Computer Misuse Act: life in prison for UK hackers
It appears to have gone unnoticed by many that the maximum sentence for someone found guilty of breaching the Computer Misuse Act in the UK has been increased recently from just 10 years to, wait for it, life in prison.
Hacking, in the sense of gaining unauthorised access to a computer system (and let’s not start the whole hacking/cracking debate here please folks), is a serious offence these days. But is it really serious enough to warrant a possible maximum sentence of life in prison, when you consider that it puts hacking right up there with murder? Few rapists will get near a life sentence, and espionage only carries a maximum of 14 years inside, so what makes hacking so special?
Stories are best told from the beginning, unless they have been turned into some weird conceptual screenplay in which case they are often best not told at all.
Ours starts back in the mid-1980s when my friends, and fellow explorers of online networks at the time, Robert Schifreen and Steve Gold carved their names into security stone by gaining ‘unauthorised access’ to the British Telecom Prestel service. This interactive Viewdata service bore no resemblance to anything that a modern-day hacker might come across online, but back in the day it was something worthy of exploration. Not least, as it turns out, because one of the users was the husband of Her Madge the Queen, Prince Philip, himself.
The pair managed to gain access to the royal message box, and the rest is hacking history. Eventually they were both charged under a section of the ‘Forgery and Counterfeiting Act’ of 1981, for defrauding British Telecom of a measly amount of money that they would have had to have paid if they had accessed the system in the more usual fashion.
Both were found guilty and fined, both appealed to the Criminal Division of the Court of Appeal and were subsequently acquitted.
The story doesn’t end there though, as the prosecution appealed the appeal, as it were, and finally in the House of Lords that acquittal was upheld on the grounds that the Forgery and Counterfeiting Act didn’t apply and that “dishonestly gaining access to the relevant Prestel data bank by a trick… is not a criminal offence.”
The powers that be soon changed that, and the Computer Misuse Act 1990 was born in, erm, 1990. Since then, both Richard and Steve went on to have successful careers within IT security journalism and Steve, who sadly died earlier this year, even ended up editing an edition of the now legendary Hacker’s Handbook, which was something of a bible to early network explorers such as myself.
We now need to fast forward 25 years into the here and now, a place where for the most part ‘hacking’ is no longer a matter of harmless exploration and the quenching of a technical knowledge thirst for the explorer; it’s pretty much always not only a malicious, but also an illegal, act. Painted within this modern landscape, where the context is one of either politically motivated activism or financially inspired criminality (although there is a muddy middle ground where hacking is done ‘just for the lolz’), few would argue against the need for some kind of law to define the boundaries of illegality.
For that law to be of any real use in the real world, as a deterrent to those who would follow in the footsteps of their peers, it needs to have bite, and that is provided by the teeth of sentencing. In Nigeria the teeth are very sharp indeed, and as from earlier this year anyone found guilty of attacking critical national infrastructure such that it causes death will, according to its cybercrime laws, be hanged until dead.
Thankfully the UK has not gone quite as far down that road, however, at around the same time and with the same intent from what I can tell, it did revise the maximum sentencing applicable to the Computer Misuse Act 1990 by way of the Serious Crime Act 2015.
Up until 3 May 2015, the most anyone convicted of a crime under the Computer Misuse Act could have expected was 10 years in prison. Well, I say expected, but to be honest most people coming up before the beak on a hacking charge would be expecting a hell of a lot less than that. Indeed, until recently, if my conversations with hackers are anything to go by, most feared being extradited to the USA and/or having their kit confiscated by the Old Bill far more than the sentence a judge would likely lay down for them. Then everything changed, and under certain circumstances that 10-year stretch has turned into a life one instead.
What those certain circumstances are remains rather open to question, as the wording of the revision is somewhat vague and open to individual interpretation, to say the least. At its core the sentencing guidelines would appear to follow the Nigerian lead, however, in that the ‘unauthorised act’ is carried out firstly in the full knowledge that the access is actually unauthorised and secondly knowing (or being reckless as to the same) that it could reasonably be expected to lead to ‘serious damage’ to national security or human welfare. So we are talking about attacks on national critical infrastructure, just like the Nigerians are, apart from the fact that we don’t actually say as much in black and white. Which is where the law becomes, if not an ass, then certainly an assumption as to what act is deserving of the full term.
While the IT security industry, for the most part, quite rightly tears David Cameron and Theresa May a collective ‘new one’ for their desire to bring back the Snooper’s Charter and effectively emasculate data encryption, it has been worryingly quiet over the Computer Misuse Act revision. I’m sorry, but both these moves have the same motivation, being a knee-jerk reaction to the cyber-terror threat.
Anything that leaves so much interpretation open to the British Judiciary is of concern, especially when that ‘anything’ is in the realms of technology. Judges have a well-earned reputation for not having, how can I put this, a pulse on the finger of the latest technical and cultural trends. I am tempted to say that many are doing well to have a pulse at all, to be fair.
However, understanding both the technology in question and the culture surrounding hacking is at the heart of my misgivings here. It is one thing hitting some wannabe script kid with a fine, or a more serious cybercriminal with a year or two in the clink, but step those sentences up to life and things start to get very complicated indeed when we determine who ‘deserves’ such a harsh punishment.
I appreciate that, as an ex-hacker myself, my views may not go down well across the broad-brush that is the sweep of the IT security profession; but someone has to stand up and shout when the emperor isn’t wearing any clothes! How do you sensibly, and consistently, define either ‘serious damage’ or ‘national security’ in such a way, when it applies to the highly technical world of hacking, that your average judge or jury can be expected to have a proper, balanced, grasp of the facts?
One thing is clear: unlike in Nigeria, where a loss of life is part of the requirement for the maximum sentence to be applied, here it could be something that causes damage of a material kind, which is defined to include the environment, the economy or national security.
The latter being the national security of any country, by the way, not just the UK, so leaving the doors nicely open for the potential of a little bit of politically expedient back scratching. Loss of life doesn’t even come into it, but rather damage to ‘human welfare’, which is defined as including the disruption of money supply, fuel supply, or water or energy supply; are you getting the gist of it yet?
One cannot help but wonder where Edward Snowden would have fallen amongst this new legislative desire for retribution. Or, indeed, how it may impact upon other whistleblowers thinking about disclosing data that they see as being in the interest of humanity, but which the state determines to be a matter of national security that endangers human welfare? Food for thought, don’t you think?