Computer Misuse
Response, regulation and the law
Stefan Fafinski

‘Provides a comprehensive, valuable and timely critical review of the legal and extra-legal governance of computer misuse.’ – Professor Martin Wasik CBE (Keele University)

‘At a time of headlines about the rising threat of cybercrime, Dr Fafinski's meticulous study provides a calculated assessment of cybercrime and what modes of response can best protect the system and the public. His welcome book highlights shortcomings of the criminal law in responding to crimes against computer systems and offers important insights into productive alternative strategies.’ – Professor Clive Walker (University of Leeds)

This book is concerned with the nature of computer misuse and the legal and extra-legal responses to it. It provides a history of its emergence in parallel with the evolution of computer technology and surveys the attempts of the criminal law of England and Wales in dealing with it. It then considers the characteristics and purpose of the criminal law in the context of computer misuse to explore whether effective regulation requires more than just the domestic criminal law.

The book then introduces various theories of risk before considering the idea of a governance framework as a viable regulatory mechanism, examining the legal responses of the European Union, Council of Europe, Commonwealth, United Nations and Group of Eight. The book then broadens the discussion beyond the law to encompass extra-legal initiatives and examines the contribution made by each.

Finally, it concludes with an examination of the complex governance network and considers whether the regulation of computer misuse is only viable in a global networked society by a networked response combining nodes of both legal and extra-legal governance.

This book will be of interest to students of IT law as well as to sociologists and criminologists, and those who have a professional concern with preventing computer misuse and fraud or governing the information society.

Dr Stefan Fafinski is a lecturer in law at Brunel University and a Director of Invenio Research. He has over twenty years’ experience in the information technology industry. He is a Chartered Engineer, a Chartered Scientist, a Chartered Fellow of the British Computer Society and a Court Liveryman of the Worshipful Company of Information Technologists.

Academic and Professional Publisher of the Year 2008
International Achievement of the Year 2009
www.willanpublishing.co.uk

Published by
Willan Publishing
Culmcott House
Mill Street, Uffculme
Cullompton, Devon EX15 3AT, UK
Tel: +44(0)1884 840337
Fax: +44(0)1884 840251
e-mail: info@willanpublishing.co.uk
Website: www.willanpublishing.co.uk

Published simultaneously in the USA and Canada by
Willan Publishing
c/o ISBS, 920 NE 58th Ave, Suite 300
Portland, Oregon 97213-3644, USA
Tel: +001(0)503 287 3093
Fax: +001(0)503 280 8832
e-mail: info@isbs.com
Website: www.isbs.com

© Stefan Fafinski 2009

The rights of Stefan Fafinski to be identified as the author of this book have been asserted by him in accordance with the Copyright, Designs and Patents Act of 1988.

All rights reserved; no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the Publishers or a licence permitting copying in the UK issued by the Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London, EC1N 8TS.

First published 2009

ISBN 978-1-84392-379-4 paperback
978-1-84392-380-0 hardback

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

Project management by Deer Park Productions, Tavistock, Devon
Typeset by GCS, Leighton Buzzard, Beds
Printed and bound by T.J. International, Padstow, Cornwall

Contents

List of abbreviations
List of figures and tables
Table of cases
Table of legislation
Acknowledgements
Preface

Introduction
    Principal research questions and chapter structure
    Terminology

Part 1 Constructing the problem of computer misuse

The emergence of the problem of computer misuse
    A brief history of computing
    Manifestations of computer misuse
    Pre-1990 regulation
    The genesis of the Computer Misuse Act 1990
    The Computer Misuse Act 1990
    Conclusion

The evolution of the problem of computer misuse
    The evolution of computing and computer misuse post-1990
    Prosecutions under the Computer Misuse Act 1990
    Interpretation of the Computer Misuse Act 1990
    Limitations and proposals for reform
    The Police and Justice Act 2006
    Alternative domestic criminal legislation
    Conclusion

Computer misuse and the criminal law
    Theories of criminal law
    The instrumentalist construction of the criminal law
    The moralistic construction of the criminal law
    The structural conflict theory of criminal law
    The interactionist theory of criminal law
    Computer misuse as a public or private wrong
    Computer misuse and jurisdiction
    Conclusion

Part 2 The governance of computer misuse

The risk of computer misuse and its governance
    Risk
    The realist perspective on risk
    Constructionist perspectives on risk
    Cultural and symbolic perspectives on risk
    The ‘risk society’
    The role of the state and governmentality
    Governance
    The precautionary principle
    Risk, computer misuse and the domestic criminal law

The legal governance of computer misuse: beyond the domestic criminal law
    European Union initiatives
    Council of Europe initiatives
    Commonwealth initiatives
    United Nations initiatives
    Group of Eight initiatives
    Computer misuse and legal governance

The extra-legal governance of computer misuse
    Frameworks for extra-legal governance
    Warning and response systems
    Education and public engagement
    Technical regulation
    Conclusion

Part 3 Examining the solution

The constellation of control
    Principal research findings
    Conclusion

Appendix: Outline research methodology
Bibliography
Index

List of abbreviations

ACLU: American Civil Liberties Union
APCERT: Asia Pacific Computer Emergency Response Team
APIG: All Party Internet Group
ARPANET: Advanced Research Projects Agency Network
BCS: British Computer Society
BITNET: Because It’s There Network
BSE: Bovine Spongiform Encephalopathy
CEENet: Central and Eastern European Networking Association
CERN: Conseil Européen pour la Recherche Nucléaire (European Council for Nuclear Research)
CERT: Computer Emergency Response Team
CFSP: Common Foreign and Security Policy
CIRCA: Computer Incident Response Co-ordination Austria
CJD: Creutzfeldt-Jakob disease
CMA: Computer Misuse Act 1990
CoE: Council of Europe
CPNI: Centre for the Protection of the National Infrastructure
CPS: Crown Prosecution Service
CSIRT: Computer Security Incident Response Team
D&G: Domestic & General
DARPA: Defence Advanced Research Projects Agency
ECSC: European Coal and Steel Community
EGC: European Government CSIRTs group
EJN: European Judicial Network
ENIAC: Electronic Numerical Integrator and Computer
ENISA: European Network and Information Security Agency
EURATOM: European Atomic Energy Community
EURIM: European Information Society Group (formerly European Information Management Group)
FCC: Federal Communications Commission
FIRST: Forum of Incident Response and Security Teams
FSA: Financial Services Authority
FSISAC: Financial Services Information Sharing and Analysis Centre
G8: Group of Eight
INTERPOL: International Criminal Police Organisation
IP: Internet Protocol
ISP: Internet Service Provider
ITC: Information Technologists’ Company
JANET: Joint Academic Network
JHA: Justice and Home Affairs
NASA: National Aeronautics and Space Administration
NCFTA: National Cyber Forensic Training Alliance
OECD: Organisation for Economic Cooperation and Development
PGP: Pretty Good Privacy
PJCC: Police and Judicial Cooperation in Criminal Matters
RAYNET: Radio Amateurs’ Emergency Network
SIRC: Social Issues Research Centre
SIS: Schengen Information System
SOCA: Serious Organised Crime Agency
TERENA: Trans-European Research and Education Networking Association
TF-CSIRT: Task Force of Computer Security and Incident Response Teams
TI: Trusted Introducer
UK-ILGRA: United Kingdom Interdepartmental Liaison Group on Risk Assessment
UKERNA: United Kingdom Education and Research Network Association (now JANET)
UNIVAC: Universal Automatic Computer
US-CERT: United States Computer Emergency Readiness Team
WANK: Worms Against Nuclear Killers
WARP: Warning, Advice and Reporting Point

List of figures and tables

Figures
3.1 World Internet usage (millions) 1995–2007
3.2 Vulnerabilities catalogued by CERT 1994–2007
3.3 Incident reports received by CERT 1988–2003

Tables
3.1 Number of persons cautioned by the police for principal offences under the Computer Misuse Act 1990 (England and Wales) 1991–2002
3.2 Number of persons proceeded against for principal offences under the Computer Misuse Act 1990 (England and Wales) 1991–2002
4.1 Correspondence between features of computer misuse and the domestic criminal law
5.1 The grid-group model of risk perception
A.1 Categorisation of research participants
(Winter 2002–03) 32 Sunstein, C.R., ‘Beyond the precautionary principle’ (2003) 151 University of Pennsylvania Law Review 1003 Sunstein, C.R., ‘Essay: on the divergent American reactions to terrorism and climate change’ (2007) 107 Columbia Law Review 503 Tappan, P.W., ‘Who is the criminal?’ (1947) 12 American Sociological Review 96 Tapper, C., ‘Computer crime: Scotch mist?’ [1987] Criminal Law Review Teichner, F., ‘Regulating cyberspace’, 15th BILETA Conference (14 April 2000) Teubner, G., ‘After legal instrumentalism: strategic models of post-regulatory law’, in Teubner, G (ed.), Dilemmas of Law in the Welfare State (Walter de Gruyter, Berlin, 1986) Thomas, D., ‘Home Office seeks to increase jail terms for hackers’, Computing (20 July 2005) Thomas, D., ‘New bill to beef up e-crime law: Home Office proposes tougher sentences for hackers and virus writers’, Computing (25 January 2006) Thomas, D., ‘Clamping down on the cyber criminals’, Computing (2 February 2006) Thomas, W.I and Thomas, D.S., The Child in America: Behavior Problems and Programs (Knopf, New York, 1928) Tierney, K., ‘The battered women movement and the creation of the wifebeating problem’ [1982] Social Problems 207 Tobler, C., ‘Annotation: Case C-176/03, Commission v Council, judgment of the Grand Chamber of 13 September 2005’ (2006) 43 Common Market Law Review 835 Tompkins, J and Mar, L., ‘The 1984 Federal Computer Crime Statute: a partial answer to a pervasive problem’ (1985) Computer and Law Journal 459 Turk, A.T., Criminality and the Social Order (Rand-McNally, Chicago, IL, 1969) UKERNA, ‘CSIRTs and WARPs: Improving Security Together’ (March 2005) 315 Computer Misuse Ultrascan, ‘419 fraud stats and trends for 2007’ (19 February 2008) United Kingdom Interdepartmental Liaison Group on Risk Assessment, The Precautionary Principle: Policy and Application (2002) United Nations, ‘World Charter for Nature’, UN Doc A A/RES/37/7 (1982) United Nations, ‘Eighth United Nations Congress on the Prevention of 
Crime and the Treatment of Offenders, Havana (27 August – September 1990)’, UN Doc E/91/IV/2 United Nations, ‘Rio Declaration on Environment and Development’, UN Doc A/Conf 151/5/Rev (1992) United Nations, ‘Manual on the prevention and control of computer-related crime’ (1994) 43–44 International Review of Criminal Policy, UN Doc E/94/IV/5 United States Department of Justice, Computer Crime and Intellectual Property Section, ‘Council of Europe Convention on Cybercrime Frequently Asked Questions and Answers’ (11 November 2003) United Nations, ‘Congress Discussion Guide’, UN Doc A/CONF/203/PM/1 (11 February 2005) United Nations, ‘“Around the clock” capability needed to successfully fight cybercrime, workshop told’, UN Doc SOC/CP/334 (25 April 2005) Van Blarcum, D., ‘Internet hate speech: the European Framework and the emerging American haven’ (2005) 62 Washington and Lee Law Review 781 Van Wyk, K.R and Forno, R., Incident Response (O’Reilly & Associates, Sebastopol, CA, 2001) Vermeulen, G., ‘Pre-judicial (preventative) structuring of international police action in Europe’ (1996) Vold, G., Theoretical Criminology (Oxford University Press, Oxford, 1958) Wagner, R.P., ‘Information wants to be free: intellectual property and the mythologies of control’ (2003) 103 Columbia Law Review 995 Walden, I., Computer Crimes and Digital Investigations (Oxford University Press, Oxford, 2007) Walker, C., ‘Political violence and commercial risk’ (2003) 56 Current Legal Problems 531 Walker, C., ‘Cyber-terrorism: legal principle and law in the United Kingdom’ (2006) 110 Penn State Law Review 625 Walker, C., ‘Governance of the Critical National Infrastructure’ [2008] Public Law 323 Walker, C and Broderick, J., The Civil Contingencies Act 2004: Risk, Resilience and the Law in the United Kingdom (Oxford University Press, Oxford, 2006) 316 Bibliography Wall, D.S., Cybercrime: The Transformation of Crime in the Digital Age (Polity Press, Cambridge, 2007) Wang, C and Williamson, S., 
‘Unemployment insurance with moral hazard in a dynamic economy’ (1996) 44 Carnegie-Rochester Conference Series on Public Policy Warren, C., ‘Qualitative interviewing’, in Gubrium, J and Holstein, J (eds), Handbook of Interview Research: Context and Method (Sage, London, 2001) Wasik, M., ‘Criminal damage and the computerised saw’ (1986) 136 New Law Journal 763 Wasik, M., Crime and the Computer (Clarendon Press, Oxford, 1991) Wasik, M., The Role of the Criminal Law in the Control of Misuse of Information Technology (University of Manchester Working Paper No 8, July 1991) Wasik, M., ‘Dealing in the information market: procuring, selling and offering to sell personal data’ (1995) International Yearbook of Law, Computers and Technology 193 Wasik, M., ‘Hacking, viruses and fraud’, in Akdeniz, Y., Walker, C and Wall, D.S (eds), The Internet, Law and Society (Pearson Education, Harlow, 2000) Wasik, M., ‘Computer misuse and misconduct in public office’ (2008) 22 International Review of Law, Computers and Technology 135 Weber, A.M., ‘The Council of Europe’s Convention on Cybercrime’ (2003) 18 Berkeley Technology Law Journal 425 Webster, P., ‘Millions more ID records go missing’, The Times (18 December 2007) Webster, P and Seib, C., ‘Alistair Darling props up Northern Rock with fresh £30bn debt guarantee’, The Times (19 January 2008) Webster, P., O’Neill, S and Blakely, R., ‘25 million exposed to risk of ID fraud’, The Times (21 November 2007) Weller, P and others (eds), The Hollow Crown: Countervailing Trends in Core Executives (Macmillan, London 1997) West-Brown, M.J and others, Handbook of Computer Security Incident Response Teams (2nd edn, Carnegie Mellon University, Pittsburgh, PA, 2003) Whine, M., ‘Cyberhate, anti-semitism and counterlegislation’ (2006) 11 Communications Law 124 White, S., ‘Harmonisation of criminal law under the First Pillar’ (2006) 31 European Law Review 81 Wiener, J.B., ‘Whose precaution after all? 
A comment on the comparison and evolution of risk regulatory systems’ (2003) 13 Duke Journal of Comparative and International Law 207 Wiik, J., Gonzalez, K.K and Kossakowski, K.-P., ‘Limits to Effectiveness in Computer Security Incident Response Teams’ (Twenty-third International Conference of the System Dynamics Society, Boston, 2005) Williams, K.S and Carr, I., ‘Crime, risk and computers’ (2002) Electronic Communication Law Review 23 317 Computer Misuse Williams, M., Virtually Criminal (Routledge, Abingdon, 2006) Willmore, L., ‘Government policies towards information and communication technologies: a historical perspective’ (2002) 28 Journal of Information Science 89 Wilson, D and others, Fraud and Technology Crimes: Findings from the 2003/04 British Crime Survey, the 2004 Offending, Crime and Justice Survey and Administrative Sources, Home Office Online Report 09/06 Young, J., The Exclusive Society (Sage, London, 1999) Zedner, L., Criminal Justice (Oxford University Press, Oxford, 2004) Command papers Beveridge, W., Social Insurance and Allied Services (Cmd 6404, 1942) HM Treasury, Investing in Britain’s Potential: Building Our Long-term Future (Cm 6984, 2006) Secretary of State for Work and Pensions, Ready for Work: Full Employment in Our Generation (Cm 7290, 2007) Parliamentary reports The BSE Inquiry, ‘BSE Inquiry Report’ HC (1999–00) 887 European Union Committee, ‘The Criminal Law Competence of the European Community: Report with Evidence’ HL (2005–06) 227 European Union Committee, ‘Schengen Information System II (SIS II)’ HL (2006–07) 49 Joint Committee on Human Rights, ‘The Council of Europe Convention on the Prevention of Terrorism’ HL (2006–07) 26; HC (2006–07) 247 Select Committee on European Communities, ‘Incorporating the Schengen Acquis into the European Union’ HL (1997–98) 139 Standing Committee C, ‘Computer Misuse Bill’ HC (1989–90) 318 Index abetting 205 Abortion Act 1967 240 access codes 211 Ahmad, Babar 123–4 aiding 205 Akdeniz, Y 271, 272 
Alder, M 99–100 All Party Parliamentary Internet Group (APIG) 38–9, 66, 72, 213 alteration 210, 228 American Civil Liberties Union (ACLU) 221–2 American Express 55 American Model Penal Code 100 analytical engine 14, 38 analytical theories 97 APCERT 256 Apple Macintosh 16, 18 arms trafficking 197 ARPANET (Advanced Research Projects Agency Network) 16–17, 19, 46 articles used in offences 75, 77–84, 211–12 Ashcroft v Free Speech Coalition 217 attempting 205 Avalanche 60–6, 90 Babbage, Charles 14 Bainbridge, D 25, 28 Baker, S 271 Baker, T 140, 172 Baldwin, R 247 Bangemann Report 200–1 Barlow, J.P 169 Beck, U 151, 152–3, 154, 155–6, 158–9, 161, 246 Becker, H 115–16 behaviour changed by law 240–1, 242 technology and 8, 33, 292 Benn, Hilary 157 Berners-Lee, Tim 1, 46–7 Beveridge report 152 BITNET (Because It’s There Network) 17–18 Black, J 246 Blears, Hazel 79 Bletchley Park 14 Bonger, W 111 Boyle, J 103 Bradbury, J 146–7 Bradley, J 134 Braithwaite, J 170, 245 Brans, M 138–9 Brenner, S.W 223 British Standards Institution 273–4 Brokenshire, James 78–9 Brown, J 135 BSE Inquiry 134–5 BT Prestel system 26–8, 43, 282 bulk e-mail 64 Bunyan, T 199 burglary 40, 55, 77–8, 101, 268–9, 275–6 319 Computer Misuse calculators 15 car ownership 240–1 Carr, I 154–5 Casati 191 Cassis de Dijon 191 Castells, M 169 CBS Songs Ltd v Amstrad Consumer Electronics plc 77–8 Central and Eastern European Networking Association (CEENet) 256 Centre for the Protection of the National Infrastructure (CPNI) 261 CERTs (Computer Emergency Response Teams) collaboration between 253–6 effectiveness of 256–60 incident reports 49f overview 260–1 role of 47–8, 250–3 Chicago School 139 child pornography 215, 216–18, 272 Child Pornography Prevention Act 1996 216 Citizens’ Advice 265 civil wrongs 119–22 Clark, L.L 223 Clarke, Charles 68 climate change 156–7 Clipper chip 270–1 Coaker, Vernon 217–18 cognitive science theory 145, 147–8 Cohen, Harry 33–4, 37 Cohen, M.R 107 Colossus 14 Colvin, Michael 30, 105 
commercialism 240–2 Commission v Council (Case C-440/05) 193 Commission v Council (Case C-176/03) 190–3 Common Foreign and Security Policy (CFSP) 189 Commonwealth initiatives 226–7 Communications Act 2003 90–1 community of fate 152–3 Computer and Computer-related Crimes Bill 226 computer crime, concept of 5, Computer Crime (Scotland) Bill 30 320 Computer Crime (Scottish Law Commission) 29 computer, definitions of 35–8 Computer Emergency Response Teams (CERTs) see CERTs computer misuse costs of 105, 201 definition 56–7, 126–7, 282–3 expansion of 47–8, 282 regulation pre-1990 22–8 vulnerabilities 48f Computer Misuse Act 1990 alternatives to 284 amendments see Police and Justice Act 2006 cautions 50f effectiveness of 283–5 genesis of 28–31, 281–3 jurisdiction 42–3, 123 limitations and proposals 66–7 passage of 31–4 prosecutions under 49–52, 50f, 94, 185, 292 unauthorised access to computer material 35 unauthorised access to computer material interpretation 52–8 unauthorised access with intent 39–40 unauthorised access with intent interpretation 58–9 unauthorised modification 40–3 unauthorised modification interpretation 59–66 Computer Misuse Act 1990 (Amendment) Bill 66 computer tendency syndrome 54 computing history 14–19 consensus view of crime 104–5, 106, 110–11, 122, 124 Consumer Protection Act 1987 175–6 Convention on Cybercrime additional protocols 215–21 adoption of 212–14, 289–90 computer-related offences 212 computer systems definition 38 confidentiality, integrity and availability 210–12 content-related offences 212 copyright 212 Index criticisms of 221–5 drafting of 209–10, 215 G8 234–5 human rights 221–2 making, supplying or obtaining 75 overview 225 ratification 208–9, 213, 222 testing tools 76 copyright 101–3, 212, 244 Copyright Act 1956 77–8 Copyright, Designs and Patents Act 1988 101 corruption 197 Council of Europe see also Convention on Cybercrime Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 85 
criminal law competence 190–3, 193 Framework Decision 72, 202–6 initiatives 208–9 jurisdiction 205 Project Against Cybercrime 214, 229–30 Counter Terrorism Committee 230, 290 counterfeiting 197 Cox v Riley 22–3, 25, 41–2 Creating a Safer Information Society (European Commission) 201–2, 248–9 crime prevention 87, 173 crimes against humanity 215, 219 criminal damage 73 Criminal Damage Act 1971 22–4, 41–2 Criminal Justice Act 2003 137 Criminal Justice and Immigration Act 2008 218 Criminal Justice and Police Act 2001 89 Criminal Justice and Public Order Act 1994 86 criminal law Community law and 188–94, 207–8 computer misuse and 127t Convention on Cybercrime 218 Council of European Union 202–6 environment and 191–3 guiding principles 202 instrumentalist construction 99–106, 124–5, 285 interactionist theory 114–19 jurisdiction 122–4, 205, 292–3 moralistic construction 106–10 overview 281–3, 293–4 passerelle provision 194–6 risk and 171–2, 179–86 sovereignty 293 sovereignty and 190 structural conflict theory 110–14, 183 theories of 97–9, 124–8 criminalisation alternatives to European Council 202 Group of Eight (G8) initiatives 232–3 instrumentalist construction 100, 104–6, 124–5, 285 interactionist theory 118, 285–6 moralistic construction 110, 125, 285 overview 285–7 structural conflict theory 112–14, 125, 285–6 cross-border surveillance 198 Crown Prosecution Service, guidance 83–4 CSIRT (Computer Security Incident Response Team) 252, 256 culture of security 249–50 customary international law 174 cybercrimes 5–6 see also Convention on Cybercrime computer definitions 38 Dahrendorf, R 111 damaging 210 Dangerous Dogs Act 1991 171–2 dangerousness 136–7 DARPA (Defence Advanced Research Projects Agency) 19, 117 data-processing 14, 15 Data Protection Act 1984 34, 85, 284 Data Protection Act 1998 85–9, 277 Data Protection Registrar 85–6 Data Protection Tribunal 85–6 data retention 224, 226 de minimis trap 105–6 Dean, M 164 DEC PDP-10 15 deception 92–3 defective goods 175–6 
Defense Advanced Research Projects Agency (DARPA) 250–1 deletion 210 denial-of-service 321 Computer Misuse actus reus 72 Communications Act 2003 90–1 costs of 69, 201 definition 61 public concern about 66 Denning, D 109 Department for Innovation, University and Skills 273–4 deterioration 210 Devlin, P 100, 107–9 digital realism 239 Digital Rights Management 113 Disasters Emergency Committee 60 disclosure 87 distress or anxiety, causing 89–90 Domestic and General Group 60–6, 90 domestic violence 120, 121 dot coms 46 Douglas, M 147–50 Downing, R.W 222–3 DPP v Bignell 54, 56 DPP v Jones 36–7 DPP v Lennon 60–6, 90, 182, 283 DPP v McKeown 36–7 Draft Criminal Code 73 Driver, S 154 Department of Trade and Industry 106 Duff, R.A 99, 106 Dworkin, R 109, 122 e-mail bombing 60–6 East Coast Code 239–41, 243–4 education 265–9 efficacy 98–9, 126 egalitarians 151, 182–3 electricity abstraction 24–6 Elsa, P 258–9 enabling provisions 70, 74 encryption 85, 269–72 enforced subject access notification 86 ENIAC (Electronic Numerical Integrator and Computer) 14–15 Enigma machines 14 Enlightenment 159 environment criminal law and 191–3 precautionary principle 175 Environment Agency 261 equivalence doctrine 188 Ericson, R.V 173 ethernet technology 17 322 ethical hacking 76 EURIM (European Information Management Group) 77 Eurojust 189 European Commission Communication on cybercrime 206, 249 Creating a Safer Information Society 201–2, 248 criminal law competence 190–3, 193 current initiatives 206–7 European Union and 190–1 G8 and 231 technical regulation 269 European Communities Act 1972 188 European Communities Pillar 189–94 European Community Agencies 254 European Convention on Human Rights 99, 126 European Government CSIRTs (EGC) group 255 European Judicial Network (EJN) 189 European Network and Information Security Agency (ENISA) 254–5 European Union European Commission and 190–1 initiatives 187–8 pillars 189–92, 196–7 precautionary principle 175 European Union (Amendment) Bill 199–200 
European Union Treaty 189–90 passerelle provision 194–6 Europol 189 Ewald, F 132, 135, 137, 138, 152, 162–3, 164 expert knowledge 162 extra-legal governance see also CERTs (Computer Emergency Response Teams) education 261–5 effectiveness of 291–2 frameworks for 239–50 overview 275–7 public/private framework 239–48 technical regulation 269–74 typology 248–50 WARPs (Warning, Advice and Reporting Points) 261–5 extradition 55–6, 123–4, 190 Schengen acquis 198 Index Extradition Act 2003 123 false e-mails 90 false instrument 27 false representation 93 fatalists 150, 182 fear of crime 173 Featherstone, Lynne 69, 78 file-sharing software 244 Financial Services Authority (FSA) 277 Financial Services Information Sharing and Analysis Centre (FSISAC) 252 Financial Times 53–4 Firearms (Amendment) (No 2) Act 1997 172 First Pillar 189, 190–4, 207 Flannagan, A 223 floppy disks 20–1 Forno, R 251 foot-and-mouth disease 178 Football (Disorder) Act 2000 172 forgery 212 Forgery and Counterfeiting Act 1981 26–8, 43, 282 Forum of Incident Response and Security Teams (FIRST) 256 Foucault, M 161–3 Fox, D.J 170–1 fraud 93, 212 Fraud Act 2006 5, 92–3, 284 freedom of information 103–4 Freedom of Information Act 2000 277 freedom of speech 216–18, 243 Fuller, L.I 98–9, 126 Furedi, F 157, 168, 173, 183 Gender Recognition Act 2004 240 genocide 219 genocide denial 215 Get Safe Online 266–8 Giddens, A 111–12, 151, 153, 155, 156, 160, 200, 246 globalisation risk and 150 risk society 154, 158 Goldsmith, J.L 225 governance see also extra-legal governance explanation of 165–73, 184–5 legal governance 235–7, 289–91 overview 287–9, 293 precautionary principle 176 technical regulation 269–74 governmentality, risk and 161–4, 184, 288 Gowers Review 102 Greatorex, P 192 Greenleaf, G 239 Gross, O 146 grossly offensive e-mails 90 Group of Eight (G8) 231–5 policeable technologies 249, 269 Habermas, J 246 hacking basic offence 52–8, 70 ethical hacking 76 history of 19–21, 43 regulation pre-1990 22–8 Hafner, K 20 
Haggerty, K.D 173 Harare Scheme 226 harm copyright 101–2 criminalisation 128 de minimis trap 105–6 European Council 203 perceptions of 102–4 seriousness 210 theories of 104–6, 285 United States 100 Harris, Tom 67 Hart, H.L.A 98–9, 104, 108–9, 122, 126 Hayek, F.A 139 health insurance 141–2 Heidensohn, F 116–17 Heimer, C.A 142, 144, 152–3 Hey, E 174 hierarchists 151, 183 hindering without right 211 Hirst, P 166, 171, 202 HM Treasury Holder, C 94 Hollerith, Herman 14 homosexuality 108–9, 120–1 honeynets 270 Hood, C 161, 172 House of Lords 192, 195, 200 Hubner, Hans 20 human rights 99, 126, 221–2 Hume, D 97 Hurst, P 271 323 Computer Misuse Hyden, G 166 IBM 15, 16 identity cards impairment 65, 73–4 implied consent 63, 64, 65, 73 indecent e-mails 90 individualists 150 industrialisation 155–6 information and enforcement notices 86 Information Commissioner 86, 87, 88, 277 information security Information Tribunal 86 Ingraham, D In re Boucher 272 instrumentalist construction 99–106, 124–5 insurance criminal law and 180 moral hazard and 141–5 overview 287 reinsurance 138–41 risk and 135–7 intellectual property rights 101–3 intent 78 intention 77–8 intentional access without right 204, 210–12 interception 89, 222–3 interception without right 210–12 internal morality 98–9, 126 international standards 272–4 International Standards Organisation 273 Internet evolution of 46–8 world usage 47f INTERPOL 224 is/ought 97–8 ISO 9001 273 ISO/IEC 12207 273 ISPs 220 Johnson, D 123 Jones, H.W 139–40 journalism 261 jurisdiction 42–3, 122–4, 205, 292–3 Justice and Home Affairs 197 Kalanke 191 324 Kant, I 97–8 Katyal, N.K 247–8, 270 Keyser, M 224 Kickert, W 167–8 Killcrece, G 251 Kjaer, A.M 166–7, 253 knowledge gap 18–19, 103, 265–9 Lacey, N 116 LAN (Local Area Network) 17 Law Commission of England and Wales 30–1, 36–7 legal governance 235–7, 289–91 extra-legal governance and 275 Lemley, M 241 Lemmens 191 Lenk, K 171 Lessig, L 239–40, 242, 247, 266, 269–70, 274 Levy, S 19 Lewis, B.C 223–4 
likelihood 78–82, 83–4 Lipson, H 258 Lloyd, I 28 Local Government Act 1988 265–6 Lupton, D 158, 159, 162 MacCormick, N 200 McGowan, D 241 McKinnon v USA 123 mail-bombing 60–6 Malicious Communications Act 1988 89–90 making, supplying or obtaining 74–84 articles used in offences 75, 77 fraud 93 intention 77–8 likelihood 78–82 penalties 75 penetration testing 76 mala prohibita 105–6 Malicious Communications Act 1988 89–90, 284 Mandla v Dowell Lee 218–19 manufactured uncertainty 156–7 Marler, S.L 221–2 Martell, L 154 Marx, K 110–11 Marxism 111–12, 157, 167 Metropolitan Police Commissioner v Caldwell 73, 79 Index Michael, J 99–100 Microsoft criticisms of 113 technical regulation 274 Microsoft Windows 16, 18 Mill, J.S 104, 108 Miller, H.T 170–1 Miller v California 216 Milton, P 98 minicomputers 15 misconduct in public office 89, 284 MIT 19 Mitchell, B 109 MITS Altair 8800 16 mobile phones 177–8 model criminal code 225 modernisation 158–61 modification see unauthorised modification money laundering 197 Moore, G.E 97 Moore, R.S 107 moral hazard, risk and 141–5 moralistic construction 106–10 morality 97–9 mutual assistance 190, 222, 223 National Cyber Forensic Training Alliance (NCFTA) 251 National Heath Service (Connecting for Health) Information Governance 261 National Hi-Tech Crime Unit 72, 114 National Identity Register National Science Foundation 46 natural surveillance 270 NCP (Network control protocol) 46 Neighbourhood Watch 263 neo-liberalism 162, 184 network analysis tools 211–12 networking growth of 16–18, 43 post-1990 46–8 New York v Ferber 216 Nicholson, Emma 30 Nimmer, R normative theories 97 Northern Rock 140 Northesk, Earl of 73, 80, 94 notice and take-down 220, 221 obscene articles 43 observer countries 208 obstructing certain lawful inspections 86 Ofcom 277 Official Secrets Act 1989 57 Ogus, A 247 Okinawa Charter 233 O’Malley, P 144–5, 165 Organisation for Economic Cooperation and Development (OECD) 233, 249, 269 organised crime 197 Packer, H.I 100 
participants 249–50 passerelle provision 194–6 passwords 211, 228 penetration testing 76, 211–12 PENWARP 261 personal computers 16 Peter, N 192 Peters, B.G 167 Philip, Prince 26 phone phreaks 20, 43 photographs 218 Pierre, J 167 ping attacks 62 Police and Criminal Evidence Act 1984 36 Police and Judicial Cooperation in Criminal Matters 189–94 Police and Justice Act 2006 commencement 206 Convention on Cybercrime 213 interpretation 94 making, supplying or obtaining 74–84, 284 rationale 67–70 unauthorised access 70–1, 284 unauthorised access with intent 71–4 unauthorised modification 284 police misuse 54–5, 57–8, 87–8 policeable technologies 249, 269 policing, risk and 173 pornography 216 positivism 98 Post, D 123, 241–2, 245–6 Powell, J 140 precautionary principle 174–9 Pretty Good Privacy (PGP) software 272 325 Computer Misuse Pritchard, Mark 69 privacy 221–2, 270–2 Project Against Cybercrime 214 prosecutions 49–52, 50f, 94, 185 Protection of Children Act 1978 218 provident state 152 public engagement 265–9 Public Order Act 1986 218 public/private wrong 119–22 public transport 240–1 R v Bedworth 53–4 R v Bow Street Metropolitan Stipendiary Magistrate and Allison, ex parte Government of USA 55–7 R v Brown 88 R v Cropp 52–3 R v Cunningham 73 R v Cuthbert 60, 283 R v Delamare 58–9 R v G 73 R v Gold and Schifreen 26–8, 43, 282 R v Hardy 57–8 R v Jones and Smith 55 R v Pile 59 R v Rooney 88 R v Stanford 89 R v Talboys 22 R v Whiteley 23–4, 25 Race Relations Act 1976 218 Racial and Religious Hatred Act 2006 218 racism 215, 217–18 Radio Amateurs’ Emergency Network (RAYNET) 261 ransomware 84–5 rape 120 Re Boucher 272 Re Holmes 93 recklessness 72–3 ‘Recommendations on Transnational Crime’ (G8) 234–5 reflexivity 158–61, 184 Regulation of Investigatory Powers Act 2000 89, 284 regulation pre-1990 22–8 Reidenburg, J 169 reinsurance 138–41 Reinsurance (Acts of Terrorism) Act 1993 140 religious hatred 218–19 326 Reno v American Civil Liberties Union 216 Renouf, M 193 Report on 
Computer Crime (Scottish Law Commission) 29 research methodology 295–8 research questions 2–4 Rheingold, H 103 Rhodes, R.A.W 166–7, 168–9, 253 risk concept of 132–4 constructionist perspective 145–7 criminal law and 179–86 cultural and symbolic perspectives 147–51, 150t, 182, 287 governance 165–73 governmentality 161–4, 184, 288 ignorance of insurance and 135–7 moral hazard and 141–5 objective/subjective 154 overview 287–9 precautionary principle 174–9 realist perspective 134–5, 147–8, 180 reinsurance 138–41 state and governmentality 161–4 risk-avoidance 163 risk society 151–61 criminal law and 183–4 overview 288 reflexivity 158–61, 184 state and governmentality 161–4 technology and 154–7 welfare state and 152–3 Rogers, M.K 110 Rose, N 136 Rosenau, J.N 166 Rossbach, M 138–9 Royal Society 146–7 Russian Federation 208 safe havens 229, 232 Salomon, J.M 258–9 Schengen acquis 198–9 science 159–60, 162, 174, 177 Scott, C 246 Scottish Law Commission 28–30, 35–6 Second Pillar 189, 197 securing access 35 security precautions 64–5, 76–7 Sellin, T 111 Selznick, P 245 Serious Crime Act 2007 70, 74 Serious Organised Crime Agency 114, 266 seriousness 285 sexual exploitation 197 Sexual Offences Act 1967 240 ship-source pollution 192 Simon, J 140, 172–3 Sinclair Research 16 Smith, D 257–8 Smith, J.C 56 Social Chapter 199 Social Issues Research Centre 177–8 social norms 240 software development standards 272–3 sovereignty 122, 190, 199–200, 236, 293 Spafford, E 109 spam 6–7, 64 spyware 83 stand-alone computers 54 state, role of 161–4 Steele, J 133, 142 Stephen, Sir James 106–7 Stewart Report 177–8 Straw, Jack 172 structural conflict theory 110–14, 125 subscription television channels 41 substantial harms 101–2 Sui-Tak Chee 24–5 Suler, J 110 Sunstein, C.R 146, 177 suppression 210 surveillance 198, 270 Task Force of Computer Security and Incident Response Teams (TF-CSIRT) 255–6 TCP/IP (Transmission control protocol/ Internet protocol) 46 technical regulation 269–74 technology 
behaviour and 8, 33 precautionary principle 177–9 risk society and 154–7 technology of regulation 246 Telecommunications Act 1996 242 temporary impairments 65, 73 terminology 4–9 terrorism Counter Terrorism Committee 290 Lisbon Treaty 197 United Nations initiatives 230 Terrorism Act 2000 91–2, 122, 124 Terrorism Act 2006 219–21, 284 testing tools 76–7, 211–12 Teuber, G 245 Theft Act 1968 24, 84–5, 93, 275–6, 284 Theft Act 1978 93 Third Pillar 189, 190–4, 197, 207 Third Way 153–4 Thomas, W.I 115 Thompson, G 166, 171, 202 threatening e-mails 90 Tobler, C 191–2 trafficking 197 Trans-European Research and Education Networking Association (TERENA) 255 Treaty establishing the EEC 188, 193 Treaty of Lisbon 196–200, 207 Treaty of Maastricht 199 Treaty on European Union 189–90, 193 passerelle provision 194–6 Trojan horses 41 trust relationships 168 Trusted Introducer (TI) 255 Tsouli, Younes 124 Turk, A.T 111 UKCERTs 254 UKERNA 262 unauthorised access actus reus 39 Computer Misuse Act 1990 35–9 definition 56–7 interpretation 52–8 mens rea 39 penalties 70, 71 Police and Justice Act 2006 70–1 Regulation of Investigatory Powers Act 2000 89 United Nations initiatives 228–9 unauthorised access with intent interpretation 58–9 Police and Justice Act 2006 71–4 unauthorised modification actus reus 65, 72 Computer Misuse Act 1990 40–3 interpretation 59–66 Lennon 62 mens rea 65 penalties 72 Police and Justice Act 2006 71 unemployment 142–4 United Kingdom Interdepartmental Liaison Group on Risk Assessment (UK-ILGRA) 178–9 United Nations Convention on Cybercrime 229 initiatives 228–30 technical assistance 249 technical regulation 269 United States CERTs 250–3 computer definitions 36–7 Convention on Cybercrime 215–17, 221–2, 225 in Council of Europe 208 East/West Coast Code 239–41, 243–4 encryption 272 freedom of speech 216–17, 243 harm 100 international standards 273 precautionary principle 176 Telecommunications Act 1996 242 Unlawful Internet Gambling Enforcement Act 
2006 244 UNIVAC (Universal Automatic Computer) 15 Unlawful Internet Gambling Enforcement Act 2006 244 unlawful trade 87 US census (1890) 14 V-chip 242–3 Van Blarcum, D 217 Van Wyk, K.R 251 Vermeulen, G 190 vetoes 195, 207 virtual child pornography 216, 218 viruses Computer Misuse Act 1990 41 harm 106 history of 20–1 interpretation 59–66 prosecutions 49–51 United Nations initiatives 229 Vold, G 111 von Colson 191–2 Wagner, R.P 103–4 Walden, I 87–8, 214, 227, 233 Walker, C 92, 271, 272, 276 Wall, D.S 6, 105–6, 242, 270 warning and response systems see CERTs (Computer Emergency Response Teams); WARPs (Warning, Advice and Reporting Points) WARPs (Warning, Advice and Reporting Points) 261–5 Wasik, M 25, 54–5, 58, 88, 89, 94–5, 125–6 weapons of offence 77 Weber, A.M 224–5 websites, interference with 41 welfare state 138–41 risk society and 152–3 West-Brown, M.J 252, 257 West Coast Code 239–41, 243–4 Whine, M 221 Wiener, J.B 176 Wiik, J 251 Williams, K.S 154–5 Willmore, L 171 Wolfenden report 108 World Wide Web 46–7 worms 41 Wyatt, Derek 66 xenophobia 215 Young, J 117 Zedner, L 108 ZX80 16
problem of computer misuse The emergence of the problem of computer misuse 13 A brief history of computing Manifestations of computer misuse Pre-1990 regulation The genesis of the Computer. .. [1995] ECR I-3051 (CJEC) 191 Foster v British Gas (Case C-188/89) [1990] ECR I-3313 (CJEC) 236 Francovich and Others v Italian Republic (joined Cases C-6/90 and C-9/90) [1991] ECR I-5357 (CJEC)