Queen's Bench Division of the High Court in the
case of R v Lennon in 2006. David Lennon had sent five million
email messages to his former employer, causing its server to crash.
See: Denial of Service attacker sentenced to
curfew, OUT-LAW News, 24/08/2006.
The amendments to the Computer Misuse Act put the illegality of
DoS and DDoS attacks beyond doubt.
Using a wireless network without permission
If a Wi-Fi network is hacked, there will be an offence under the
Computer Misuse Act. But using an open wireless network without
permission can also be an offence, under the Communications Act
2003.
Section 125 of the Communications Act describes an offence of
dishonestly obtaining communications services. It states: "A person
who (a) dishonestly obtains an electronic communications service,
and (b) does so with intent to avoid payment of a charge applicable
to the provision of that service, is guilty of an offence."
See: Man arrested for Wi-Fi leeching,
OUT-LAW News, 23/08/2007.
Software piracy
According to a study commissioned by the Business Software
Alliance (BSA) in 2008, 27% of software installed
on personal computers in the UK is unlicensed.
The unlicensed use of software is copyright infringement. It is
generally dealt with as a civil matter, resulting in an award of
damages. However, in some circumstances, software piracy will be
prosecuted in a criminal court where the maximum penalty is an
unlimited fine and up to 10 years' imprisonment.
Lawyers acting for the BSA and another trade body, the
Federation Against Software
Theft (FAST), frequently send warning letters to
organisations in the UK that are alleged to be using unlicensed
software. These letters typically demand an audit of the software
in use in the target company. They will seek the total number
of computers and servers in the organisation; an inventory of all
software (including fonts) installed in the organisation; and the
number of licences held, with evidence such as receipts.
Faced with an allegation that unlicensed software is being used,
an organisation might be asked to settle the complaint by paying
for the missing licences. If the matter is taken to court and
infringement is established, the sum of damages payable is likely
to match the sum that should have been paid for the missing
licences.
Damages tend to be compensatory in the UK, not punitive.
However, a court can award "additional damages" under section 97(2)
of the Copyright Designs and Patents Act. These will be determined
with regard to the "flagrancy" of the infringement and "any benefit
accruing to the defendant by reason of the infringement".
The BSA and FAST typically learn of infringements from employees
at infringing organisations. The BSA offers a reward of up to
£10,000 for every report to the BSA that leads to a court judgment
or settlement.
If your organisation receives such a letter, we recommend that
you seek legal advice.
Bear in mind that, even if it is individual employees obtaining
and using software without a licence, your business and/or its
directors and other officers can be held liable.
Guiding employees on software licensing
Large organisations typically put controls in place to prevent
staff downloading software. However, an employee handbook can be
used to explain to each employee, among other matters, that:
- He or she must not copy any program installed on his or her
computer for any purpose without prior written permission;
- He or she must not install any program onto his or her computer
without prior written permission;
- The business will not tolerate any employee making unauthorised
copies of software;
- Any employee found copying software illegally is subject to
disciplinary measures and even dismissal;
- If he or she wants to use software licensed by [the business]
at home, he or she must consult with [a manager] to ensure that
such use is permitted by the relevant licence.
If covering such matters in a handbook or by any other means,
make sure they are read and understood by each employee.
Fraud
Under the Fraud Act 2006 there is a general offence of fraud
which can be committed by false representation, by failing to
disclose information or by abuse of position. The offence carries a
maximum sentence of 10 years' imprisonment. The legislation does
not apply in Scotland, where there is a common law crime of fraud,
committed when someone achieves a practical result by a false
pretence.
Phishing attacks could be prosecuted as fraud. These attacks
usually involve sending thousands of emails that purport to come
from a bank or another trusted brand in the hope that passwords or
account details can be lured from recipients.
The Fraud Act also provides that it is an offence for a person
to be in possession of articles for use in fraud (including
software). The maximum penalty is five years' imprisonment and/or a
fine. It is also an offence under the Fraud Act to make or
supply articles for use in fraud, which is punishable by up to 10
years' imprisonment and/or a fine.
Illegal images
Obscenity
The Obscene Publications Acts of 1959 and 1964 make it an
offence to publish any content whose effect will tend "to deprave
and corrupt persons who are likely … to read, see or hear the
matter contained or embodied in it".
According to the Internet
Watch Foundation (an organisation that operates a
hotline for reporting illegal images), this "could include images
of extreme sexual activity such as bestiality, necrophilia, rape or
torture".
Possession of 'extreme pornographic images' was criminalised in
England and Wales by the Criminal
Justice and Immigration Act 2008. An extreme image is one which
is "grossly offensive, disgusting or otherwise of an obscene
character" and which portrays any of the following in an explicit
and realistic way:
"(a) an act which threatens a person’s life,
(b) an act which results, or is likely to result, in serious
injury to a person’s anus, breasts or genitals,
(c) an act which involves sexual interference with a human
corpse, or
(d) a person performing an act of intercourse or oral sex with
an animal (whether dead or alive),
and a reasonable person looking at the image would think that
any such person or animal was real."
A similar offence has been proposed for the law of Scotland.
Child abuse images
Under the Protection of Children Act 1978, it is an offence in the
UK to take, permit to be taken, make, possess, show, distribute or
advertise indecent images of children.
The definition of children includes those under the age of 18
and those giving the impression that they are under 18. Prior to
1st May 2004, the relevant age was 16.
Indecent photographs include 'pseudo-photographs' and tracings
of photographs. They also include data that can be converted into
an indecent photograph.
The maximum penalty for possession of an indecent photograph of
a child is five years' imprisonment. The maximum penalty for making
such a photograph is 10 years' imprisonment.
The IWF provides a more detailed summary of
the relevant laws. It uses the term 'child abuse images', not child
pornography, to reflect the gravity of the images involved.
Pornography and illegal content downloaded by employees
Downloading lawful pornography or illegal content may make an
employee liable for summary dismissal. However, this will depend on
whether dismissal is an appropriate sanction in the particular
circumstances, so it should not be considered a general rule. No
dismissal should take place until a full and proper investigation
is carried out and fair disciplinary procedures followed.
Any employer should have a suitable internet and e-mail policy
(read our article, Internet and email
policies). The policy should specifically prohibit
downloading pornography and unlawful content and make it clear to
employees that this behaviour will not be tolerated and is likely
to lead to instant dismissal. Having such a policy not only
clarifies the rules for the employee but might also help the
employer if there is a question of vicarious liability.
Racism on the internet
Threatening, abusive or insulting words or behaviour can be an
offence under the Public Order Act 1986 where these acts are
intended or likely to stir up racial hatred. Racial hatred is
defined (at section 17) as meaning "hatred against a group of
persons in Great Britain defined by reference to colour, race,
nationality (including citizenship) or ethnic or national
origins".
The Act was amended by the Racial and Religious Hatred Act 2006
to criminalise hatred against a person on the grounds of their
religion. Hatred on the grounds of sexual orientation is addressed
by the Criminal Justice and Immigration Act 2008 but is not in
force at the time of writing.
Terrorism on the internet
According to the UK's Terrorism Act of 2000, it is an offence to
provide or receive instructions in the making or use of firearms,
explosives, or chemical, biological or nuclear weapons.
Bomb-making instructions landed a US webmaster in prison in 2003
under US laws.
ISPs and liability for content
In a well publicised case, German prosecutors brought charges
against the local manager of CompuServe in connection with child
pornography on the internet.
Under the E-commerce Directive and the UK's equivalent
E-commerce Regulations (see our article, The UK's E-commerce
Regulations), generally speaking, ISPs will have no
liability for data content when they only provide access or
transmission services. Even if they take a more active role and
host a website, they will not be liable for the content of that
website, provided that:
- they do not know of any offending material which appears upon
that site; and
- they move swiftly to remove such material once they have
knowledge of its existence.
Cryptography keys
Under UK legislation, the owner of a decryption key can be
prosecuted and sent to jail if he or she fails to comply with a
demand to hand over the key to the police, intelligence services or
customs and excise. This is provided for in the Regulation of
Investigatory Powers Act 2000.
Data Protection
The Data Protection Act 1998 created a criminal offence of
knowingly or recklessly obtaining personal data from a data
controller, e.g. by breaking into the computer system of a company
to retrieve information. In addition, there are responsibilities on
website operators to protect the security of their systems.
Data controllers are required by the Data Protection Act to take
"appropriate technical and organisational measures" against
unauthorised or unlawful processing. What is an appropriate level
of security will vary according to the type of information stored.
For example, medical and financial details would demand greater
security than details of interests and hobbies. The business
operating the website is also obliged to ensure the reliability of
any employees with access to personal data.
Failure to comply with the Act can lead to the serving of an
enforcement notice; failure to comply with the notice is a criminal
offence. It is also possible that the directors and other officers
of the company will be guilty of the offence. In addition, the
individual whose data is compromised can sue the business for
compensation and, depending on the circumstances, distress. For
further information on this Act, you should see our legal
information about Data protection.
Jurisdiction
Occasionally, the UK courts have encountered difficulties in
applying domestic law when considering offences where part of the
activity occurs overseas. However, the Computer Misuse Act deals
with this, provided that at the time of the commission of the
offence there was a significant link to this country.