Cyber-crime – criminal offence or civil wrong?

Paul Barton and Viv Nissanka, Field Fisher Waterhouse

Computer Law & Security Report Vol. 19 no. 5 2003 ISSN 0267 3649/03 © 2003 Elsevier Ltd. All rights reserved

Comparative computer crime

This article compares the differing approach that the UK and the US take to computer crime. Criminal legislation remains the primary tool in the regulation of computer crime in both the UK and the US. The key question is whether the UK should follow the precedent set by the US legal community and utilise the civil courts to prevent interference or damage to websites or computer networks, or whether the UK should remain resolutely committed to the prosecution of such offences through the criminal courts.

A. Introduction

The threat of computer crime in the UK is a prevalent force within the media and the public imagination. Evidently, the law enforcement authorities are facing a two-pronged attack. Firstly, they must deal with seemingly benign individuals, such as those who defaced the Labour Party’s website in protest at Tony Blair’s pro-American stance. Secondly, they are being faced with a greater threat from committed terrorists who are setting their sights on exploiting any potential vulnerability in the UK’s computer networks.

The term “computer crime” has often been used to cover a multitude of offences ranging from virus dissemination, hacking and organised crime to terrorist rings that use the computer and computer networks in the commission of the offence. There is now a real concern that computer networks are at risk from cyber-terrorists whose primary aim is to de-stabilise and disrupt Western society. However, there is now an extensive armoury of criminal legislation, aimed at non-terrorist and terrorist alike, at the disposal of the UK law enforcement authorities, with more planned for the future.

The US has adopted the approach of using the civil law to tackle non-violent computer hackers where damage is limited to a specific amount. For example, under the US Computer Fraud and Abuse Act (18 U.S.C. § 1030) (the CFAA), if information is retrieved without authorisation from a website, then an individual will incur a civil penalty. This means that a court will grant an injunction and damages of up to an aggregate value of US$5000 over the course of one year to the operator of the website which has suffered the loss. Under Section 1030(e)(2)(B) of the CFAA, a protected computer is widely defined as one “…which is used in interstate or foreign commerce or communication”.

Following complaints that the civil sanction was ambiguous, the CFAA was amended by the PATRIOT Act 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). The CFAA now defines a loss as:

any reasonable costs to any victim, including the cost of responding to an offence, conducting a damage assessment and restoring the data, program, system, or information to its condition prior to the offence, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

If such a discretionary approach were adopted in the UK, it would allow law enforcement authorities to concentrate and apply the full weight of the criminal law against the likes of Al Qaeda.

It is even debatable whether the State should regulate activity that is encouraged by the persistent failure of businesses to adopt stringent security measures to safeguard their IT systems. In the face of limited public resources to fund expensive criminal prosecutions against computer hackers or virus writers, one option would be to place the onus firmly in the hands of businesses to take action against such activities through the civil courts and to implement defensive measures to prevent their spread.

No computer system is impregnable or 100% secure, as disgruntled employees are in a position to supply passwords and other security information. In such cases, and depending on the level of damage caused, the law enforcement authorities and the business should co-operate to take action against the employees through disciplinary measures, civil sanctions or criminal prosecution.

B. Joined-up approach

Criminal law is fraught with jurisdictional issues. This is especially so in the case of computer criminals who are located outside the UK and who may not be amenable to prosecution in the UK if no extradition treaty exists. However, the growing myriad of treaties that allows law enforcement authorities to extradite alleged computer criminals means that there are fewer safe countries where would-be computer criminals can now hide. The passing of the Council of Europe Convention on Cyber-Crime[1] means that computer hackers can even be extradited from and to countries that have no formal extradition treaties with the UK. The UK and the US are two of the 26 nations who have so far signed it.

Any UK citizen facing extradition to the US is now facing the prospect of longer sentences and the complex federal and state legislation on computer crime. Under the UK’s Computer Misuse Act 1990 (the CMA), the maximum sentence is five years. In March 2002, a federal court in New Jersey sentenced Timothy Lloyd[2] to nearly three and a half years’ imprisonment and fined him nearly US$2 million in restitution. This was seen as a deterrent sentence in the wake of the increasing number of computer crime offences. The court stated on sentencing that:

The government wishes that you should be punished severely. What you did was wrong. What you did not only affected the company, but the people who worked there… We need to deter others in this increasingly computerized world and economy.[3]

In another example, the creator of the Melissa virus received a 20-month custodial sentence and a US$5000 fine. This is what Gary McKinnon, a British suspect accused of hacking, will face. McKinnon is accused of hacking into 92 separate US military and NASA networks. It is alleged that the intrusions also made the network that serves the military district for Washington inoperable. The US has now sought the extradition of McKinnon and he has been indicted on eight charges of computer crime involving US$900 000 (approximately £600 000) of damage to computers in fourteen states. Each charge carries a prison sentence of up to ten years and a US$250 000 fine.

The UK courts have started to adopt a similar approach. Simon Vallor, a 22-year-old Welsh web designer who pleaded guilty to three offences under Section 3 of the CMA for creating the Gokar, Redesi and Admirer mass mailing viruses, was sentenced to two years’ imprisonment in January 2003.

On sentencing Vallor at Southwark Crown Court, the presiding Judge, HHJ Rivlin QC, in very similar language to that of the judge in the Timothy Lloyd case, noted that the sentence was intended to act as a deterrent for potential future virus writers. The judge went on to state:

virus writers are not so-called computer buffs or nerds, they happen to be criminals... their viruses cause destruction, disruption, consternation and even economic loss on a grand scale.

The three viruses had spread to 27 000 computers in 42 countries and caused untold damage. Not all countries treat computer hackers or virus writers in the same hard-line manner as the UK courts. Mainland Europe is taking a different stance; the Dutch courts sentenced the author of the Anna Kournikova worm, Jan de Wit, to just 150 hours’ community service. The court had given De Wit the choice of 150 hours’ community service or 75 days in jail for releasing the virus. In addition, the court confiscated a CD-ROM containing thousands of viruses but not his computer hardware.

In comparing the level of sentences that were imposed in the 1980s by the US and UK courts, it is evident that the sentence in the Lloyd case is rather severe. For example, in 1988, the author of the Internet Worm, Richard Morris, was prosecuted and was sentenced to only three years’ probation, 400 hours’ community service, and a fine of US$10 050. The highest sentence handed down to a British virus writer before the Vallor case was that of Christopher Pile in 1995. Pile had created two viruses (Pathogen and Queeg) that made use of the SMEG (Simulated Metamorphic Encryption Generator) technology and were therefore difficult to detect. In one of the first cases under the Computer Misuse Act 1990, Pile pleaded guilty to eleven charges and was sentenced to eighteen months’ imprisonment.

C. Private sector controls

Although September 11 seems to be the spur for these recent robust security measures, the dangers of internal threats faced by a business should not be underestimated. Disgruntled employees can cause as much chaos as any committed terrorist. Both Europe and the US have recognised that internal network security is crucial. Numerous surveys in the US and the UK have identified that security breaches remain at a critical high. Such surveys also routinely record the failure of businesses to report security breaches to law enforcement authorities due to concerns that such reporting would harm a business’s reputation. The 2002 DTI Security Breaches survey reports that 44% of UK businesses had suffered at least one malicious security breach in the past year.

Now both the US and the UK are taking firmer action and considering the implementation of mandatory measures to ensure that businesses report or tackle security breaches effectively. The authorities have recognised that computer crime and cyber-terrorism could be stopped dead in their tracks if those at risk implemented preventative measures. So, in spite of moves on both sides of the Atlantic, some commentators have said that this is still:

…the golden age of hacking… there has not been enough of an effort to secure our systems...this amounts to negligence.[4]

The Californian legislature has now put on its statute book a law that requires all agencies, businesses or individuals conducting business in California which collect personal data to notify their customers of any security breaches. California Law SB 1386 will take effect from 1 July 2003. The controversial law has angered many Californian businesses that are alarmed at the damage that such disclosures may have on their business reputation and share prices.

In the UK, under the Data Protection Act 1998 (as amended) (the DPA 1998), businesses which are data controllers are required by the seventh data protection principle to ensure a level of security appropriate to the harm that might occur from such unauthorised or unlawful processing or accidental loss, destruction or damage, and the nature of the data to be protected. The DPA 1998 does not contain any explicit requirement that an individual should be notified by a data controller that any loss of data has occurred. However, if such loss of data leads to damage or distress being suffered by the individual, then the individual can claim compensation where the data controller cannot prove that it took reasonable measures to comply with the seventh data protection principle.

Furthermore, the Department of Trade and Industry (the DTI) is considering whether UK businesses should be required to implement ISO/IEC 17799:2000. This is an international standard adopted by the International Organisation for Standardisation and the International Electrotechnical Commission: Information Technology – code of practice for information security management. ISO/IEC 17799:2000 is an entry-level framework for information security and identifies good practice objectives such as organisational security, asset classification, personnel security, physical and environmental security, access control, mobile computing, and teleworking. We wait to see whether the DTI will follow through and make ISO/IEC 17799:2000 a mandatory measure.

D. Protection of information systems

Both the US and Europe have belatedly identified that information security and technology systems now underpin key industries such as telecommunications, financial services, and transport networks. The use of the Internet by Al Qaeda terrorists to communicate before the September 11 atrocity has heightened fears that the US and Europe remain unprepared for any potential cyber-terrorist attack against their critical IT networks.

In the wake of such concern, the US Congress passed the Cyber Security Research and Development Act in February 2002. This Act established the US National Institute of Standards and Technology, which was mandated to develop a security plan to repel terrorist attacks on the US’s critical IT networks.

On passing the Act, Congressman Sherwood Boehlert acknowledged that information security was now a fundamental cornerstone of modern American society:

For while most Americans have been focused exclusively on hijackings, bombs and bio-terrorism, the experts tell us that the nation is also profoundly at risk from cyber-terrorism. In an era when virtually all the tools of our daily lives are connected to, and reliant upon computer networks, a cyber attack could knock out electricity, drinking water and sewage systems, financial institutions, assembly lines, and communications – to name just a few. We must improve our ability to respond to these threats.

The Cyber Security Research and Development Act authorised the expenditure of nearly US$903 million for research efforts over the next five years. The US Congress has also established a Department of Homeland Security and a Science and Technology Directorate to oversee cyber security as well as other uses of technology in counter-terrorism.

Likewise, Europe is adopting a similar approach and is establishing a new network and information security agency. The proposed agency’s aim is to raise awareness of IT security; it will act as a centre of excellence for information security and help businesses fight security threats ranging from external viruses, theft and fraud to internal abuse by employees and even industrial espionage.

Alongside the creation of the agency, the European Council is in the process of discussing the final draft of the new European Council Framework Decision on attacks against information systems (the Information Systems Decision).[5] This measure is intended to be complementary to the European Arrest Warrant,[6] the Council Framework for Combating Terrorism[7] and the European Convention on Cyber-Crime.

The Information Systems Decision concerns operations that disrupt, deny, degrade or destroy information held in computers and computer networks and is intended to be technology neutral. “Information System” is defined as:

any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.

This broad definition will include networks, servers, the Internet, personal computers, personal digital organisers, mobile telephones, intranets, extranets and other infrastructure connected to the Internet.

The Information Systems Decision does encourage Member States to avoid over-criminalisation of minor cases and to provide penalties that can be effective, proportional and dissuasive. Under Article 9, Member States will also be able to use criminal and non-criminal penalties such as deprivation of state benefits, disqualification from commercial activities, supervision and winding up orders. Unusually, it has not specified that the confiscation of computer hardware should be compulsory alongside these penalties.

Although the Information Systems Decision is intended to harmonise European laws protecting information systems from hackers and organised crime, commentators have argued that it may not be a dramatic improvement on the CMA. One of their primary concerns had been that previous drafts of the Information Systems Decision would have actually worked to the advantage of hackers, as it appeared to allow hackers to access an information system without breaking the law provided there had been no intention to cause damage or to generate an economic benefit. The latest version of Article 3 has now been amended significantly and is broadly drafted to cover illegal access to an information system. Each Member State will be able to use the Article 3 offence or the Article 4 offence, which deals with illegal data interference, to tackle hacking and virus offences as well as cyber-terrorism. Each Member State will be free to exclude minor or trivial cases when transposing the scope of the Information Systems Decision into domestic law.

E. Civil remedies

Recently, the US courts have started to extend common law causes of action such as trespass to chattels (i.e. property other than freehold land) to interference with the functioning of a website or computer system. This approach is evident in the cases of eBay v Bidder’s Edge[8] and Oyster Software v Forms Processing.[9] In these two cases, the Californian courts held that some form of “proximately caused injury”[10] had been caused by the defendant’s actions. The only dissenting judgment has been in Ticketmaster v Tickets.com.[11] In the eBay decision, the court held that the deprivation of server bandwidth and capacity had constituted damage to eBay. The subsequent decisions in Register.com confirmed the eBay decision and stated that unauthorised use of a website would be a trespass to chattels. The New York courts have also approved similar reasoning in the Register v Verio[12] case.

In the Hamidi case,[13] the California Supreme Court has confirmed that Intel’s action for trespass to chattels and nuisance had failed. The Supreme Court held that:

…Such an electronic communication does not constitute an actionable trespass to personal property, i.e. the computer system, because it does not interfere with the possessor’s use or possession of, or any other legally protected interest in, the personal property itself.

Intel would have needed to prove actual damage to equipment and/or property. Intel’s claim that Hamidi’s emails had disrupted or distracted its employees did not amount to such damage.

There is no UK decision on this point. In 1999 Virgin.net settled an action out of court against Adrian Paris, a prolific spammer who had caused damage to Virgin’s email service.[14] Virgin.net had alleged trespass and breach of contract.

By analogy, the Torts (Interference with Goods) Act 1977 (TIGA 1977) or the common law doctrine of trespass to goods under English law would not appear to provide a similar remedy. Under the Torts (Interference with Goods) Act 1977, goods are defined as “all chattels personal other than things in action or money”.[15] Both TIGA 1977 and trespass to goods envisage that a physical chattel is taken away or interfered with. In the case of computer hacking or attack by a virus, the damage is done to the content of a website or computer system. The perpetrator does not physically remove the original content, although a copy may be cached or copied.

Case law suggests that mere touching is enough to constitute damage. In the case of Fouldes v Willoughby,[16] it was held that the physical scratching of a panel of a carriage would be trespass. It remains to be seen whether the English courts would uphold the proposition that damage to a website or computer system is equivalent to this. Most academic commentators have suggested that previous judicial assertions that an intentional interference without the removal of the chattel is not actionable are incorrect. They argue that this would mean that art galleries would be left with no legal remedy if the public were to touch artworks without consent. Consequently, valuable objects could be “touched with impunity”.[17]

The little used and under-developed tort of unlawful interference with economic or other interests, where one person uses unlawful means to cause damage to another, is an alternative option. The unlawful act must be directed or intended to harm the claimant, and damage to the claimant must be the end-result of the unlawful interference.

In Allen v Flood,[18] the House of Lords referred to the earlier case of Mogul[19] and commented that it was:

… accepted as undoubted law that a trader has a right to carry on his business without disturbance except in the way of fair competition.

The House of Lords then went on to affirm the comments made by Bowen LJ in the Mogul case, who had stated:

… no man, whether trader or not, can justify damaging another in his commercial business … intimidation, obstruction, and molestation are forbidden … assuming always that there is no just cause for it. The intentional driving away of customers by shew of violence; the obstruction of actors on the stage by preconcerted hissing; the disturbance of wild fowl in decoys by the firing of guns; all are instances of such forbidden acts.

It may be possible to argue by analogy that unlawful interference with a website or computer system would be akin to the examples given above (i.e. the subscribers are prevented from using the website or computer system through disruption).

F. Conclusion

As discussed, the remedies available to law enforcement authorities to combat computer crime or cyber-terrorism have grown considerably since the inception of the CMA. The National Hi-Tech Crime Unit is encouraging more businesses to report security breaches with the establishment of its industry hotline and the launch of its Confidentiality Charter. It is hoping that these measures will improve closer liaison with businesses and promote crime prevention.

For law enforcement authorities, the cyber-terrorist will be the primary target, and the legislation currently available is sufficient and draconian enough to stamp out such activity. It will be difficult to say whether law enforcement authorities will be forced to concentrate on such high level criminals, leaving them with little option but to take no action against hackers and virus writers as resources become finite.

For businesses, the civil remedies may not be attractive for the sole reason that the would-be computer hacker or virus writer will not necessarily have sufficient resources to pay any worthwhile damages for losses suffered by the business. In such circumstances, a criminal prosecution may be a preferable option for its deterrent value. Needless to say, businesses must continue to play their part and implement the necessary measures to prevent such criminal activities.

Paul Barton and Viv Nissanka, Field Fisher Waterhouse

Paul Barton [email protected] is a partner and Viv Nissanka [email protected] is an Assistant Solicitor in the Technology Law Group of the firm. Tel: +44 (0)20 7861 4000

FOOTNOTES

1 Formally adopted in November 2001. The text is available on the Internet at http://conventions.coe.int/Treaty/EN/CadreListeTraites.htm
2 2002 US District Court (Newark). Unreported case but see “Net Saboteur Faces 41 months” – Network World, 4 March 2002.
3 Judge William H Walls.
4 John Sleggs, Government Computer News, 7 April 2003.
5 http://register.consilium.eu.int/pdf/en/03/st08/st08687en03.pdf
6 Proposal for a Council Framework Decision on the European arrest warrant and the surrender procedures between the Member States (COM (2001) 522 Final), adopted by the Commission on 19.9.2001.
7 COM (2001) 521 Final. Adopted by the Commission on 19.9.2001.
8 eBay Inc v Bidder’s Edge Inc 100 F Supp 2d 1058 (ND Cal 2000).
9 Oyster Software Inc v Forms Processing Inc 2001 US Dist Lexis 22520 (ND Cal 2001).
10 Thrifty-Tel Inc v Bezenek (1996) 46 Cal App 4th 1559.
11 Ticketmaster Corp v Tickets.com Inc 54 USPQ 2d 1344 (2000) (CD Cal) (US).
12 Register.com Inc v Verio Inc 126 F Supp 2d 238 (SDNY 2000).
13 Intel Corporation v Kouroush Kenneth Hamidi, California Supreme Court (Ct App 3 C033076), 30 June 2003.
14 Unreported case 1999.
15 Section 14.
16 (1841) 8 M & W 540.
17 Clerk and Lindsell on Torts (18th edition) 14-135 [787].
18 [1898] AC 1.
19 Mogul Steamship Co v McGregor Gow & Co [1892] AC 25.
