| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
The proposed amendments to Section 3 of the Act would clarify that a person can commit a Section 3 offence by being reckless as to whether, for example, a computer will be impaired, although impairment was not his intent. The amendments will also make it an offence for a person to commit an unauthorised act in relation to a computer with the intent of enabling a person to commit a Section 3 offence.
We must make it absolutely clear that it will not be a defence to suggest that the intention was not to impair the operation of a computer. It is enough that the act was unauthorised and that, by committing such an act, there was recklessness as to whether the act could have caused impairment to the operation of a computer. We must also ensure that it is understood that enabling a person to commit a Section 3 offence is an offence in its own right.
Government Amendments
Nos. 178A, 178B and 178C make transitional provisions to ensure that
the proposed changes to the Computer Misuse Act do not impact on
offences committed before this Bill comes into force. We have also made
amendments to
11 July 2006 : Column 605
The Earl of Northesk: With the leave of the Committee and at the invitation of the noble Lord, Lord Bassam, I shall speak to my amendments in this group. At the outset, I should offer my guarded congratulations and thanks to the Government on bringing forward these changes to the CMA. As the Minister is only too aware, I and others, not least the Internet All-Party Group, have been calling for some time for the legislation to be updated to make it clear that DoS attacks—denial of service attacks—are unlawful. As they stand, Clauses 39 and 40 go some way towards achieving that in a rather more coherent way than my somewhat ham-fisted Private Member's Bill of four years ago. Nevertheless, as the Minister has explained, gaps remain in the provision. In particular, the current drafting does not deal with the problems caused by botnets, zombie infections and the like.
I need not dwell too much on the nature of the problem because the Minister has explained that well enough, but it might be helpful to put this into some sort of context. For example, in 2005 the Federal Trade Commission estimated that something of the order of 150,000 computers were hijacked daily as a means of launching a criminally motivated DoS, spamming and fishing attacks. In similar vein, Gartner, the analysts firm, estimated recently that up to 70 per cent of all spam is generated by zombie machines. In monetary terms, it is estimated that these categories of DoS attack cost internet service providers $500 million every year in excess trafficand customer churn alone. Clearly, therefore, they constitute a serious threat for which adequate provision should be made in law.
4.15 pm
Having tabled my amendments ahead of the Government’s, I can only express my gratitude that the Government have seen fit to endorse my proposition. I am indifferent as to which version finds favour with the Committee; if mine are defective, I am quite content to accept that. Be that as it may, I confess to a certain amount of embarrassment. Although drafted to deal with a specific and palpable problem, I had intended them merely to be probing in character, because I have residual and serious concerns about how effective the provisions will be in practice.
Access to IT systems
can be denied for awhole host of reasons. Notwithstanding the
scale of maliciously motivated attacks to which I have already
referred, the bulk of such denials are attributable to wholly natural
or, dare I say it, innocent causes. At the most basic level,
connections to the internet can be rendered unreliable or inoperable by
pure weight of traffic, as occurred with the 1901 census site when it
11 July 2006 : Column 606
In passing, I cannot resist mentioning today’s media reports of significant problems with the Passport Office’s online systems. Some might even be tempted to argue that this is a particular feature of the PDVN, on which we all rely. Moreover, it is inevitable that these systemic weaknesses are exploited, deliberately or not, by the perpetrators of DoS attacks. The difficulty is that the Bill makes no distinction between those occasions when IT systems slow down and crash as a result of criminal or malicious interference and when they fail for entirely natural reasons. Indeed, that is compounded by the fact that proper analysis of any particular system crash is a profoundly technical matter, more often than not beyond the technical expertise of law enforcement and the judicial process.
An even greyer area is the status of cyber protest, or online lobbying, numerous examples of which exist, such as the pro-Zapitista group, Electronic Disturbance Theatre, or the French group, Federation of Random Action. At its most fundamental, the internet is a means of communication—a hugely powerful one, but a means of communication none the less. As such, it has enormous potential to empower, enrich and liberate the individualcitizen. To that extent, it is crucially important that internet law be drafted, so far as is possible, not to constrain freedom of expression and of association unnecessarily or disproportionately. By its very nature, cyber protest, although of course not criminally motivated, will often mimic the effects of a DoS attack. Occurrences of it will therefore be potentially prosecutable under the terms of the Bill, particularly if one considers the full implications of the drafting of Clause 40(5)(b).
By way of another example, blogging, particularly in the political sphere, is becoming increasingly popular. We should welcome that, especially in terms of public engagement with politics. But if a particularly successful blog generated so much traffic that it crashed the server on which it was hosted—an equivalent of a DoS attack—would its author and those accessing the site have committed an offence under these provisions? As I interpret it, the drafting is unclear on the point. If the answer is yes, that cannot be right. Nor do I believe, given the technical complexities involved in this whole area and thewide breadth of the existing provision, that it is appropriate to fall back on reliance on the interpretation of the courts. As legislators, we should be capable of stating our intent with much greater clarity than this.
I have a number of other,
wider concerns which, conscious of time, I will merely list. First,
there are
11 July 2006 : Column 607
I apologise to the Committee for having spoken at such length. As I say, I welcome the Government’s attempt to bring DoS attacks within the scope of the CMA. It is a small step in the right direction. That said, I am unconvinced that the insertion of these odd few confused clauses at the tail end of a portmanteau Bill demonstrates either adequate understanding of the complexities of the issues or firm resolve to attend to the whole corpus of internet crime. Rather, they are a desultory attempt to use no more than a sticking plaster to mend a broken leg. What is needed above all else is a wholesale rewrite of the CMA, not only to take account of how far technology has moved on since it was enacted, but also to weave in the intricacies of associated civil liberty issues. To be blunt, I fear that ultimately these clauses will create more problems than they solve.
The Earl of Erroll: My Lords, I have had a certain amount of e-mails and discussions about these clauses. In general I think they are a good idea, so they should go through. There is very little difference between the Government’s amendments and those of the noble Earl, Lord Northesk. The only thing I would add is that it has always worried me how you define the difference between a denial-of-service attack where it comes from one point or a set of netbots, and someone demanding that everyone lobby their MP on a particular issue so suddenly that 100,000 e-mails are sent from different single points to one central server. Actually, maybe the latter case should be made illegal, although I cannot think how it could. I apologise for hesitating; I had not thought this out very hard. There are problems around it that probably need to be addressed, as the noble Earl was saying. With the general proviso that we need to think further about the issue, I welcome these amendments.
Lord Bassam of Brighton: My Lords, I have heard what both noble Earls have had to say on this subject. The noble Earl, Lord Northesk, is well regarded in your Lordships’ House for his knowledge and interest in, and dedicated consideration of, these issues. I have great respect for him for the work he does.
I shall respond to a couple of points
that the noble Earl raised. Just to clarify this point: the Bill
distinguishes systems interference due to criminal action from that due
to accidental action by whether the access modification is unauthorised
and whether or not the person has the necessary mens rea. It
will ultimately be for the courts on the facts to decide
11 July 2006 : Column 608
The noble Earl raised the prospect of a rewrite of the Computer Misuse Act 1990. We have consulted the industry, including the APIG, which the noble Earl mentioned, and others on this issue over a period of two years. We concluded that the consultation did not highlight the need for a complete rewrite of the Act, but these changes reflect the issues that were raised as fruit of that consultation. I know that legislation in this field is an art of perfection for the noble Earl but we seek, as ever, to keep the industry well informed and well briefed on our thinking. We consult regularly, take on board the results of those consultations and try to reflect them where relevant in any necessary changes to legislation. I am very grateful for the noble Earl’s work on this. I accept that he will never be entirely happy and satisfied with what we are attempting to do, but I hope that he will feel reasonably content and that he will not press his amendment.
On Question, amendment agreed to.
[Amendment No. 172 not moved.]
Baroness Anelay of St Johns moved Amendment No. 173:
The noble Baroness said: I wish to speak to Amendments Nos. 173, 175 and 177. These are probing amendments that reflect concerns raised by the All-Party Children’s Group in its child impact statement.
Clause 39 amends Section 1 of the Computer Misuse Act 1990, and introduces new penalties for unauthorised access to computer material. Clause 40 amends Section 3 of the same Act and again introduces new penalties for an unauthorised act with intent to impair the operation of a computer. Clause 41 amends the same Act, introducing new penalties for making, supplying or obtaining articles for use under the previous sections.
The problem is that it is unclear whether these offences can apply to young people under 18; if so, they would not appear in the Crown Court. Therefore, the maximum penalty available in the youth court would be a two-year detention and training order. We have tabled this amendment because we and the all-party group would be grateful if the Minister could clarify the Government’s intentions on this matter. I beg to move.
The
Earl of Erroll: When I saw the amendment I
wondered what its purpose was since a lot of the relevant damage is
done by under 18 year-olds who regularly try to disrupt computer
systems for fun. They may start at the age of 10 or 12 playing around,
then they learn a bit more, and then they learn a bit more at school.
The thought that none of this would apply to under-18s was greeted with
horror in some circles. I have discovered that it is a probing
amendment on exactly how the matter will be dealt with in the courts,
but I should like to make it clear that under-18s should not be
exempted from
11 July 2006 : Column 609
Lord Bassam of Brighton: I am grateful to the noble Baroness for speaking to the amendments, but ultimately we cannot commend them to the Committee. We believe that criminal responsibility should apply as much online as it does in the physical world—I almost said the metaphysical world—but we do not believe that there is a need to treat Computer Misuse Act offences differently from other offences. Under-18s are capable of understanding the consequences of their online actions in the same way as they do their offline actions. I often think that they understand online consequences far more clearly than people of our generation. I ought to put in a disclaimer of sorts there, but having noticed my teenage children working online, that certainly is the case.
That said, any under-18s who commit an offence under these provisions would be eligible for a fine or warning if they admitted their guilt and it was their first or second offence, in which case the young person can be assessed to determine the causes of their offending behaviour and to identify a programme of activities to address them.
I hope that, having heard that explanation, the noble Baroness will withdraw the amendment.
Baroness Anelay of St Johns: As I made clear, this is a probing amendment to meet the requirements of the all-party group, to which the noble Lord’s comments will not come as a surprise.
The difficulty is that all of us have noted the Government’s split personality. On some occasions 16 to 18 year-olds are treated as adults but on other occasions they are treated as juveniles. On occasions such as this we are not sure exactly how they will be treated. I accept that those under 18 have every bit as much of a facility to use computers in an unwelcome way as anyone over 18. They know a heck of a lot more about it than I would do; not that I would want to learn how to misuse information technology—I leave that to the Government and their plans for ID cards. On that note, I beg leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 39, as amended, agreed to.
4.30 pm
Clause 40 [Unauthorised acts with intent to impair operation of computer, etc]:
The Deputy Chairman of Committees (Lord Geddes): Before calling Amendment No. 173A, I must advise the Committee that if it or Amendment No. 174 is agreed to, I cannot call Amendment No. 175, due to pre-emption.
Lord Bassam of Brighton moved AmendmentNo. 173A:
11 July 2006 : Column 610
- “3 UNAUTHORISED ACTS WITH INTENT
TO IMPAIR, OR WITH RECKLESSNESS AS TO IMPAIRING, OPERATION OF COMPUTER,
ETC.
- (3) This subsection applies if the
person is reckless as to whether the act will do any of the things
mentioned in paragraphs (a) to (d) of subsection (2) above.
- (4) The intention referred to in
subsection (2) above, or the recklessness referred to in subsection (3)
above, need not relate to-
On Question, amendment agreed to.
[Amendments Nos. 174 and 175 not moved.]
The Deputy Chairman of Committees: Amendment No. 176 is a joint amendment.
Lord Bassam of Brighton: My understanding is that our amendments cover the same ground, and as I advised the Committee we had a suspicion that the amendment proposed by the noble Earl, Lord Northesk, was technically deficient. We would prefer our amendment to his, and I thought that the noble Earl was going to withdraw his.
The Earl of Northesk: The noble Lord, Lord Bassam, has failed to perceive that we are on Amendment No. 176, which is in my name and the Minister’s. If he does not want me to move it, I am quite content not to.
Lord Bassam of Brighton: The embarrassment is mine, and I apologise fulsomely to the Committee and to the noble Earl. I do have an excuse, but it would not be worthy of your Lordships’ Committee.
The Earl of Northesk moved Amendment No. 176:
“( ) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily”On Question, amendment agreed to.
[Amendment No. 177 not moved.]
Clause 40, as amended, agreed to.
Clause 41 [Making, supplying or obtaining articles for use in computer misuse offences ]:
11 July 2006 : Column 611
The Deputy Chairman of Committees: Before calling Amendment No. 178, I must advise the Committee that if it is agreed to, I will not be able to call Amendment No. 178ZA, due to pre-emption.
The Earl of Northesk moved Amendment No. 178:
The noble Earl said: This subsection was introduced as a government amendment in Committee in another place. Moreover, although some concerns were raised at that time, I acknowledge that there was consensus across the political divide that it should be inserted. In that sense, I draw no comfort whatever from the possibility of being a minority in objecting vehemently to the provision. It is profoundly flawed and coulddo untold damage to the IT community in the UK and conceivably even that beyond our shores. I shallendeavour to explain why.
Before so doing, as with the previous amendments on DoS attacks, I willingly, although again guardedly, endorse and support the Government’s intention with the clause as a whole. We all know that, whatever its form, online hacking of IT systems with criminal or malicious intent is a modern scourge. Manifestly, therefore, due provision should be made to proscribe making, adapting, supplying or offering to supply so-called “hacker tools”. I therefore find paragraph (a) eminently sensible and desirable. That said, I am fiercely of the opinion that the test that someone is guilty of an offence under the clause if he merely believes,
is unnecessarily and dangerously broad, the more so because it is not in any way constrained by the expressions of intent contained in paragraph (a).As the Committee will be aware, the use and effectiveness of online activity is highly dependent on the work of anti-virus and IT security companies. Of necessity, they employ a variety of so-called “hacking tools”, such as Nmap, which is used to probe for insecure machines online to see whether they respond, or the scripting language Perl, simply to test IT systems for vulnerabilities that could be exploited by those with criminal or malicious intent. In so doing, they can address discovered weaknesses, hopefully, before hackers can take advantage of them. Indeed, the patches and updates issued by the likes of Microsoft—of which I am sure Members of the Committee are only too aware—are a culmination of this process.
Here, it is not a case of whether system administrators believe that such tools are “likely” to be used in the commission of an offence; they know full well that they will be—and, indeed, already are. Accordingly, in any interpretation of the paragraph, they lay themselves open to possible prosecution simply by doing their job. As an IT acquaintance has pointed out to me, this is akin to legislating to make use of a crowbar illegal on the basis that an individual would believe that it was “likely” to be used in the commission of burglaries.
I do not doubt
that that is not the Government’s intent; nevertheless, it is
the implication of the drafting. I know of a number of IT
professionals,
11 July 2006 : Column 612
Consider, too, forensic hacking. Of necessity, law enforcement agencies use hacking tools to investigate crime; for example, to gain access to encrypted data. Again, it is not a case of “belief” that such tools could be used by a hacker, it is absolute certainty. Do we, therefore, conclude that an IT security company supplying hacking software to the police should be deemed to be committing an offence? Or, perhaps, the Government imagine that an individual constable hacking into encrypted data on a criminal’s computer could fall foul of paragraph (b). Patently, such situations would be absurd.
I wonder, too, whether the Government have thought through this matter in the context of higher education. As the Committee will be aware, the syllabuses of many undergraduate computing degrees include hacking. In fact, in response to demand from the IT sector, the University of Abertay in Dundee has recently announced its intention to run, from the start of the next academic year in October, a BSc (Hons) undergraduate course in ethical hacking and countermeasures. But what would be the status of such educational opportunities if paragraph (b) were enacted? On the face of it they would be illegal, because students and professors would know, not merely believe, that the subject matter of their courses is “likely” to be used in the commission of an offence. Again, this would be perverse.
I am of course aware of the Home Office’s view that the key to the provision is how the courts might interpret “likely”. Indeed, it has circulated a letterto interested parties which makes this observation. It states that it
- “boils down to the
court deciding whether it is more likely than not each individual
instance of the article will be used to commit an offence, i.e. the
offence is only committed if it will be used criminally more than
legally”.
I could say much more, but I will not weary the Committee any further. I merely observe in conclusion that, in contrast to their efforts on DoS attacks, with paragraph (b) the Government are attempting major surgery where a sticking plaster will do. They are using a sledgehammer to crack a nut, the more so because paragraph (a) of itself bears down adequately, if not entirely, upon the activity that the Government wish to and should proscribe. In so far as that suggests incoherence in their approach to legislating on IT, I repeat my conviction that a wholesale re-write of the CMA is needed. In the mean time, I beg to move.
11 July 2006 : Column 613
The Earl of Erroll: I shall also speak to Amendment No. 178ZA in this group. To be honest, Amendment No. 178, deleting the paragraph altogether, may be the best course of action, because the provision causes serious problems. I have had long conversations about this with several people from companies that will be directly affected by it. I thought that the Home Office might not be willing to remove the paragraph, so I tabled my slightly less extreme amendment; nevertheless, it may have its own problems, and it may be wiser to delete the paragraph altogether. This small but important amendment will have a serious impact on quite a lot of companies that currently write software that is perfectly legal and is extremely useful because it allows computers to be managed remotely. To give you a feel of the technology, the Parliamentary ICT helpdesk uses such software. If you have a problem, you can allow one of the helpdesk people to take control of your computer or to watch what you are doing on it and give you helpful advice. That would be a typical application where someone is remotely accessing your computer using the same tools as hackers would use.
People developing websites will have software that can download and install itself to monitor the mouse’s movements around the screen to see how people use the websites, where they hover and what they click on. These things, which sit in the background, are used by academics and developers to make websites more usable. We all know of websites—possibly even the parliamentary website—which could do with a little research in this direction. Such tools will almost certainly be made illegal by the proposal because they are exactly the sort of tools that hackers can use. Even if such tools were not principally designed for a hacker in the first place, hackers could easily modify bits of them, or use them, and it is extremely likely that they will do so; it is highly unlikely that they would not do so.
It is very likely that hackers will use these things. It is highly improbable that they will not. Unless my definition of “likely” is very different from that of the lawyers at the Home Office, I would prefer the dictionary definitions that I find to the ones that they may be trying to use.
The real trouble is how the courts will interpretthe word “likely”. In our courts, some very clever barristers will use very clever verbal gymnastics to twist the meaning of the word “likely” to suit their case. The case may be brought not against a large company that can afford very expensive barristers to defend it but against a small, one-man band, who may have written some software. For some reason someone who may be trying to gain commercial advantage reports him, or has a contact that can do something, and he may be unable to defend himself against a clever barrister in court.
I do not know whether the
word “likely” implies that more people will use such
tools for legal purposes than for illegal purposes such as hacking. How
dothe courts establish that? As a result, after some
discussion with people, I suggest the word “primarily”,
which would be better. I am open to other ideas, such as that of our
assiduous and
11 July 2006 : Column 614
The important thing is that they should convey the intention of Parliament better than the word “likely” in the mind of the lawyers. I support this approach because of the possibility that this might persuade the lawyers in the Minister’s department to change their minds, but I do not know whether this is likely or unlikely.
It has been suggested to me in discussions with the people behind the word “likely”—the Home Office—that the courts can use Pepper v Hart to look at the Minister’s response to these amendments to find out the intention behind Parliament’s inclusion of this word. The trouble is that the courts have to decide that it is ambiguous and I am not sure that it is at all ambiguous. I believe that it is highly likely that any of these tools will be used by hackers unambiguously.
Another approach would be to use a very ambiguous word. I will leave it to noble Lords’ imagination how you might make this phrase so ambiguous that the courts had to read the Minister’s statements. That would be an alternative, but is that likely to happen? Anyway, it is a bad way to make law.
I turn to a matter that I feel strongly about. In Roman law, I believe, one makes laws slightly general and the courts and the state decide how the law is to be interpreted and fill in the blanks later. But under common law—we are a common law country—basically you are allowed to do anything that is not expressly forbidden. Therefore, we define much more closely what is forbidden because it is important to make clear what companies are and are not permitted to do and not leave it to the courts to interpret later.
I have also spoken to someone who has close ties with the Commission and they do not like this at all either. Should we pass the measure in this form, there may be moves from Europe later in the yearto get it changed. International companies are sufficiently worried about this for lobbying to take place. With that, I look forward to hearing the Minister’s reply.
4.45 pm
Baroness Harris of Richmond: We agree with this amendment. As I understand it, under paragraph (b) a software developer will need only to intend his software to be used or believe it likely to be used as a hacking tool. I very much welcomed the fact that the noble Earl, Lord Erroll, explained his concerns about the word “likely”—a point with which we also agree.
| Next Section | Back to Table of Contents | Lords Hansard Home Page |