Olliers’ Toby Wilbraham considers ‘hacking’ offences under the Computer Misuse Act 1990
‘Hacking’ is mainly governed in the UK by the Computer Misuse Act 1990. This is fairly old legislation considering how quickly technology moves on, but it still applies today. The legislation creates five separate offences as follows:
- Unauthorised access to computer material.
- Unauthorised access with intent to commit or facilitate commission of further offences.
- Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
- Unauthorised acts causing, or creating risk of, serious damage.
- Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.
The legislation covers a wide spectrum of offending, from Section 1, which prohibits unauthorised access to a website or computer system, to the most serious offence under s3ZA of causing serious damage to a system.
It’s fairly easy to commit a Section 1 offence. If anyone has a ‘poke around’ a computer system or website trying to access areas they know they shouldn’t be, then they could be prosecuted under this section. One example would be using someone else’s password to access their Facebook account to view their personal information. Another example would be to look into a company website to access ‘back areas’ to get information about the company or employees that wasn’t publicly available.
More malicious acts are covered under the other sections whereby someone gains unauthorised access to commit a more malicious act such as to disable the system, alter the system, delete data from the system or even to hold it hostage and demand a ransom to fix it.
Hacking – The Good, The Bad and The Ugly
Hackers are described as wearing different hats depending on what they do. The hats are a nod to Spaghetti westerns where the ‘bad guy’ wore a black hat, the ‘good guy’ wore a white hat and characters somewhere in between wore grey hats.
‘White Hat’ hackers are wholly legitimate people. They are given permission by a company to test the robustness of its IT system. They could work for the company’s IT department, be subcontracted to do the work, or otherwise be given permission to do so. The company knows what they are doing, but may not be aware of precisely the means they employ to do it. This is often called ‘Pen testing’ (penetration testing) and is done to see if there are any vulnerabilities in a system that the company is unaware of. They are legitimate and are unlikely to ever be prosecuted. The only situation I can envisage where they could potentially be prosecuted is if they clearly go outside the ambit of the permission they have been given.
‘Black Hat’ hackers are wholly illegitimate people. These are the types of people seen by the public to be hackers. They only wish to gain access to computer systems for malicious reasons. This could perhaps be to cause deliberate damage to a company’s system, to distort the system or to extort money from the company. It could also be to commit further offences, for example to redirect company payments to themselves rather than the intended person. These hackers also use a variety of tools such as malware, bugs and other malicious scripts to cause damage to a system. They are easy to identify from the tools they use and damage they inflict. Legislation is primarily aimed at this group of people.
‘Grey Hat’ hackers fall between the others. These are people who gain unauthorised access to a system but argue that they are not doing it for a malicious purpose. This could be for a variety of reasons.
Unfortunately for this group, they fall under the legislation as much as the ‘black hat’ hackers. There is no defence under the law that excuses their behaviour due to the lack of malicious intent. They could therefore find themselves prosecuted even if their actions were well intended. This could seem unfair, and people who fall into this category feel that their actions should not be prosecuted due to their motivations. They argue that the law is out of date, and there should be an escape route for people in their situation. However, their actions are problematic for a number of reasons.
The main problem is that malicious ‘black hat’ hackers could argue that their actions were not malicious and try to suggest they were in fact ‘grey hat’ hackers. This may apply particularly if they were caught at an early stage before they caused the damage they intended.
How to Deal with ‘Grey Hat’ hackers
‘Grey hat’ hackers are likely guilty of Computer Misuse offences if they are caught by the Police. Their suggestion that they are doing it for non-malicious reasons is almost irrelevant. It may provide mitigation if prosecuted, but does not provide a defence.
When dealing with cases of this nature, lawyers are best advised to take a proactive approach at the pre-charge stage and make representations to the Police / CPS that the case should not be prosecuted on a ‘public interest’ basis, arguing that the intervention was non-malicious even though the actions would amount to an offence.
Examples of cases recently dealt with by Toby.
- R v X – A case where the defendant had accessed the computer system at his children’s school. This system monitored pupils’ progress and enabled parents to access it. He was concerned that the system was insecure and ‘probed’ it to test the security. This unauthorised access was discovered and he was investigated by the Police for a s1 unauthorised access case. Toby dealt with this at the pre-charge stage and made submissions to the CPS that he shouldn’t be prosecuted. The CPS accepted the submissions and dealt with this case by allowing a conditional caution, the condition being that he compensate the firm for the money incurred investigating the hack. The defendant would have lost his job had he been prosecuted.
- R v Y – A case Toby dealt with whereby the defendant accessed a computer system belonging to a previous employer. He accidentally deleted hundreds of files causing significant disruption to the computer system and expense to repair. Submissions were made that he shouldn’t be prosecuted and would repay damage to the company. The CPS decided to prosecute due to the extent of the damage to the computer system, but ultimately the Judge sentenced on the basis that the damage was caused recklessly and he received a non-custodial sentence.
Olliers Solicitors – specialist cyber crime solicitors
If you would like to instruct Toby in relation to your case, please contact Ruth Peters at Olliers Solicitors on 0161 8341515 or by emailing firstname.lastname@example.org. We are able to deal with cases anywhere in England or Wales.