Does the law understand computer crime?
We have numerous laws which can be used to prosecute computer crime, and it is more than 25 years since the Computer Misuse Act 1990 became law. But even now, do the courts and the judges really understand the nature and impact of computer crime?
Over thirty years ago, in 1985, a prosecution was brought against journalists Robert Schifreen and Stephen Gold for forgery. The pair had hacked into the Prestel Viewdata system (an early form of online information pages and messaging) and accessed Prince Philip's mailbox. They obtained a root-access password to Prestel by the simple act of shoulder surfing a BT engineer and discovering the username was 22222222 and the password was 1234. They were acquitted on appeal when the court ruled that no existing laws made such action a crime. That case was instrumental in leading to the development of the Computer Misuse Act 1990 and in creating the concept of unauthorised access to a computer system.
In 2005, the courts heard that David Lennon had run a week-long campaign against his former employer, Domestic and General Group plc, during which he sent five million emails, crashing the company's mail server and costing Domestic and General about £30,000 to clean up the mess. The judge ruled that by running a public mail address, the company had invited emails and thus Lennon had done nothing wrong. As a result of this case, the law was updated in 2006 to make it clear that this and other forms of denial of service were indeed serious criminal offences under the Computer Misuse Act.
Ten years later, in present-day 2016, Grant Manser, a twenty-year-old from Worcestershire, pleaded guilty at Birmingham Magistrates' Court to six counts of computer misuse offences. Manser was arrested in 2014 for constructing and selling malicious software (Dejabooter, Vexstresser, Netspoof, and Refinedstresser) which was primarily intended to produce distributed denial of service (DDOS). The prosecutors said these tools had downed some 224,000 websites and had 12,800 registered users, of whom 4,000 purchased DDOS services from Manser and carried out 603,499 attacks.
The programs and services were sold on clandestine hacker websites (the so-called "Dark Web") for between £5 and £20 each, taking payment through PayPal. The prosecution said that Manser, who was aged 16 and living with his parents, had made some £50,000 out of this operation, and at the time of his arrest was advertising for staff.
Targets of his attacks included businesses, schools, and government departments from Poland, France, the USA and the Netherlands. In one notable case, a student at Harrogate and Hull College was upset at getting a detention and retaliated by using Manser's malware to disable the college network for 14 hours. The cost to all of the victims in terms of lost productivity is incalculable.
In a novel and somewhat incredible defence, his lawyer argued that Manser wasn't a hacker because he wasn't stealing information, and "only did it for the money". In what amounts to little more than a slap on the wrist in view of the scale of the operation, Judge Nicholas Cole issued a suspended two-year sentence, 100 hours of community service, and £800 in costs.
25th April 2016
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.