BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

United Kingdom Journals


You are here: BAILII >> Databases >> United Kingdom Journals >> Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses!
URL: http://www.bailii.org/uk/other/journals/WebJCLI/1996/issue3/akdeniz3.html
Cite as: Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses!

[New search] [Help]


Web JCLI Searches [1995] 3 Web JCLI Web JCLI Help

Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses!

Yaman Akdeniz LLB *

Research student at the Centre for Criminal Justice Studies
Faculty of Law
University of Leeds
< [email protected]>

Copyright © 1996 Yaman Akdeniz.
First Published in Web Journal of Current Legal Issues in association with Blackstone Press Ltd.

* I would like to thank Professor Clive Walker and Mr. Alan Reed, University of Leeds, for their help with this article.


Summary

This article explores the background of the 'unauthorised modification' offence in section 3 of the Computer Misuse Act 1990 Act. It then examines the response of the courts to the new offence. Finally, the article discusses the first conviction of a computer virus writer in the UK under the Act.


Contents

Background.
The Offence.
Unauthorised Modification in the Courts.
The Pile Case.
Conclusion.

Bibliography .


Background

Before the Computer Misuse Act 1990, damage or erasure of computer programs or data was an offence under Section 1 of the Criminal Damage Act 1971 which states:

"a person is guilty of an offence if, without lawful excuse, he destroys or damages any property belonging to another."

Criminal damage requires that the person intended such consequences to occur or was reckless as to whether property would be destroyed or damaged. The recklessness requirement is objective ie Caldwell recklessness (Caldwell [1981] 1 All ER 961). The difficulty with applying this to viruses is that "property must be destroyed or damaged". The word 'property' is defined by section 10 of the Act as meaning tangible property, which does not seem applicable when data or software is erased or damaged in the computer and the computer disk. However, the courts have disagreed with this possible interpretation.

This was the problem in Cox v Riley (1986) 83 Cr App R 54, in which the accused erased programs from a printed circuit card used to control his employer's computerised saw for cutting out timber sections for window frames. He was charged under the Criminal Damage Act 1971 but argued that the programs were not tangible property within the meaning of the Act. Nevertheless, he was found guilty on the basis that the printed circuit card had been damaged and was now useless.

In the case of Whiteley (1991) 93 Cr App R 25, the Court of Appeal re- examined, in the context of computer hacking, the nature of damage for the purposes of the offence of criminal damage created by s 1(1) of the CDA 1971. Nicholas Whiteley, aged 21, who was known as the 'mad-hacker' was charged with 10 offences of intending or recklessly damaging property by hacking into various university computer networks via the Joint Academic Network (JANET) between March and July 1988. He deleted and added files, made sets of his own users and then deleted any files which would have recorded his activity. He managed to attain the status of a system operator which enabled him to act at will without identification or authority. As a result of his actions, computers failed, were unable to operate properly, or had to be shut down for periods of time. He was convicted and on appeal, Lord Lane CJ dismissing his appeal, stated that:

"the Act required that tangible property had been damaged, not that the damage itself should be tangible."

He added that:

"there could be no doubt that the magnetic particles upon the metal discs were a part of the discs and if the defendant was proved to have altered the particles in such a way as to cause an impairment of the value and usefulness of the disc to the owner, there would be damage within the meaning of section 1."

Lord Lane CJ then referred specifically to the judgment in Morphitis v Salmon [1990] Crim LR 48, where Auld J said:

"damage should be interpreted so as to include not only permanent or temporary physical harm, but also permanent or temporary, impairment of value or usefulness."

Lord Lane CJ's conclusion was that:

"any alteration to the physical nature of the property concerned may amount to damage within the meaning of the section."

The appeal in Whiteley had been heard after the Computer Misuse Act 1990 came into force, but any future similar case of computer misuse would now fall within the scope of the offence of unauthorised modification of computer contents created by s 3(1) of the 1990 Act.

The effect of the new Act is to render the Criminal Damage Act 1971 inappropriate to many instances of modification of the contents of a computer. The Law Commission in its Report Computer Misuse (Law Com No 186), after examining Cox v Riley [1986] 83 Criminal Appeal Reports 54, and Henderson and Battley (Unreported , 29 November 1984 CA, which was followed in Cox v Riley), came to the conclusion that clarification of the law is required with respect to the Criminal Damage Act 1971. They looked at the definition of 'property' in the 1971 Act which equates the concept with the quality of tangibility and said:

"For the commission of a criminal offence to depend on whether it can be proved that data was damaged or destroyed while it was held on identifiable tangible property not only is unduly technical, but also creates an undesirable degree of uncertainty in the operation of the law." (Law Com No 186, para 2.29).

The conclusion was that these authorities did not make the law clear that damage of a non tangible nature can occur. Therefore the Law Commission recommended that:

"the unauthorised alteration or destruction of data or programs, when it is done with intent to impair the operation of the computer or the reliability of data held in a computer, should be a criminal offence." (Law Com No 186, para 2.33).

Top | Contents | Bibliography

The Offence

Section 3(1) of the 1990 Act states:

"A person is guilty of an offence if -

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge."

The word 'modification' is defined in section 17 as the alteration or erasure of any program or data or the addition of any program or data to the contents of a computer. This covers the computer viruses, worms, trojan horses, logic and time bombs.(1)

The first example of the use of a 'trojan horse' was seen in the UK before the enactment of the Computer Misuse Act 1990. At the end of 1989, the FBI arrested a man of 39, who had been involved in an ambitious attempt to blackmail thousands of personal computer users throughout the world. The FBI worked closely with New Scotland Yard's Computer Crime Unit to apprehend Dr Popp, of Ohio who sent free bogus computer diskettes to 20,000 people in London, and around the world containing a program which, Popp claimed, assessed the user's risk of contracting the AIDS/HIV virus. In fact, the diskettes were merely a means of introducing a trojan horse into the user's computer. This device was designed to go into action after the computer had been used approximately 100 times. Recipients were warned that their computers would stop functioning unless they paid the licence fees of £225 to a bank account in Panama. This case is thought to be the world's most ambitious computer crime. Dr Popp was extradited to the UK but his case never came to trial. His counsel presented evidence that Dr Popp's mental state had deteriorated. The Crown Prosecution Service accepted that Popp was mentally unfit to stand trial (Clough & Mungo 1993, p 146). Today, if found fit for trial, it is likely that Popp would have been liable under the section 3 offence.

Section 3(2) states that:

"For the purposes of ss.1(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing -

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data."

Section 3(3) shows that it is immaterial whether the intent is directed at any particular computer, program or data or programs or data of a particular kind or at any particular modification or any modification of any particular kind. The requisite knowledge is knowledge that the intended modification is unauthorised.

Section 3(6) provides:

"For the purposes of the Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition."

The 1971 Act will, therefore, still be relevant to cases where modification results in impairment of the physical condition of a computer or computer storage medium, and further, although s 3(6) reverses the effect of Cox and Whiteley in so far as they relate to computers, they should remain relevant authorities in other situations involving the alteration and erasure of information stored in electro- magnetic form such as, on a video or audio tape (Cowley 1992, p 37-38).

The section 3 offence is triable either way and a person found guilty of an offence under section 3 is liable to a maximum sentence of 5 years' imprisonment and/or an unlimited fine in the Crown Court. The accused will be tried summarily if the value of the damaged property does not exceed the relevant sum of £2,000 (Criminal Justice Act 1988, section 38). In this case the maximum penalty that can be imposed is three months imprisonment or a fine of £2,500 (Seago 1994, p 9).

Top | Contents | Bibliography

Unauthorised Modification in the Courts

There have been a number of important cases under the section 3 offence. In Goulden (1992, unreported, Southwark Crown Court, see (Napier 1994, p 525)), the accused pleaded guilty to the section 3 offence of unauthorised modification of computer material. He installed a security package on an Apple workstation for a printing company called Ampersand. The package included a facility to prevent access without use of a password. He was the only one who knew the password, and he made use of this facility as part of a campaign in support of his claim that he was owed fees totalling £2,275. Due to the computerised nature of their printing operations, the company was unable to function for a number of days. They claimed £36,000 for lost business as a result of Goulden's actions, including £1,000 for a specialist to override the access protection. The Court imposed a two-year conditional discharge on Goulden and a £1,650 fine. The judge also commented that Goulden's actions were "at the lowest end of seriousness". Nevertheless, because of Goulden's actions, the company went into liquidation. Susan Singleton has criticised the decision and argues that:

"...the decision in Goulden does not assist in facilitating the use of the 1990 Act as a deterrent." (Singleton 1993, p 181-183).

But Goulden was not the typical hacker with the criminal intention of causing damage to the company's computers, he was only trying to protect his interests.

On 26 June 1991 the police arrested three men who had been cooperating in hacking a number of university, government and commercial computer systems all around the world. They called themselves Eight Legged Groove Machine (8LGM) and they left messages to system managers on some hacked systems signed 8LGM or "eight little green men". They did not meet, or even know each other or their real names until they were introduced by the arresting officers, all their contact was by discussing hacking and swapping passwords on various bulletin boards.

All were arrested at about midnight while engaged in hacking in their own houses. They were charged with conspiracy to commit offences contrary to section 3 of the 1990 Act. They were also charged with conspiracy to make dishonest use of services provided by British Telecom. Karl Strickland and Neil Woods pleaded guilty. Woods also admitted causing £15,000 of damage to a computer owned by the Polytechnic of Central London. Strickland's activities included hacking into NASA and ITN's Oracle network.

In Strickland and Woods, the defendants were each sentenced to six-months in prison at Southwark Crown Court on 21 May 1993 (Ward 1993). Judge Michael Harris stated:

"I have to mark your conduct with prison sentences, both to penalize you for what you have done and for the losses caused, and to deter others who might be similarly tempted."

He went on to say:

"There may be people out there who consider hacking to be harmless, but hacking is not harmless. Computers now form a central role in our lives, containing personal details, financial details, confidential matters of companies and government departments and many business organisations. Some of these services, providing emergency services, depend on their computers to deliver those services. It is essential that the integrity of those systems should be protected and hacking puts that integrity into jeopardy."

The judge also remarked that hackers needed to be given a "clear signal" by the courts that their activities will not and cannot be tolerated. Interestingly, after the case, Detective Sergeant Barry Donovan, formerly attached to Scotland Yard's computer crimes squad, said that, since the publicity surrounding the arrest of Woods and Detective Strickland, the amount of hacking in UK had decreased dramatically, although it was still an international problem (Ward 1993).

Paul Bedworth, then 18, hacked into and made changes to the Financial Times database which cost the newspaper £25,000, and he also left The European Organisation for the Research and Treatment of Cancer with a £10,000 telephone bill. He was charged with two counts of conspiracy under the 1990 Act together with Strickland and Woods and one of conspiring to dishonestly obtain telecommunications services. It is interesting to note that the prosecution charged Bedworth with conspiracy, rather than simple charges of unauthorised access (section 1) and unauthorised modification (section 3). This appears to be the main reason for his acquittal because the prosecution had to prove that he had a 'guilty mind' at the time of the hacking.

In Bedworth, the defendant pleaded not guilty to the charges and as a defence it was claimed that he was addicted to computer use and by virtue of that addiction was unable to form the necessary intent (Charlesworth 1993, pp 540-541). The defence called expert witnesses and tried to impress upon the jury that Bedworth had a kind of addiction which was described as 'computer tendency syndrome' (See Shotton 1989). The jury duly acquitted, despite the fact that Judge Michael Harris had made it clear to the jury that obsession and dependence were no defence to criminal charges (See Charlesworth 1993, p 541). This decision was strongly criticised and Richard Buxton QC (the Law Commissioner who drafted the original report which led to the Computer Misuse Act 1990) is reported to have called the result "a fluke", suggesting that as the judge appears to have directed the jury properly, the verdict was a result of "the jurors having ideas of their own" (Computer Weekly 1993). Some people considered this decision to be a 'Hacker's Charter' (Christian 1993, p 2) or a 'licence to hack' (Charlesworth 1993, pp 540-541). It was also said that if the prosecution had decided to charge Bedworth with a more straightforward section 1 offence they would have been successful (Napier 1994, pp 522-527). The jury may well have taken into account his age and did not want to convict an 18 year old who was planning to go to university.

In the wake of this decision, a book called Hacker's Handbook (2) was withdrawn from publication because of a fear that its contents relating to hacking might constitute the offence of "incitement or conspiracy with others to commit an offence" following the decision in Invicta Plastics Ltd v Clare [1976] RTR 251 which concerned radar detectors.

Another recent case involving the section 3 offence is Whitaker (Unreported, 1993, Scunthorpe Magistrates' Court, (see Napier 1994, pp 522-527)) which involved a software developer and his client. Whitaker initiated a logic bomb designed to prevent the use of the software following a dispute over payment of the software. Whitaker argued that he retained the copyrights to his software so he was allowed to do so, but the court held that this was not provided in the contract and therefore he was guilty of an offence under section 3.

Top | Contents | Bibliography

The Pile Case

On 15 November 1995, at Exeter Crown Court, Christopher Pile, known as the 'Black Baron' in the computer underground, was sentenced to 18 months under Section 3 of the Computer Misuse Act 1990. Pile pleaded guilty to five charges of gaining unauthorised access to computers, five of making unauthorised modifications and one of inciting others to spread the viruses he had written. The Court was told that Pile created two vicious and very dangerous computer viruses named 'Pathogen' and 'Queeg'. Judge Jeremy Griggs said that:

"Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment." (See Uhlig 1995)

Prominent British companies have been affected by the viruses. Microprose estimated its losses to be up to £500,000 and used more than 480 staff hours checking more than a million files (See Uhlig 1995). Pile spread his viruses all around the world through computer bulletin boards, and in most of the cases he has hidden them in computer games. The total damage he has caused will be unquantifiable but undoubtedly serious.

Top | Contents | Bibliography

Conclusion

The Pile case is of great interest because it is the first time a computer virus writer has been prosecuted in England. It also demonstrates that, despite initial difficulties with its application, the Computer Misuse Act 1990 is effective. Nevertheless, it is becoming a lucrative business to write and create viruses and in most cases it is unknown by whom they are written.(3) Evidential difficulties are compounded by the fact that in most cases the viruses destroy themselves as well as damaging the computers leaving no evidence behind.

It is important also to consider the approach of the business community towards computer crime. In 1992, the Department of Trade and Industry published a report on computer misuse. The report revealed that major companies believe that they would not benefit from bringing an action under the Computer Misuse Act 1990 and that the cases would attract unwanted attention and adverse publicity for the company. Another reason for companies' reluctance to report computer misuse to the police is that they would not derive any significant direct benefit themselves, because unlike a civil claim, there is no restitutional element in a Computer Misuse Act 1990 prosecution, nor any possibility of compensation (DTI 1992, p 21, para. 241). As a result of these concerns few cases reach the courts. A solution might be insuring companies against computer crime so that insurance companies put pressure on companies to report cases.(4) But the real encouragement to the companies to report computer misuse incidents would be the effectiveness of the police dealing with computer crime. The business community have expressed concern as to whether the police have the appropriate skills to investigate computer crime cases (DTI 1992, p 29, para 325)

Significant obstacles lie in the way of a successful prosecution for computer misuse. For example, an important issue in prosecuting cases under the Computer Misuse Act 1990 is the acceptability of computer generated evidence under section 69 of the Police and Criminal Evidence Act 1984. Normally defence counsel would insist on proof that the computer was working properly (Shephard [1993] Crim LR 295). This may be difficult to prove in such cases where the hackers damage the hard disks by simply deleting files or introducing viruses with such effect that even getting a print-out is impossible (Vatsal Patel, Unreported 1993, Aylesbury Crown Court, (see Turner 1994, p 4)). The Computer Crime Unit in the Metropolitan Police was established to investigate cases of computer crime but the limited number of cases reported ensures that the police are not provided with the opportunity to develop their skills (see Battcock 1995).

Computers are a part of our lives and damage to computers may mean serious problems. Everything from medical records, to bank accounts are stored in computers and satellite communications and air traffic are controlled by computers (see Jones 1996, p 46). Although the Computer Misuse Act 1990 is a valuable legal weapon to fight computer crime, it remains imperative that practical computer security is taken very seriously by the business community.

Top | Contents


Bibliography

The Audit Commission (1994) Opportunity Makes A Thief: An Analysis of Computer Abuse (London: HMSO).

Battcock, R (1995) 'The Computer Misuse Act 1990: 5 years on' (includes a complete list of cases prosecuted under Computer Misuse Act 1990 up to July 1995) available at http:// www.strath.ac.uk/Departments/Law/student/PERSONAL/R_BATTCOCK/

Charlesworth, A (1993) 'Addiction and Hacking' New Law Journal 540.

Christian, C (1993) 'Down and Out in Cyberspace' 90 Law Society's Gazette 2.

Clough, B & Mungo, P (1993) Approaching Zero: Data Crime and the Computer Underworld (London: Faber and Faber).

Computer Weekly (1993) 'The Case of the Artful Dodger' 25 March 1993.

Corbitt, T (1994) 'Microcomputer Systems: Recovering from virus attack' 158 (38) Justice of the Peace 618 and 158 (39) Justice of the Peace 634.

Cowley, D (1992) 'R v Whiteley' 56 Journal of Criminal Law 37.

Cane, A (1992) 'Computer Security Breaches Cost £1.1 bn' Financial Times, 30 January.

DTI Report (1992) Dealing with Computer Misuse (London: HMSO).

Jones, SC (1996) 'Computer terrorist or mad boffin ?' New Law Journal 46.

Law Com No 186 (1989) Computer Misuse (London: HMSO).

Napier, B (1994) 'Update on the Computer Misuse Act 1990' Journal of Business Law 522.

Seago, P (1994) Criminal Law (London: Sweet & Maxwell).

Shotton, M (1989) Computer Addiction: A study of Computer Dependency ( Taylor & Francis).

Singleton, S (1993) 'Computer Misuse Act 1990 - Recent Developments" 57 Journal of Criminal Law 181.

Turner, M (1994) 'R v Vatsal Patel - the Computer Misuse Act 1990, s. 3(1)' 5 Computers & Law 4.

Uhlig, R (1995) 'Black Baron, computer virus writer jailed for 18 months' The Electronic Telegraph 16 November, available at http://www.telegraph.co.uk

Ward, S (1993) The Financial Times, 23 May 1993.

Watts, S (1993) The Independent, 18 March 1993.

Footnotes

(1) A 'computer virus' is a program which can reproduce itself within computers by attaching itself to other programs. It can be passed from one machine to another by hiding in software files. Usually it is created with malicious intent to damage computer hard disks and erase information. A 'computer worm' is a similar program to a virus, but designed only to reproduce itself (segment by segment like a worm) within computers and across networks. Unlike viruses, a worm is not programmed to erase or alter files, but can create chaos by soaking up machine space and crashing systems. A 'trojan horse' is a program hidden inside apparently normal files or software which is introduced to the host system and can be triggered to cause damage or alter information. A 'logic' or a 'time bomb' is a program inserted into the host computer which is set to go off on a specific date or after a system has been accessed a certain number of times and can be programmed to erase files or perform less malicious tasks. Back to text.

(2) Written by Hugo Cornwall and the edition withdrawn from publication was edited by Steve Gold who was involved in the famous Prestel hacking. Back to text.

(3) Dr Solomon's Anti-Virus Toolkit suggests that there are over 4000 known viruses and over 2000 trojan horses in the world mostly written in Bulgaria. Back to text.

(4) According to the Security Breaches Survey published by the National Computing Centre in 1992, computing security breaches cost £1.1 billion per year to the UK business companies (Crane 1992). According to the Audit Commission's analysis of computer abuse, 1073 organisations suffered a total of £3,822,213 in 1993 (The Audit Commission 1994). Back to text.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/other/journals/WebJCLI/1996/issue3/akdeniz3.html