Issues of Computer Law


The world is embarking upon a new century, and we are facing an ever-increasing reliance on technology, particularly computers and the Internet, in our day-to-day lives. The importance and pervasiveness of computers are certain to continue to expand, and given the exponential growth of the Internet and computer technology, legal institutions face serious questions about the regulation of such technology[1]. To continue the smooth operation of human relationships we need functional institutions. Currently, technology is changing at a pace too rapid for the law to keep up. It’s argued that existing law can be stretched to encompass issues related to computers and the Internet, but the effectiveness of such existing legislation has been questioned.[2]

It has been shown that existing law cannot stretch to encompass computer-related issues, most specifically in relation to the notable case involving the Duke of Edinburgh’s email. In the mid-1980s, hacking was not an offence, and the two men involved in this case, Gold and Shifreen, hacked into and left a number of messages in the Duke’s private mailbox. They later said they wanted to prove their skill, and had no malicious intent. They were charged with an obviously unsuitable offence of “making false instrument”, which normally applies to a forgery case. Both men were convicted, but were later released on appeal to the High Court, when the Lord Chief Justice said that the Forgery Act was not intended for computer misuse offences.[3]

This incident, among others, spawned a Royal Commission into computer misuse and resulted in the Computer Misuse Act 1990. Detective Inspector Michael Gorrill of the Greater Manchester Police Commercial Fraud Squad stated that:

“the Computer Misuse Act was created to prevent unauthorised access to computer systems and also to deter the more criminal elements in society from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer”.[4]

The Act creates three offences, in sections 1 through to 3. They make it illegal to, respectively:

access computer material without authority;

access computer material without authority with the intent to commit or facilitate the commission of further crime; and

modify computer material without authority.[5]

The sentences, including up to five years’ imprisonment, reflect the seriousness with which hacking and virus proliferation are viewed.

The scope of Section 1 of the CMA includes using another person’s ID to access a program, such as to read an exam paper. Section 2 encompasses gaining access to another person’s financial or administrative records, though intent to commit a further offence must be proven. The offences that come within Section 3 range from destroying and/or modifying another’s files, to creating and introducing a local and/or network virus, or deliberately causing a system malfunction.[6]

After the introduction of the Computer Misuse Act in 1990, technology continued its explosive development to the point where large databases of information were held about people, and the privacy and freedom of information laws were insufficient to deal with the new technology. The Data Protection Act 1998 (DPA) amended the original Act of 1984 to enhance the protection and clarify the rules about how data about people can be used.[7] The Data Protection Act covers information or data stored on a computer or organised paper filing system about living people.[8]

People want to keep their pay, bank details, and medical records private and away from the view of just anybody. If someone who is not entitled to see these details can obtain access without permission it is unauthorised access, and therefore a criminal offence. The DPA requires that any organisation or person who needs to store personal information must apply to the Information Commissioner. The person within an organisation who applies to the data commissioner for permission to store and use personal data is called a data controller. They must keep to the eight principles of data protection, embodied in the DPA:

personal data must be collected and used fairly and inside the law;

personal data must only be held and used for the reasons given by the data controller to the Information Commissioner;

the personal data can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with;

the information held must be adequate (enough), relevant and not excessive (too much) when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data;

the personal data must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move;

the personal data must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most;

the information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone; and

the files may not be transferred outside of the European Economic Area (that’s the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law.[9]

The Act also sets up rights for the person whose data is being held, such as a right to access, a right to correction, and a right to prevent direct marketing.

Legislation and directives relating to computers and the Internet continued to attempt to close the gap between existing law and technological advances, on the international platform, during the mid-1990s. In 1996, the European Commission adopted directive 96/9/EC on the legal protection of databases (“Database Directive”). One of the principal objectives of the Database Directive was to promote investment in the creation of databases throughout the EU. This was to be achieved by the introduction of a new sui generis database right. This sui generis right built on existing legal and equitable rights which were capable of applying to electronic databases under UK law – namely, copyright, confidentiality and contract.[10]

Despite this, the information technology industry continued to scream out for the laws designed to protect businesses from hacking to be reviewed and updated. A spokesman for the IBM Computer User Association said, “Unless the law can respond and take the appropriate measures against the perpetrators of denial of service attacks, these things will continue.” Once again cyber crime had outgrown the existing legislation, which failed to envisage the developments that had occurred in technology, as well as the intelligence of the hackers. Roger Loosley, chairman of the Technology Lawyers Consortium, agreed:

“The Computer Misuse Act is over 10 years old and only covers the unauthorised access to and modification of computer material … Although it is difficult to keep the law up to date with the fast pace of technological developments, governments should at least try to keep the law in sight of current practices. Those who deliberately cause significant damage to the commercial interests of others should be guilty of an offence.”[11]

The legislature did respond, and on the tenth anniversary of the Computer Misuse Act, in 2000, the Regulation of Investigatory Powers Bill was introduced into Parliament. The Bill did not achieve a balance between illegality and the actions of law-abiding individuals and businesses, drawing vast criticism.[12] The Bill intended to introduce powers to allow authorities to intercept Internet communications and to seize encryption keys used for the protection of such traffic and for the protection of stored computer data. The powers were not limited in their application to those involved in criminal activities, and although abuse of these powers may have been limited, there would still have been situations where honest computer and Internet users would bear increased risks to their privacy, safety and security whilst using the Internet, rather than being protected from criminal activity as the proposed legislation intended. The Bill allowed for the intercept of email, the seizure of information on a user’s computer, and the seizure of encryption codes.[13]

Law enforcement agencies have, however, following the enactment of the Bill, now the RIP Act, and the enactment of the Anti-Terrorism Crime and Security Act 2001, gained full and unrestricted access to non-anonymous traffic data. Further amendments to the RIP Act were attempted by the British Government, though these were withdrawn after the public outcry they caused. However, a recent directive of the European Parliament on privacy and electronic communications (2002/58/EC) has codified these powers across the European Union. By the end of 2002, the BBC reported that law enforcement bodies had made over 400,000 requests for traffic data from mobile network operators. The authorities draw little distinction between non-identifiable data and personally identifiable data. The effect of the RIP Act, supported by the Directive 2002/58/EC, is to make traffic data generated by mobile telecommunications available on request to UK law enforcement bodies.[14]

It has been highlighted throughout this paper that the law has been slow to legislate in regard to technology, and when it has, the technology has either quickly outgrown the law again, or the law has encroached on what are seen as fundamental personal rights. Parliament and the legal industry are faced with the complexity and exponential growth of technology, and this area of law is embryonic in nature in comparison to other areas. We are likely to continue to find more questions than answers as the law struggles to maintain pace in the computer age.

Bibliography

Brown, Ian & Gladman, Brian. ‘The Regulation of Investigatory Powers Bill – Technically inept: ineffective against criminals while undermining the privacy, safety and security of honest citizens and businesses’ (2000) <http://www.fipr.org/rip/RIPcountermeasures.pdf> accessed 30 April 2007.

BBC Reporters. ‘The Computer Misuse Act’ <http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/3virusesrev4.shtml> accessed 30 April 2007.

BBC Reporters. ‘The Data Protection Act’ <http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/0dataprotectionactrev1.shtml> accessed 30 April 2007.

CW Reporters. ‘UK must lock down the law to stop the hackers’ Computer Weekly, Feb 28, 2002 p2.

Ed: Brown, Ian; Davies, Simon & Hosein, Gus. ‘The Economic Impact of the Regulation of Investigatory Powers Bill’ (2000) <http://is2.lse.ac.uk/research/BCC_RIPA.pdf> accessed 30 April 2007.

Free, Gary. ‘The Computer Misuse Act 1990’ <http://www.unix.geek.org.uk/~arny/cmuse.html> accessed 30 April 2007.

Green, Nicola & Smith, Sean. ‘A Spy in Your Pocket? The Regulation of Mobile Data in the UK’ Surveillance and Society 1(4):573-587.

Lancaster University. ‘Guidance on Computer Misuse Act’ <http://www.lancs.ac.uk/iss/rules/cmisuse.htm> accessed 30 April 2007.

Lim, Yee Fen. Cyberspace Law: Commentaries and Materials (Oxford University Press, South Melbourne 2003).

O’Hare, Paul. ‘Electronic Databases: Protecting Your Investment: An Analysis of the Legal Rights in Electronic Databases Under UK Law’ Mondaq Business Briefing, Nov 20, 2006 pNA.

[1] Lim, Yee Fen. Cyberspace Law: Commentaries and Materials (Oxford University Press, South Melbourne 2003).

[2] Ibid, p1.

[3] Free, Gary. ‘The Computer Misuse Act 1990’ <http://www.unix.geek.org.uk/~arny/cmuse.html> accessed 30 April 2007.

[4] Ibid.

[5] BBC Reporters. ‘The Computer Misuse Act’ <http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/3virusesrev4.shtml> accessed 30 April 2007.

[6] Lancaster University. ‘Guidance on Computer Misuse Act’ <http://www.lancs.ac.uk/iss/rules/cmisuse.htm> accessed 30 April 2007.

[7] Green, Nicola & Smith, Sean. ‘A Spy in Your Pocket? The Regulation of Mobile Data in the UK’ Surveillance and Society 1(4):573 at 577.

[8] BBC Reporters. ‘The Data Protection Act’ <http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/0dataprotectionactrev1.shtml> accessed 30 April 2007.

[9] BBC Reporters. ‘The Data Protection Act’ <http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/0dataprotectionactrev1.shtml> accessed 30 April 2007.

[10] O’Hare, Paul. ‘Electronic Databases: Protecting Your Investment: An Analysis of the Legal Rights in Electronic Databases Under UK Law’ Mondaq Business Briefing, Nov 20, 2006 pNA.

[11] CW Reporters. ‘UK must lock down the law to stop the hackers’ Computer Weekly, Feb 28, 2002 p2.

[12] Ed: Brown, Ian; Davies, Simon & Hosein, Gus. ‘The Economic Impact of the Regulation of Investigatory Powers Bill’ (2000) <http://is2.lse.ac.uk/research/BCC_RIPA.pdf> accessed 30 April 2007.

[13] Brown, Ian & Gladman, Brian. ‘The Regulation of Investigatory Powers Bill – Technically inept: ineffective against criminals while undermining the privacy, safety and security of honest citizens and businesses’ (2000) <http://www.fipr.org/rip/RIPcountermeasures.pdf> accessed 30 April 2007.

[14] Green, above 7, at 583.