Previous Section Home Page

Column 1162

insurance company's records were penetrated and aspiring burglars had access to information about items that householders had declared as being of special value. Finally, and perhaps most commonly, there are many known instances of disgruntled employees disrupting their firm's records and perhaps taking commercially confidential product information with them in the hope of attracting a new employer or of selling it to the competitors of their previous firm.

The Department of Trade and Industry has done a great deal of work on the safety of critical systems and it is likely that, in future, systems such as those linked to air traffic control will be much more secure. It is important that such systems should not be accessible via the public network. I believe that we can be assured by a great deal of the work that is being carried out in that area.

Mr. Colvin : As one with an interest in civil aviation, I have investigated this issue and have been assured that the air traffic control system in the United Kingdom is on a closed circuit and that it is therefore virtually impossible for a hacker to gain access. That is vital, because otherwise one might start a lot of alarmist reporting that would give people the feeling that they were in danger in the air. I am assured that our ATC system is safe.

Mr. Waller : I am grateful to my hon. Friend. Whatever the secure system, it is absolutely right that it should be backed by the law. It should be clear that there are severe penalties--such as those provided in my hon. Friend's Bill--to show that society regards such activities as absolutely indefensible.

My hon. Friend and others have already dealt with the question of the intention to cause harm and the beliefs of some people about those who indulge in hacking only as a hobby, without any wish to cause harm. It could be argued that drunken drivers have no intention of causing harm, but that would not be regarded as an excuse. Indeed, my hon. Friend the Member for Corby (Mr. Powell) has said that he has never used the defence in court that a burglar had burgled a house for the public good.

That brings me to my next point, about security. It has been suggested that if the security is not very good, that in some way mitigates the offence. It is interesting that in West Germany, where similar legislative provisions exist, the degree of security is taken into account. It would therefore be possible for a computer hacker or somebody who penetrated a system there to argue that its security was inadequate. However, if my hon. Friend the Member for Corby were presenting a case, I do not think that he would suggest that it was a defence that the house had an inadequate lock. Everybody should be encouraged to apply the maximum security, but the fact that such security does not exist to a sufficient extent is no defence for somebody who might be accused under the Bill.

Reference has been made to the arrival of the single European market in 1992. Much work is being done in the computer sector to prepare for that. Open-systems interconnection work is moving along fast. It is a set of internationally accepted technical standards which enable the computer system to operate across national boundaries with almost any other computer system, irrespective of the national or commercial origin of the hardware or software. That makes it even more urgent not only to press ahead with legislation in this country, but to discuss with our partners within the Community and


Column 1163

indeed, outside it, the need for measures in other countries. It must be generally accepted throughout the Community and internationally--to the extent that that is possible--that computer misuse is a criminal act for which appropriate sanctions must exist. When discussing the damage that can be done, it is worth pointing out that even the police national computer has not been free from penetration. Someone successfully interchanged several criminal records on its database. When he was caught he argued that he had not destroyed, stolen or, indeed, falsified the information, which was still intact. He had simply moved it around. In that case, the person involved was successfully prosecuted for falsifying evidence put before a court. One wonders whether there are other instances where information was not obtained and put before a court because such action was carried out successfully. Here again, we come to the tip of the iceberg syndrome and the need for action to be taken. It is another reason why the Bill is welcome.

I pay tribute to the work of David Frost, who is a partner in the data security group of Price Waterhouse, a company which already has considerable experience in this matter. Mr. Frost has done a great deal of research into the position in other countries. It is interesting that the number of countries with legislative provisions against computer misuse is growing all the time. It includes Australia, Canada, Japan, Holland, the United States of America and West Germany.

Two incidents have arisen recently in north America. In one, four college students were arrested for making $20,000 worth of long-distance telephone calls by using a program that dialled toll-free numbers. The program then took control of the company's electronic switch so that the calls could be re-routed to any part of the world. In another case, a university professor was suspended after making improper use of the university's computer facilities for his own purpose.

A wide range of people are prepared to take advantage of loopholes in the law. My hon Friend the Member for Romsey and Waterside is plugging an important loophole with his Bill. By doing so, he is doing a service not only to the House but to the nation.

11.53 pm

Mr. Harry Cohen (Leyton) : I congratulate the hon. Member for Romsey and Waterside (Mr. Colvin) on winning a high position in the ballot, but he could have chosen a better Bill. I have serious doubts about it, and not because I approve of hackers or believe that those who misuse or gain unauthorised access to a computer are doing something harmless.

The Bill is ill defined. We have heard aleady that it does not define what a computer is. It is lopsided and does not tackle the most important aspects of computer misuse, its implications have not been well thought out. For example, it contains unnecessary criminalisation, and in years to come will affect areas which the sponsor does not envisage.

I wish to make a few comments about the parliamentary process surrounding the Bill and the involvement of the Government and the Law Commission. The Law Commission was harassed by the hon. Member for Torridge and Devon, West (Miss Nicholson) into producing quickly a report on computer


Column 1164

misuse. It is one of the few Law Commission reports that I have seen that has been published without accompanying draft legislation. That haste means that we have no means of comparing the intricate details of the legislative proposals in the Bill with those that would have been produced by the Law Commission.

One difference between the Bill and the Law Commission recommendations that I have noticed is that the sentence has been increased from three months to six months imprisonment. I assume that that is to do with the rate of inflation. Perhaps the sponsor will reply to that point. Is that the only way in which the Bill differs from the Law Commission's proposals? For example, the first sentence of the explanatory memorandum of the Bill says :

"This Bill gives effect, with modifications, to recommendations made by the Law Commission in its Report on Computer Misuse." That sentence is unhelpful. If we do not know how the Commission's proposals have been modified, how can we properly discuss the Bill? The sponsor should furnish a complete list of the modifications when the Bill goes into Committee.

The Minister for Industry (Mr. Douglas Hogg) : The hon. Gentleman asks what the Law Commission would have recommended by way of legislation. If he cares to look at page 35 of the commission's report, he will see a concise and useful summary of the main recommendations. With slight and few exceptions, the Bill reflects those recommendations.

Mr. Cohen : Of course I shall do that. However, the usual process was not employed. Normally the Law Commission produces its own draft legislation which can be compared with the Bill. I take the Minister's point. It testifies to the haste with which the Bill has been brought forward.

On 10 October last year Mr. Peter Casey, the director of computer security at the Department of Trade and Industry, sent out a letter asking for comments on the Law Commission's report by the end of October. He allowed only three weeks for people to respond. The letter said that its purpose was to ask for supporting evidence that would help establish a case for or against legislation. It said that the Government aimed to legislate in the current Session. Clearly he assumed in October that the legislation would be in Government time. In early November something happened. We had smoke signals from the old fag end himself, the Secretary of State for Trade and Industry. They suggested that, because of the pressure of legislation in the Queen's speech, Government time would not be found for the Bill. In true Marie-Antoinette fashion, he was quoted in the press as saying something like, "Let them find a private Member to promote the Bill."

Private Members' time is precious. It should not be taken over by the Government. The Government may rewrite and help with the Bill, but they should not use a private Member to promote their Bill. We are dealing with a 19-clause Government Bill promoted by a private Member. That is an encroachment on our time by the Government.

Mr. Colvin : The hon. Gentleman should direct his remarks at me rather than at my hon. Friend the Minister. If he had been in the Chamber earlier, he would have heard me say that I believe that there is decided merit in the Bill


Column 1165

being introduced by a Back Bencher. If the Bill was introduced by the Government, they might be persuaded to exceed the recommendations of the Law Commission's report, especially with regard to police powers. Perhaps my hon. and learned Friend the Minister will comment on that. My Bill has stuck closely to the Law Commission's recommendations, which have been debated at great length, just as the working paper No. 110 on which the Law Commission based its recommendations has been the subject of debate for some time. Many people gave evidence and many have written in support of those recommendations.

The hon. Gentleman is a strong supporter of the rights and privileges of Back Benchers to introduce legislation. I am sure he would be the first to agree that, as a Back Bencher is promoting this Bill, any temptation to add to police powers--about which we must all think carefully--could be resisted.

Mr. Cohen : I accept that point, and I agree that any Back Bencher may introduce any Bill that he likes, but the signs suggest that this is a Government Bill. It is a big Bill and I agree with my hon. Friend the Member for Kirkcaldy (Dr. Moonie) that there would have been advantages in the Government presenting it. It then would have been subject to scrutiny and the Government would have been obliged to defend its proposals, whether or not they went beyond the Law Commission's recommendations. A barrage of civil servants would also be available to provide information. When the Bill goes to Committee, the hon. Member for Romsey and Waterside and his colleagues may not have all the detailed facts available. The Government, however, could present such details about the change in the law.

It is worth noting the contents of early-day motion 412, which condemns :

"the unprecedented taking of Back Benchers' rare prime debating time by a Front Bench Member"--

referring to my hon. Friend the Member for Livingston (Mr. Cook), who introduced a ten-minute Bill on the ambulance dispute in an attempt to get it settled--

"thereby usurping a Back Bencher's customary prerogative." The Government, however, are using Back Benchers' time to introduce this Bill. The hon. Member for Romsey and Waterside and the hon. Members for Torridge and Devon, West (Miss Nicholson) and for Coventry, South West (Mr. Butcher), who are sponsors of the Bill, signed the EDM about Back Benchers' time being usurped, yet here they are supporting a Bill that does just that.

The Bill criminalises the act of unauthorised access to a computer, irrespective of the circumstances in which that is done. A person might access a computer to read something that he could obtain in a library--for example, a Shakespearean sonnet. Such an act will become a criminal offence subject to six-months' imprisonment. By contrast, an unauthorised person who reads the most sensitive manual files can get away with it, but such action is far more offensive.

We would be misleading ourselves if we believed that the Bill is anodyne or uncontroversial. The heated argument that occurred when the British Computer Society had a meeting on 27 November in a Committee Room of the House demonstrated that. That argument was between Professor Brian Niblett, a Home Office adviser and an eminent specialist in computer law, and the hon. Member for Torridge and Devon, West. My researcher, together with about 130 computer specialists


Column 1166

and barristers, was present. At the end of the debate the vote was close, 3 : 2 in favour of the Law Commission's proposals, which demonstrates the depth of division about the Bill.

That division was highlighted by the press release from the Data Protection Registrar, whose job is to achieve a balance between the users of personal data and the individuals affected. The headline ran :

"Some Hacking Should Be A Crime"--

not all--

"But exclude younsters for simply misbehaving".

The Bill is all about hacking and the press release stated : "In response to the Law Commission, the Data Protection Registrar has given his views on hacking' into computer files. The CBI recently commented on these views. The Registrar, Mr. Eric Howe, supports the criminalisation of some cases of hacking, but emphasises the duty of computer users to protect their own systems and data adequately. This is not a simple issue', Mr. Howe said." The promoter of the Bill is treating it as such because he is treating all hacking as illegal. Mr. Howe continued :

"I take the view that, rather than creating a single blanket offence, a selective approach is more appropriate.

One offence should be related to an intent on the part of the hacker' to gain some advantage for himself or another, or to damage another person's interests. A second category could arise when actual damage is caused to data or software, whether inadvertently or not. And finally an offence barrier should be established for some particular kinds of systems which affect the health or safety of individuals and with which any attempt to interfere might endanger life. These could include, for example, air traffic control and medical systems.

Mere misbehaviour, for example by youngsters, is not a matter which we normally would seek to criminalise unless it has some significant effect. To criminalise all unauthorised access or attempts at accesss regardless of whether there is damage or risk of damage would be to take a serious step which I find hard to justify as a matter of principle.

I believe that it would be wrong to criminalise those who have no criminal intent and create no hazard. This is analogous to a case of trespass where no damage is caused. There may be a case, however, for dealing with persistent unauthorised access.

We should not lose sight of the fact that computer users ought to protect their own systems and, as regards personal data, this is a duty clearly established in the Data Protection Principles. You've only yourself to blame if your neighbour's cattle get into your unfenced field."

That press release presents a much more sophisticated case for what is criminalised or not than does the Bill, under which all hacking will be illegal.

Some barristers are also against the proposals. In The Times of 21 April 1989 Alistair Kelman, a barrister specialising in computer law, said :

"The only gap in the law is when a hacker gains access to a computer and just has a look around."--

that is the key phrase.

"But the existing laws of fraud, theft and criminal damage cover cases where financial loss or intentional damage occurs." He queried why those who access a computer just to have a look around should be guilty of an offence. If a hacker breaks into a medical database and uses the information to blackmail someone, he would be caught by the law on blackmail. The hacker who broke into a defence computer and sold its secrets would be prosecuted under the Official Secrets Act 1989. As a result of the Bill, someone who accesses a computer just to have a look round will be guilty of a section 1 offence. The Bill's net is being cast far too wide, and it will lead to many people, some vulnerable, committing a crime where none now exists.

The word "computer" is not defined in the Bill. On 13 March 1989 there was a debate in the House at 3 am to


Column 1167

which the hon. Member for Beverley (Mr. Cran) and my hon. Friend the Member for Huddersfield (Mr. Sheerman) contributed. Given its timing, some hon. Members may be unaware of it. The debate was about the lack of legislation covering electronic surveillance devices. Those hon. Gentlemen were rightly trying to pressurise the Government into controlling surreptitious electronic surveillance devices which can be bought cheaply and which are being used increasingly to infringe privacy. The then Minister of State, Home Office, now the Government Chief Whip, said that when controlling such devices there was a major problem about their definition. He said :

"The Government are not persuaded that it is practicable or necessary to extend the criminal law to cover electronic or other surveillance or eavesdropping, objectionable though such activities can undoubtedly be. A criminal offence must be clearly defined, well understood and capable of effective enforcement. It would be difficult to define an offence in this area without making it so narrow that it was easily evaded or soon overtaken by new technology, or so wide that it was unreasonable and unenforceable in practice."--[ Official Report 13 March 1989 ; Vol. 149, c. 187.]

The Government gave that as a reason why they could not legislate, and yet the Bill legislates without a definition. That approach is inconsistent.

If the Bill attempted to define a computer, I appreciate that there would be a problem because it might not cover the next generation of computers. It would have to be continually updated to stay the course. However, it would be better to have a definition than none at all because otherwise the Bill could bring the law into disrepute by making too many actions criminal.

Mr. Douglas Hogg : The hon. Gentleman has argued the case for defining the word "computer". I am sure that he will keep well in mind the fact that in paragraph 3.39 of the Law Commission's report precisely that point was considered, and the Commission recommended against defining that word.

Mr. Cohen : I appreciate that, but how can the Minister make that point and justify the former Minister of State, Home Office, saying on 13 March that the Government could not legislate against electronic surveillance machines because they could not produce a definition. That is inconsistent. If they could not legislate for such machines because they could not define the word "computer" they should not legislate for hacking. If they can legislate against hacking because they do not need a definition, they should legislate against electronic surveillance. The Government cannot have it both ways.

By omitting the definition, the Bill will not only apply to mainframe and personal computers and other computer technology, but will extend to a range of consumer electronics that currently have, or will have, programmable or computer-type functions. I am sure that the sponsor did not think that that was the case, but it could happen. In years to come, the Bill could apply to a washing machine, controlled by a chip, electronic car locks or programmable compact disc players, light switches, pocket calculators and watches. That is nonsense.

Let us suppose that an hon. Member finds an electronic personal organiser in the street and presses a button to find out whose it is so that he or she can hand it back. He or she would fiddle with the on-off switch, and, under clause 1 of the Bill, could be imprisoned for six months. Let us


Column 1168

suppose that someone gets a brand new Rolls -Royce, parks it in the street and a young, east end lad who is dead keen on cars--there are plenty in my area--goes out, touches it and sets off the computer. He will be committing an offence under the Bill.

Mr. Colvin : Earlier the hon. Gentleman made great play about the question of intent. The intent must be there. The access may be unauthorised, but unless the hacker intends to get access to a computer system he or she will not be committing an offence.

Mr. Cohen : I take that point. However, the hon. Member for Torridge and Devon, West earlier spoke about how judges will interpret the provision. I would not like to think how Judge Pickles would interpret a lad touching a lock. He might not do it in an attempt to open the car and gain entry, but he might touch off the computer and that could be interpreted as intentional.

London travel cards contain conditions to the effect that they can be used only

"by the person shown in the accompanying Photocard".

Those cards cost a lost of money and, if the carrier of the card goes through computer ticket machines he or she will have to carry his photocard at all times. We are on to the ID debate. The House has never accepted that everybody must be immediately identifiable, but this Bill does so, by the back door, for people with travel cards. If carriers do not have their photocards with their season tickets, it could lead to six months in the nick for them. The Bill can apply to every-day facilities. Surely that was not the intention of the hon. Member for Romsey and Waterside.

Even defining unauthorised access provides further problems. The Bill tries to do this in clause 18(5), which brings into play the employer-employee relationship. At present, someone might use an office typewriter to do a bit of personal typing, such as wedding invitations or matters relating to the local chess club tournament, and an employer would turn a blind eye to it. However, if it is done on a computer and the employee does not have authorised access, under the Bill he or she can be prosecuted and can get six months' imprisonment. That interferes with employer-employee relationships. It would be bad for the employer because the advice to employees would be to use the computer only if they had received specific authority from their employer.

These may seem extreme examples, but that is not necessarily true. A fly-on -the-wall programme in the late 1970s followed the Thames Valley police in their work. At one stage, a constable said to the desk sergeant, "Sergeant, I cannot find anything in the book to charge him with." The sergeant answered, "Go and look in the bigger book." He meant the constable to find an offence to fit the facts. The Bill, drawn as wide as it is, could easily give a policeman who wants to arrest someone the chance to do that when a computer is involved. That is wrong. An offence under clause 1 would have almost universal application whenever any electronic system was switched on.

The Bill is one-sided because it deals with private hackers, but computer misuse is much wider than that. The Government are one of the biggest, perhaps the biggest, computer misuser, yet they are not even touched on in the Bill. I tabled early-day motion 416 about the electoral register. The Government replied that they had no plans to let voters decide for themselves whether they wished their names and addresses to be sold, inform voters


Column 1169

that this had been done, provide guidance on privacy issues to electoral registration officers about the disclosure of information on individuals or protect those at risk should their names and addresses be sold or disclosed--for example, women who had suffered violence from their male partners. That is one example of Government abuse not touched on by the Bill. Why should the Government be allowed to get away with this without let or hindrance and pick on a few private hackers? Why should the owners get away with it without having a duty of care with regard to privacy?

The argument behind the Bill and the Law Commission's report is that we need special crimes concerning access to computers because computers are special and unauthorised access can cause damage. If computers are special, the owners of them should have special responsibilities. We have legislated to the effect that the owners of guns have to keep them in lockable, custom -built storage cupboards, yet computer misuse can also cause death and there is no duty on computer owners to maintain security.

The Bill does nothing to enhance security. First and foremost, it should encourage all computer users to improve all aspects of computer security. The hon. Member for Romsey and Waterside would have done better to pick up the recommendations of the Younger committee in 1972 to criminalise electric surveillance and eavesdropping and to tighten up the Data Protection Act 1984 which is now regarded as one of the weakest of such measures in Europe. The Bill should not be restricted to hacking. There are three other basic ways in which computer misuse can be prevented. First, the basic security of data should be guaranteed ; secondly, the procedures used should ensure that the reliability and integrity of computer operations remain intact and are properly tested ; and, thirdly, privacy should be protected. Those three elements are absolutely crucial and are not addressed in the Bill.

Mr. Ian Bruce : I know that the hon. Gentleman has listened carefully to virtually all the debate, but unfortunately he was not here when my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) was introducing the Bill. He will find that many of the points he is raising were adequately covered by my hon. Friend. Perhaps he should read Hansard . I am sure that we would welcome him in the Committee if he wished to pursue those matters.

Mr. Cohen : I did not miss all of the speech of the hon. Member for Romsey and Waterside. I apologise for missing the initial part of his speech, but I was here for the last part of it, and I heard much of what he had to say.

The hon. Gentleman's intervention does not deflect from the argument that private hacking is only a small element of computer misuse. The Government data network is not even considered in the Bill. The Government have recently answered questions from me saying that they are extending their data network into other sectors. How can we discuss unauthorised access to data as defined under clause 18(5) of the Bill when the Government refuse to define their own internal authorisation procedures? Someone might break into the Government computer network and get done under the Bill, yet the Government refuse to define what is authorised and what is unauthorised.


Column 1170

Probably the best and most well-known hackers are the security services. The Bill does not touch them. They have the freedom to hack at will and cause whatever damage results from that hacking. I have raised the matter on a number of occasions. I asked for a code of practice, and the Government refused. I suggested there should be independent oversight of the security services, such as the Data Protection Registrar. He is in place already. The Government should give him independent oversight over the security services if they start hacking and causing damage. But the Government will not do it. The security services represent much more hacking than a few private individuals, yet they are not recognised in the slightest in the Bill.

Mr. Harry Barnes (Derbyshire, North-East) : Perhaps such measures are being introduced simply because there is concern about commercial practices as computer use has become overdeveloped in certain commercial sectors, instead of concern about the matters that my hon. Friend mentioned. One example was the Government's insistence on trying to develop the football ID card system which they still have in cold storage. Under such a system there would have been a computer terminal in the shed at Halifax Town and it would have been very tempting for some people to interfere with that, given the problems regarding football spectators. Therefore, the Government have to introduce increasingly draconian measures in an attempt to protect their position as they have done in regard to the poll tax legislation.

Mr. Cohen : My hon. Friend is alsolutely right. The Bill has been drawn very narrowly, confining computer misuse to one group of misusers, and left out all the other groups. The duty of care has been left out altogether.

The best way forward would have been to introduce legislation to enhance the three crucial elements that I mentioned : basic security, integrity and reliability of computer procedures, and privacy, which never gets a look in. There should be duties upon owners of computers. Damages and compensation could be awarded to people affected by computer misuse by the owners of computers or by the Government. A duty of care would require owners of computers and producers of software to produce software that had been tested because if they were taken to court and could prove that the system had been properly tested they would get off, but if it was discovered that it had not been tested and damage had occurred they would be fined, and therefore the available software would improve. Section 23 of the Data Protection Act should be extended to relate to all data, not just personal data, so that owners who did not take care to maintain the security of their data would have to pay compensation for any damage that occurred. The point made by the Data Protection Registrar about cattle in an unfenced field is right. In fact, it is more serious than that. Let us suppose, for example, that some hacker breaks into an aircraft control system and causes the aircraft to crash. The hacker would go to prison. But if those in charge of the aircraft control system had not taken care they should also be penalised for their slack procedures and should have to pay damages. That is not covered by the Bill.

In summary, the Bill fails to address the three aspects of computer security that most concerns the public : basic security, reliability and privacy. The Bill should provide


Column 1171

that computers will have a special part to play in our future. Computer owners who expect a profit must take special care to ensure that all three aspects of computer security are addressed. The Bill is myopic in looking at only one aspect.

12.29 pm

Mr. Edward Leigh (Gainsborough and Horncastle) : In a way I am relieved that the hon. Member for Kirkcaldy, (Dr. Moonie) is not in his place. To have one's arguments tested by a psychiatrist is bad enough but to have them tested by a computer-literate psychiatrist would give even the most robust Member the kind of nightmares that not even Freud could dream of.

My hon. Friend the Member for Romsey and Waterside (Mr. Colvin) said that in the six weeks that he has been studying these matters closely, things have moved on. However, it seems that some things do not move on, because according to the hon. Member for Kirkcaldy, most hacking is due to sexual inadequacy.

I welcome the Bill as a step forward. However, it is important that the arguments advanced by my hon. Friend the Member for Romsey and Waterside are tested, and that is what I shall seek to do by asking some questions. Friday debates are often dominated by enthusiasts. Although I did not agree with everything that the hon. Member for Leyton (Mr. Cohen) said, he asked many worthwhile questions that need to be answered by my hon. Friend the Minister for Industry. The Bill is similar to two Bills that we have discussed on Fridays in this Session. They were worthy Bills, but there were problems about enforceability and about whether in some aspects current common law and statute law is not sufficient to deal with the problem. In terms of clause 1 we seek an assurance from the Minister that the innocent hacker--if one can describe any hacker as innocent--will not be put in an invidious and impossible position.

On clause 2 we want to be assured that existing law is not adequate to deal with the problem. I shall go through those problems and take up some points made in the press by commentators on these issues. The first comment is by Terence Wright who is a computer conferencing specialist. He makes a worthwhile comment when he says :

"There is a wide cultural gulf between those who learned computing in 1961 and those who learned in childhood more recently." Is my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson) able to distinguish hitting keys 1980 style from hacking? Can the courts? Will they convict the innocent because they did not do what the manuals said they should do?

My hon. Friend the Member for Romsey and Waterside assures us that under clause 1 hacking must be deliberate, but we need reassurances from the Minister about that. Mr. Wright also says :

"The great Prestel hack', which is so often cited, was a case of a wide- open door, and not of security being broken. There was no security and there should have been."

I hope that the Bill will become an Act, but no one would want it to absolve people in the computer industry from being responsible for closing doors. That is their responsibility.


Column 1172

We heard much in the debate about bulletin boards. Terence Wright said at some length that we do not want to ban bulletin boards in the same way as in the past people wanted to ban books. Hon. Members have reassured us about that, but perhaps the Minister may also wish to speak about it.

The substantial questions about the Bill relate to clause 2 and whether what it seeks to ban is not already covered by statute law. A person who steals money by using a computer can surely be charged under the Theft Acts of 1968 and 1978. In the case of a person who has access to a database for which charges are made the same Acts can apply. Anyone who maliciously or recklessly deletes or contaminates computer files should fall foul of the Criminal Damage Act 1971.

Mr. Douglas Hogg : No.

Mr. Leigh : My hon. Friend the Minister says no, but perhaps he will deal with the matter more fully when he makes his speech because the matter has been raised in the press and should be answered by the Minister.

Anyone who manufactures a magnetic strip card or a password-bearing disk to access a computer could be charged under the Forgery and Counterfeiting Act 1981. Perhaps the Minister will also deal with that. There has been much sensational publicity about access to secrets. Will the Minister assure us that if there is such access the Official Secrets Acts are not sufficient to deal with the problem? I hope that the Minister will deal with the problem of enforcement. We are reminded that out of 150,000 police officers in England and Wales only five are mainly concerned with computer crime. We have not gone into that in detail. Fewer than 100 have received even the minimum four weeks basic training and the Serious Fraud Office has one computer-knowledgeable official. I read that in an article in The Guardian written by Hugo Cornwall but I do not know whether it is correct. If it is, it is alarming and must throw doubt on whether the provisions of the Bill will be enforceable.

Mr. Colvin : My hon. Friend raises an important issue. I have spoken to the police and I have been assured that the courses at Bramshill police college and at Hendon police school include specific courses on computerisation and the issues that are addressed in the Bill. There is also provision for the police to call in expert guidance and assistance, notably from British Telecom which provides the means for networks to be established. My hon. Friend mentioned Hugo Cornwall. Mr. Cornwall has done the country a service by drawing attention to the whole ethos of hacking. He has produced a new edition of "The Hacker's Handbook". If the Bill becomes law he will have to produce yet another edition to take on board the issues addressed in the Bill, or he might find himself straying perilously near to incitement.

Mr. Leigh : I am grateful to my hon. Friend. It is important that we tease out these issues. The Minister for Industry is a former Home Office Minister. I see that he is consulting his civil servants or, more likely, he is giving them instructions. [Interruption.] It appears that he is talking about his lunch. My hon. Friend the Member for Romsey and Waterside raises an important matter and we need to have some answers about what is going on in the


Column 1173

police force. Does it have sufficient resources to deal with this serious problem? The hon. Member for Leyton quoted Alistair Kelman. The quote intrigued me. He said :

"The only gap in the law is when a hacker gains access to a computer and just has a look around But existing laws on fraud, theft and criminal damage cover cases where financial loss or international damage occurs."

Was the hon. Member for Leyton suggesting that if someone intentionally has a look around he should not be liable for criminal prosecution? I see that the hon. Gentleman is nodding. "Having a look around" at a computer can cause immense damage and has done so. My hon. Friends the Members for Romsey and Waterside, for Torridge and Devon, West and for Keighley (Mr. Waller) all dealt with the damage that that is doing to industry.

Mr. Cohen : I share the view expressed in the press release issued by the Data Protection Registrar, that

"if damage is caused inadvertently or not, then someone should be liable".

But if no damage is caused by someone who just enters a system to just look around it, my view is that such action should not be criminalised.


Next Section

  Home Page