
Cybercrime and the law: a review of UK computer crime legislation


Introduction
At various times over the last few years, we've posted comments on different aspects of UK
computer crime legislation, and on the policing of cybercrime, on our weblog (4 November
2005; 26 January 2006; 12 May 2006; 28 July 2006; 15 September 2006). This article is
designed to provide an overview of UK computer crime legislation.

The malware landscape


It's more than 20 years since the first PC viruses appeared. Since then, the nature of the
threat has altered markedly, in response to changes in technology, the spread of computers
into more and more areas of society and their use by ever-increasing numbers of people. In
any field of human activity, one generation stands squarely on the shoulders of those who
went before, learning from what has been done before, re-applying techniques which have
proved successful and also trying to break new ground. This also applies to those who
create malicious code, and successive generations of malware authors have re-defined the
threat landscape.
Until a few years ago, viruses and other malicious programs were used to conduct isolated
acts of computer vandalism, anti-social self-expression using hi-tech means. Most viruses
confined themselves to infecting other disks or programs. And damage was largely defined
in terms of loss of data as a virus erased or (less often) corrupted data stored on affected
disks.
This has changed. Today cybercrime is a major concern, with malware being designed to
make money illegally. The evolution of the World Wide Web has been one of the key
factors driving this change. Businesses and individuals now rely heavily on the Internet;
and the number of web-based financial transactions continues to rise. The criminal
underground has realized the huge opportunities for making money from malicious code
and many of today's threats are either written to order or developed expressly for sale to
other criminals.
Crime is an inherent part of modern society and touches almost every aspect of life. It's
hardly surprising, therefore, that the use of computer technology is mirrored by its abuse: the
two
have developed in parallel. Moreover, as more and more areas of our lives become
dependent on computers, there is more scope for criminals to use technology.

In response to any type of crime, society always attempts to find ways to prevent the crime
and punish the perpetrators. In the first instance, this means creating legislation which
makes specific activities illegal.

Computer crime
Computer crimes fall into two main categories. First, there are traditional crimes, where the
use of a computer is not intrinsic to the crime itself, but is simply a tool used to commit an
offence. This could include blackmail, for example, if an email message is sent to a victim
rather than a letter. Second, there are computer-specific crimes.
The case of the AIDS Information Trojan illustrates this point. In late 1989 this Trojan was
distributed on floppy disk by a company calling itself PC Cyborg. After the 90th re-boot of an
infected machine the Trojan encrypted the file names on the victim's hard disk, rendering the
system unusable and leaving a README file containing a bill and a PO Box address in Panama
to which payment was to be sent. Dr Joseph Popp, the alleged author of the Trojan, was later
extradited to the UK to stand trial on charges of blackmail and damaging computer systems
(he was ultimately deemed unfit to stand trial following his behaviour in court and was
released).

Computer Misuse Act


The first piece of UK legislation designed specifically to address computer misuse was the
Computer Misuse Act 1990. The Act was a response to growing concern that existing
legislation was inadequate for dealing with hackers. The issue was thrown into sharp relief
by the case of Stephen Gold and Robert Schifreen, who gained unauthorised access to BT's
Prestel service in 1984 and were charged under the Forgery and Counterfeiting Act 1981.
Their convictions were quashed by the Court of Appeal, and the acquittal was later upheld
by the House of Lords, which held that the 1981 Act did not cover what they had done.
The Computer Misuse Act 1990, "an Act to make provision for securing computer material
against unauthorised access or modification; and for connected purposes", set out three
computer misuse offences:

1. Unauthorised access to computer material
2. Unauthorised access with intent to commit or facilitate commission of further offences
3. Unauthorised modification of computer material

The maximum prison sentences specified by the act for each offence were six months, five
years and five years respectively (Amendments to the Computer Misuse Act, introduced in
the Police and Justice Act 2006, are discussed below).

The first prosecution of an individual for distributing a computer virus came in 1995.
Christopher Pile, aka "the Black Baron", pleaded guilty to eleven charges under sections 2
and 3 of the Computer Misuse Act and received an 18-month prison sentence. Pile created
the viruses Pathogen and Queeg. Both pieces of malware implemented his SMEG
(Simulated Metamorphic Encryption Generator) polymorphic engine, making them hard to
detect, and both were designed to trash substantial portions of a victim's hard drive. He
planted the viruses on bulletin boards disguised as games and, in one case, as an antivirus
program. It was estimated that the viruses caused damage amounting to £1 million
(The Independent, 16 November 1995).
Another significant conviction under the act was that of Simon Vallor. He pleaded guilty to
creating and distributing the mass-mailing worms Gokar, Redesi and Admirer, offences
covered by section 3 of the Computer Misuse Act. In January 2003 he received a two year
prison sentence. It was estimated that his worms spread to 27,000 computers in 42
countries (The Register, 21 January 2003).

Spam, malware and the law


Practically everyone with an email account is forced to deal with spam. However, the
problem of spam isn't limited to nuisance value, wasted bandwidth or inappropriate content.
Spam is also used to deliver malicious code; spam messages are often a springboard for
drive-by downloads as they can contain links to web sites which cybercriminals have
infected with malicious code. Spam is also the primary mechanism used by phishers to
direct their victims to fake web sites from which confidential data is then harvested.
To try to address the problem of spam, the Department of Trade and Industry introduced
the Privacy and Electronic Communications (EC Directive) Regulations 2003. These
regulations, the UK implementation of EU directive 2002/58/EC (each member state of the
EU is left to implement this directive for itself), are enforced by the Information
Commissioner's Office, the UK's independent authority set up to promote access to official
information and to protect personal information (guidelines relating to the regulations can
be found on the web site of the Information Commissioner's Office).
According to the regulations, companies must get an individual's permission before sending
marketing email or SMS messages (the law also applies to telephone calls and faxes). On the
subject of email, the regulations state that a person "shall neither transmit, nor instigate the
transmission of, unsolicited communications for the purposes of direct marketing by means
of electronic mail unless the recipient of the electronic mail has previously notified the
sender that he consents for the time being to such communications being sent by, or at the
instigation of, the sender".

However, there are significant limitations. In the first place, the regulations only apply to
messages sent to individual subscribers' email addresses, not to business addresses. The
penalties are also limited when compared to those for offences covered by the Computer
Misuse Act. Breaches of the regulations must be reported to the Information Commissioner's
Office, which is responsible for deciding whether or not to take the offending organization to
court. The offending organization may be fined up to £5,000 in a magistrates' court, or an
unlimited amount if the case is tried before a jury.
There is also a more serious limitation. The regulations only apply to senders within the
UK. Most spam originates from beyond the UK (Russia and the United States are currently
the top sources of spam, according to the Kaspersky Security Bulletin: Spam Evolution 2008),
so UK legislation will have little, if any, impact on spammers. This highlights a key problem
with all measures designed to deal with cybercriminals: geo-political restrictions on
legislation and law enforcement bodies mean they are unable to operate freely across
boundaries and legal jurisdictions, in contrast to cybercriminals.

New wine in old bottles


As mentioned in the introduction, the nature of the threat which malware poses to
businesses and individuals has changed dramatically since PC viruses first appeared in
1986. There has been massive technological change, and technology has come to infiltrate
almost every area of our lives. The evolution of online markets has led to a change in the
motivation of malware authors and the emergence of a dark economy where malicious
programs and personal data are bought and sold for profit.
Although laws are framed in general terms in order to cover as many current and future
offences as possible, legislation tends to lag behind the speed at which technologies evolve.
Legislation developed to deal with cyber vandals intent on installing viruses or breaking into
computer systems is not necessarily appropriate when dealing with today's more
sophisticated malware designed to steal data, send spam or bring down systems.
In November 2005, a magistrate ruled that a teenager accused of bringing down a server
by sending millions of emails had not breached the Computer Misuse Act, since the activity
had not involved making unauthorised changes to a computer as defined in the Act
(viruslist.com, 4 November 2005). Although the High Court later overturned this ruling on
appeal by the prosecution (viruslist.com, 12 May 2006), the case lent additional support to
those questioning the effectiveness of a law created in an era dominated by now outmoded
technologies such as DOS, floppy disks and bulletin boards.
The Earl of Northesk, a member of the All-Party Parliamentary Internet Group, tabled a
Private Member's Bill in 2002 to amend the Computer Misuse Act; in particular, it sought to
clarify the law on DoS (Denial-of-Service) attacks. This attempt failed, but it added further
weight to the calls for an update to existing legislation.
The Police and Justice Act 2006 (which covers broader issues than computer crime alone)
included amendments to the Computer Misuse Act. The maximum prison sentence under
section 1 of the original Act was increased from six months to two years. Section 3 of the
Act (unauthorised modification of computer material) was amended to read "unauthorised
acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."
and now carries a maximum sentence of ten years.
The Act also added a new section 3A, covering the making, supplying or obtaining of
articles for use in computer misuse offences, which carries a maximum sentence of two
years. This section states:
1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any
   article intending it to be used to commit, or to assist in the commission of, an offence
   under section 1 or 3.
2. A person is guilty of an offence if he supplies or offers to supply any article believing
   that it is likely to be used to commit, or to assist in the commission of, an offence under
   section 1 or 3.
3. A person is guilty of an offence if he obtains any article with a view to its being
   supplied for use to commit, or to assist in the commission of, an offence under section
   1 or 3.
4. In this section "article" includes any program or data held in electronic form.

This section has drawn a lot of criticism. It is clearly intended to make the use of hacking
tools illegal. However, it could equally be applied to legitimate tools that could be misused
for hacking (port scanners, password auditors and penetration-testing frameworks, for
example), or to riskware programs that could be used either legitimately or for illegal
activities; the "believing that it is likely to be used" test in subsection 2 sets no clear
threshold for such dual-use software. The Crown Prosecution Service has since published
guidance on the factors it will weigh when deciding whether to prosecute under this section,
but many people, including some in the All-Party Parliamentary Internet Group, still hope
that this section of the Act will be amended.

European Convention on Cybercrime


As mentioned earlier, one of the most serious limitations of computer crime legislation is
that it is national in scope, while cybercrime is a global phenomenon.
The Convention on Cybercrime, designed to provide a common international framework for
dealing with cybercrime, was adopted by the Committee of Ministers of the Council of
Europe (a body distinct from the EU) in November 2001 and opened for signature in
Budapest the same month.

The treaty is wide-ranging and covers all aspects of cybercrime, including illegal access,
illegal interception of data, data interference, system interference, misuse of devices,
computer-related forgery, computer-related fraud, offences related to child pornography
and offences related to infringements of copyright and related rights. The treaty is also
designed to provide a common law enforcement framework for dealing with cybercriminals
and to foster the sharing of information among all signatories.
So far, 46 countries have signed the treaty (Convention on Cybercrime, CETS No. 185,
status as of 26/3/2009). However, only 24 countries have actually ratified it. There
are also some notable absentees among the signatories, including China, Russia and
several Latin American countries, all of which rank among the biggest sources of malicious
code. The UK has not yet ratified the treaty, but is expected to do so in 2009 (Hansard
[House of Commons debates], 27 January 2009).

Personal Internet security


Debate on the measures necessary to tackle cybercrime was further fuelled by the
publication of the House of Lords Science and Technology Committee report on Personal
Internet Security in August 2007. This report criticized the UK government for
placing the main responsibility for Internet security on individuals: a view, the committee
insisted, that compounds the perception that the Internet is a lawless "wild west". They
described the Internet as "the playground for criminals" and suggested that many
organizations with a stake in the Internet could do more to promote personal Internet
security, including hardware and software vendors, ISPs, online businesses, banks, police
and government.
The committee suggested that all parties should take responsibility for Internet security.
Companies should be obliged to notify anyone affected by a data breach (for example, if
one of the company's servers is hacked). ISPs should take action to deal with
compromised machines used to connect to the Internet via the ISP. Software vendors
should be held liable for security loopholes in their software; and the government should
develop a kite-mark system for applications and online content. Banks should, the
committee argued, be liable for losses incurred due to online fraud. The committee also
urged the government to follow through on its commitment to ratify the European
Convention on Cybercrime.
The government's response, published in October 2007, rejected many of the
committee's recommendations. As a result, the House of Lords Science and Technology
Committee published a follow-up report in July 2008. This reiterated many of
the previous recommendations, but noted the slightly more positive view of how the
committee's recommendations were to be taken forward by government ministers, and the
acknowledgement that the committee's report had helped to drive the agenda forward.

Crime and punishment


It's clear that the existence of legislation which addresses specific types of criminal activity
is not, in itself, sufficient to tackle the problem of cybercrime. It's also essential to ensure
that the police understand the problem and have the resources to deal with it.
Unfortunately, in the years following the introduction of the Computer Misuse Act, few UK
police forces outside the Metropolitan Police area had the knowledge and expertise to
deal with computer crime; and it was only when it became clear that cybercrime was an
issue that wasn't going to go away that resources were put into creating a dedicated
agency to address the problem.
In April 2001, the government established the National Hi-Tech Crime Unit. Designed to
provide a co-ordinated response to cybercrime, it worked closely with specialists from a
range of agencies, including the National Crime Squad, HM Revenue and Customs and the
National Criminal Intelligence Service.
The NHTCU had some notable successes. These included the arrest of Russian hackers
responsible for threatening online bookmakers with Distributed-Denial-of-Service (DDoS)
attacks (The Register, 21 July 2004) in a joint operation with Russian law enforcement
agencies; and the arrest of those responsible for trying to steal money from the London
branch of the Japanese Sumitomo Mitsui bank in October 2004 (The Register, 19 March
2009).
In April 2006 the NHTCUs responsibilities were taken over by the Serious Organised Crime
Agency (SOCA). This resulted in growing concern that there would be fewer resources
dedicated to tackling cybercrime, as this would only be a small part of SOCA's remit (SOCA
aims).
In April 2007, the rules on reporting bank fraud were changed. Following the introduction of
the Fraud Act 2006, banks and financial institutions were made the first point of contact for
reporting card, cheque and online banking fraud. The stated aim of this change was to
reduce bureaucracy, but some expressed concern that fraud may be under-reported.
In response to these concerns, changes are underway that will, it is hoped, result in a
greater focus on cybercrime. The first is the creation in 2009 of the Police Central e-crime
Unit (PCeU). This body is not designed to replace SOCA or other police agencies, but to
co-ordinate the response to cybercrime and to provide a national investigative capability for
the most serious e-crime incidents (PCeU mission statement). Second is the introduction,
also planned for late in 2009 (Hansard [House of Commons debates], 26 February 2009),
of the National Fraud Reporting Centre, to provide the public and small businesses with a
way to report non-urgent fraud, online or by telephone.

Of course, even where there's a well-developed legal framework and dedicated law
enforcement agencies designed to tackle cybercrime, criminals can only be arrested and
prosecuted if there is sufficient evidence to bring a case. This is not always straightforward.
Unfortunately, not everyone wants to admit they have fallen victim to cybercriminal activity.
This is especially true of businesses, as such an admission could damage the company's
reputation.

Using civil law to deal with cybercriminals


In July 2006, we commented (viruslist.com, 28 July 2006) on a green paper (a consultation
document on proposed legislation) published by the Home Office, New Powers Against
Organised and Financial Crime. In this paper the government proposed to fill a
gap in the criminal law for catching those involved at the edges of organised crime by using
the civil courts, including the use of Organised Crime Prevention Orders. The courts would
be able to impose an order if they believed, on the balance of probabilities, that:

- the subject has acted in a way which facilitated, or was likely to facilitate, the
  commission of serious crime; and
- the terms of the order are necessary and proportionate to prevent such harm in future.

Failure to observe the terms of the order would be a criminal offence.


The proposals took final shape in the Serious Crime Act 2007, designed to
provide the best possible tools for our law enforcement agencies to ensure they stay one
step ahead of those who commit serious crime and to strengthen their ability to crack
down on criminals and disrupt their operations (Home Office press release, 30 October
2007, the day the Act received Royal Assent).

Balancing security and freedom


On the face of it, the Serious Crime Act can only be seen as a good thing, providing the
police with powers to detect, disrupt and prevent serious crime (Home Office press
release, 30 October 2007). However, some people have raised concerns about the
implications for civil liberties, not least because the standard of proof required in a civil
court (the balance of probabilities) is lower than that required in a criminal court (beyond
reasonable doubt), so there is more scope for potential miscarriages of justice.
This debate was brought into sharper relief earlier this year following reports in the press
that the police had the power to hack into the computers of suspects without a warrant (The
Sunday Times, 4 January 2009; The Independent, 5 January 2009).

The UK is not alone in grappling with the problem of balancing personal freedom with
security, as the debate surrounding the so-called BundesTrojan in Germany shows
(viruslist.com, 27 February 2008), but so far no resolution to this dilemma has been made
public.

Future prospects
It's clear that cybercrime is not going to disappear. This shouldn't surprise us. While
cybercrime is an unwanted side effect of the Internet age, it's also part of a broader crime
landscape. If there's a use for something, someone will always find a way to abuse it, and
this includes computer technology and the connectivity provided by the Internet. Crime can
never be eliminated, so tackling cybercrime is less about winning the war than about
mitigating the risks associated with using the Internet.
To manage the risk, the global society clearly needs a legal framework, together with
appropriate and effective law enforcement agencies. There's little question that law
enforcement agencies have developed increasing expertise in dealing with hi-tech crime
during the last decade, including joint policing operations across national borders. This
must be further developed if we are to deal effectively with cybercrime. In particular, the
extension of international legislation beyond developed countries, and the development of a
cyber-Interpol to pursue criminals across geo-political borders would contribute greatly to
the fight against cybercrime.
Law enforcement, however, is only part of the solution. We also need to ensure that
individuals and businesses understand the risks and have the knowledge and tools to
minimise their exposure to cybercrime. This is particularly important for individuals who are
often technically inexperienced and have little understanding of the potential problems
associated with online shopping, Internet banking and social networking. This problem is
exacerbated by the growing number of people accessing the Internet for the first time.
Society must find imaginative and varied ways of raising public awareness about
cybercrime and about methods which can be used to mitigate the risks.
The information super-highway is no different to any other public road. We need
well-designed roads, safe cars, clear signs and competent drivers. In other words, we need a
blend of appropriate legislation, effective policing and public awareness.

Disclaimer
This paper has been prepared by Kaspersky Lab for information purposes only and is not,
nor is it intended to be, legal advice. This information is not intended to constitute, and
receipt of it does not constitute, a contract for legal advice or the establishment of a
solicitor-client relationship.
