Computer_Crimes_and_Digital_Investigations_----_(Pg_199--229)

Committing Crimes: Substantive Offences
harass’.531 However, the amendment has been criticized for potentially chilling free speech
through anonymous ‘blogs’ and Usenet.532
3.219 Existing law governing harmful communications remains based in an era of one-to-one
communication techniques, specifically voice telephony. However, the variety of one-to-
many communication techniques in cyberspace, such as personal websites, may challenge
the suitability of existing rules. The distress and anxiety caused to a target of malicious,
improper, or harassing communications is likely to be of a considerably greater magnitude
where the communications are of a public rather than private nature.
D. Computer-integrity Offences
3.220 When considering computer crime or cybercrime, most people think in terms of ‘hack-
ing’ into systems and the distribution of ‘viruses’. Such activities target the computers
themselves, as the subject, rather than as an instrument to commit other crimes. With the
spread of computerization and our consequential dependency, the adequacy of criminal law
to deter such activities has had to be addressed by policy-makers and legislators. In most
jurisdictions, the application of traditional criminal law has been often uncertain, such as
forgery, or completely inappropriate, such as theft of electricity.533 As such, sui generis legis-
lation has been adopted to tackle the threat to the security of computer and communication
systems.
3.221 The three primary activities we are concerned with are access, modification, or interference,
and interception; examining the suitability and sufficiency of these concepts to safeguard
the confidentiality, integrity, and availability of the systems themselves (both hardware and
software) and the data they process. Obtaining access and interception are primarily means
by which the confidentiality of data may be compromised, whether ‘at rest’ or ‘in transmis-
sion’; while interference is primarily centred on issues of system and data integrity and avail-
ability. Although access under UK law is primarily conceived in terms of computers and
networks, the information being processed as data is the underlying object of protection.
Access protection may be supplemental where the information is subject to other protective
regimes, such as laws on confidentiality, but may be the exclusive criminal remedy for many
forms of information crime. Criminalizing interference with systems and data, as distinct
Copyright © 2016. Oxford University Press, Incorporated. All rights reserved.
from traditional criminal damage, can be viewed as recognition of the enhanced status of
incorporeal property in our modern information society.
3.222 Another consideration when examining these offences is the level of sanction such acts
should attract. Does the scale of harm resulting from, and/or societal concern with breaches
of confidentiality equate with a breach of integrity or availability? Such questions could
be answered strictly on an empirical basis, using crime statistics. However, as discussed
in Chapter 2, such an approach depends on the existence of information that is often not
currently available. As a consequence, we rely on policy-makers and legislators to make
such an assessment as to maximum appropriate tariffs, based on somewhat opaque criteria,
531 47 USC s 223(a)(1)(C).

532 McCullagh, D, ‘Create a e-a nnoyance, go to jail’, CNet, 9 January 2006, available at <http://w ww.
cnet.com/news/create-a n-e-a nnoyance-go-to-jail/>.
533 Theft Act 1968, s 13.
158
Walden, Ian. Computer Crimes and Digital Investigations, Oxford University Press, Incorporated, 2016. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/gla/detail.action?docID=5891904.
Created from gla on 2023-09-28 14:43:40.
Computer-integrity Offences
and the judiciary to provide some reasoning in the specific case. For example, when exam-
ining a proposal to create an offence specifically targeted at DOS attacks, the All Party
Parliamentary Group felt that such activities were more akin to an act of unauthorized
access in terms of seriousness than that of modification, and hence should be subject to a
comparable tariff.534 However, determinations of seriousness may also be made subject to
the presence of aggravating circumstances, such as being part of a criminal organization,
which alters the applicable tariff whatever the form of conduct.535 As we shall see under
current UK law, access and interception are considered of lesser seriousness than interfer-
ence, ie breaches of integrity and availability rank higher in terms of harm than breaches of
confidentiality.
Before analysing the different integrity offences, access, interference, and interception, it 3.223
is necessary to examine two questions generic to all three categories of criminal activity.
First, we must consider the nature of the subject matter being protected by law, ie informa-
tion and communication technologies and the data they process; and second, the concept
of authorization in relation to our subject matter, which comprises a line that divides that
which is criminal from that which is not.
Of computers, systems, and devices

In Chapter 2, we began by defining the various technologies that comprise our subject mat- 3.224
ter, unencumbered by any legal constraint. We now need to consider precisely how such
technologies are defined in law, as the basis for our subsequent analysis. Such definitions
may, for example, betray a failure to fully understand the nature of what is being regulated,
thereby creating legal uncertainty and potential lacunae.
The CMA does not define a ‘computer’, therefore potentially extending its scope to every- 3.225
day domestic appliances, cars and any object that incorporates computer technology. It
has been argued that a narrow view of what constitutes a computer should be adopted;536
although this looks less appropriate as we enter the age of the ‘Internet of Things’, where
domestic appliances can become targets for attack.537 In 1988, the Law Commission found
general support for the view that to attempt such a definition would be ‘so complex, in an
endeavour to be all-embracing, that they are likely to produce extensive argument’;538 and
therefore recommended that ‘the word should be given its ordinary meaning’.539 Indeed,
this is the approach commonly taken in UK legislation when addressing technology.540

When the issue was subject to re-examination in 2004, by the All Party Parliamentary
Internet Group (APIG), it recommended that the Government resist any temptation to
define the term.541 The UK Government is not obliged to depart from the English law
534 Interview with Richard Clayton, specialist advisor to the APIG inquiry on ‘Revision of the Computer
Misuse Act’, 31 January 2006.

535 eg Directive 13/40/EU, above, n 159, Art 9(4).
536 See Ormerod, D and Laird, K (eds), Smith & Hogan Criminal Law, 14th edn, Oxford University Press,
2015, s 30.2.1.1.
537 eg ‘Your FRIDGE is Full of SPAM: Proof of An IoT-d riven Attack’, 16 January 2014, available at
<https://w ww.proofpoint.com/us/t hreat-insight/post/ Your-Fridge-is-Full-of-SPAM>.

538 Law Commission, Computer Misuse, Report No 186, Cm 819, London, HMSO, 1989, para 3.39.
539 ibid, para 6.23.
540 eg Copyright, Designs and Patents Act 1988, c 48, in respect of a ‘computer program’.
541 All Party Parliamentary Internet Group (APIG), ‘Revision of the Computer Misuse Act’, June 2004,
para 17, available at <https://w ww.cl.cam.ac.uk/~rnc1/A PIG-report-cma.pdf> (‘APIG Report’).
159
approach to definitions by the Convention on Cybercrime and the Directive542 and, to date,
the courts have not struggled to interpret the scope of such terms.543 A similar position has
been taken in other jurisdictions, such as France and Germany.
3.226 However, the absence of a definition does not mean that the CMA contains no implicit
treatment of the concept. In respect of modification, the Act distinguishes the legal treat-
ment of any ‘storage medium’ when in the computer and when removed.544 This clearly
implies that the mere storage of programs or data on a DVD or USB memory stick is not
sufficient to constitute a computer. Some further functionality or processing capability
would seem to be a necessary feature of a computer, which conforms both to general defini-
tions and common usage within the IT community.545 However, such an interpretation
does not match concepts of ‘processing’ in other contexts, where mere storage is sufficient
to trigger application of the law.546 In addition, a narrow perspective may create problems at
the edges of technological development. Over the years, for example, 3¼ inch floppy disks
have given way to CDs, DVDs, and USB memory sticks as a storage medium for portable
computing. However, as such devices evolve from ‘dumb’ towards ‘smart’ storage solutions,
which incorporate some processing capacity in the memory stick, we can easily envisage the
uncertainty a court may have about interpreting s 17(6), which could be aided by a defin-
ition that listed the minimum functionality required of a computer.
3.227 Numerous other countries do feel the need to define the term. In the US, for example, the
federal Computer Fraud and Abuse Act provides the following definition:
. . . an electronic, magnetic, optical, electrochemical, or other high speed data processing
device performing logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating in conjunction with such
device, but such term does not include an automated typewriter or typesetter, a portable
hand held calculator, or other similar device.547
The attempt to distinguish between storage as a function of a ‘processing device’ and storage
as a ‘facility’ does not appear to resolve the legal status of a USB stick.
3.228 The exclusions in the final part of the US definition very much reflect the period when the
provisions were first adopted, ie the early to mid 1980s. Today, nearly all typewriters and
calculators would fall within the concept of a computer, and contain no distinguishing
features that enable us to discern what would be a ‘similar device’, other than the absence of
those features defined in relation to a computer. In US v Mitra,548 the court stated that the
choice of exclusions meant that ‘other devices with embedded processors and software are
covered. As more devices come to have built-in intelligence, the effective scope of the statute
grows.’ It should also be noted, however, that US law constrains the scope of the majority
542 Directive 13/40/EU, above, n 159.

543 eg in DPP v McKeown, DPP v Jones [1997] 2 Cr App R 155, Lord Hoffmann simply notes that ‘a com-
puter is a device for storing, processing and retrieving information’.
544 CMA, s 17(6).
545 eg Encyclopaedia Britannica Online: ‘device for processing, storing, and displaying information’. See
also ISO, ‘Information Technology—Cloud Computing—O verview and vocabulary, which refers to ‘pro-
cessing, storage or networking resources’, Draft International Standard, ISO/IEC 17788: 2013(E), available
at <http://infostore.saiglobal.com/store/PreviewDoc.aspx?saleItemID=2670417>.
546 eg DPA 1998, s 1(1), defining ‘processing’.
547 18 USC s 1030(e)(1).
548 405 F 3d 492 (7th Cir 2005).
160
of offences under s 1030 to cases involving a ‘protected computer’, which is due in part to
the federal nature of the US legal system, but also reflects a specific policy concern with the
vulnerability of computers used by the US Government and financial institutions.549 The
Singapore Computer Misuse and Cybersecurity Act adopts a virtually identical definition
of ‘computer’ to that found in US federal law, except that it provides that a ‘similar device’
is that which is either ‘non programmable or which does not contain any data storage facil-
ity’,550 which implies that mere storage would not be sufficient to be a computer.
The Council of Europe Convention of Cybercrime utilizes the following definition for a 3.229
‘computer system’:
any device or a group of inter-connected or related devices, one or more of which, pursuant
to a program, performs automatic processing of data.551
While refreshingly brief compared with the US definition, substantial clarification is pro-
vided in the Explanatory Report.552 It states that parties are not ‘obliged to copy verbatim
into their domestic laws the four concepts defined in Article 1, provided that these laws
cover such concepts in a manner consistent with the principles of the Convention and offer
an equivalent framework for its implementation’.553 In 2006, the Cybercrime Convention
Committee (T-C Y) issued a Guidance Note on the term, confirming that the common
understanding of the parties to the Convention on Cybercrime is that it extends beyond
traditional notions of the mainframe and desktop computer to include smart phones, tab-
lets, and other developing technologies.554
The EU Directive uses a different term, ‘information system’, although with a broadly simi- 3.230
lar definition to that of the Convention:
a device or group of interconnected or related devices, one or more of which, pursuant to a
programme, automatically processes computer data, as well as computer data stored, pro-
cessed, retrieved or transmitted by that device or group of devices for the purposes of its or
their operation, use, protection and maintenance.555
Echoing the Convention, the Directive distinguishes between an ‘information system’ and
‘computer data’, the former acting upon the latter, referred to as ‘processing’. An attempt
is made to draw a bright line between the two concepts, although such an approach would
seem to be based on a fundamental difficulty.
A computer or information system comprises ‘devices’, a term not further defined in the 3.231
Directive, although the commentary to the draft 2005 Framework Decision stated that the
549 18 USC s 1030(e)(2).

550 Singapore’s Computer Misuse and Cybersecurity Act (Chapter 50A), s 2(1)(c). Subsection (d) also
grants the Minister the power to designate other devices.
551 Convention on Cybercrime, Art 1(a). The Commonwealth Model Law on Computer and Computer
Related Crime, LMM(02)17, October 2002, Art 3 adopts a virtually identical definition.
552 Explanatory Report to the Convention on Cybercrime, above, n 1, paras 23–4.
553 ibid, para 22.
554 Cybercrime Convention Committee (T- C Y), ‘On the notion of “computer system”—A rticle 1.a
Budapest Convention on Cybercrime’, Guidance Note No 1, T-C Y(2012) 21, 5 December 2012, avail-
able at <https://w ww.coe.int/t/dghl/cooperation/economiccrime/Source/Cybercrime/TCY/TCY2012/T-
CY%282012%2921E_g uidanceNote1_a rticle1_final.pdf>.
555 Directive 13/40/EU, above, n 159, Art 2(a).
161
term ‘covers both the hardware and the software of the system’,556 and the Convention’s
Explanatory Report provides that a device consists of ‘hardware or software developed for
automatic processing of digital data’.557 These devices process data ‘pursuant to a program’.
The Explanatory Report conceives a ‘program’ as being a ‘set of instructions that can be
executed by the computer’, which would seem to equate to software, given its ordinary
meaning. Thus, a device may be software, which then acts pursuant to software to process
data. Presumably a distinction being made is between operating systems, such as Windows,
and applications, such as Word and PowerPoint. The former operates to enable a ‘group of
inter-connected or related devices’ to execute instructions upon the data, while the latter
interpret and present the data so manipulated.
3.232 However, such a distinction would seem to raise further problems. First, a single program
may contain both an operating system and various applications.558 Second, the program
may take the form of data input into the computer or may be physically hardwired into a
device within the computer, such as a ROM, generally referred to as ‘firmware’. However,
‘computer data’ is defined to include a ‘program’:
means any representation of facts, information or concepts in a form suitable for process-
ing in an information system, including a programme suitable for causing an information
system to perform a function.559
While this would seem semantically correct, it creates definitional uncertainty in respect of
the nature of ‘firmware’ programs, whether as a device comprising part of the ‘information
system’ or as a form of ‘computer data’. A third problem is that the term ‘device’ is also used
by the Convention in a different context, external to the computer, as a tool that is capable of
enabling acts of unauthorized access and interference to be carried out. This latter concept
is examined further below.560
3.233 However, do these definitional uncertainties create a problem of law and, if so, how could
the problem be resolved? The potential problem would seem to be that both the Convention
on Cybercrime and the Directive 13/40/EU create an offence in respect of accessing an
information system, but not the data held on it, as well as creating separate offences of
system and data interference. In the former case, the offence occurs when ‘the whole or any
part’ of the system is accessed, which means that the unauthorized use of a program may
or may not constitute an offence, depending on whether it is viewed as part of the system
or the data. In the latter case, where the offences are viewed as being of different levels of
seriousness,561 and therefore attracting different penalties, a determination of software as
system or data could again be critical. An example of the latter can be found in an ex parte
temporary restraining order obtained by Microsoft in June 2014. In it, Microsoft made the
following statement:
556 Proposal for a Council Framework Decision on attacks against information systems, OJ 203 E/109,
27.8.2002, at Art. 2(d).

557 Explanatory Report to the Convention on Cybercrime, above, n 1, para 23.
558 In the Commission’s anti-t rust action against Microsoft, this was seen as ‘tying’. See Commission
adopted Decision 2007/53/EC against Microsoft Corp, Case COMP/C -3.37.792—Microsoft, OJ L 32/
23, 2007.
559 Directive 13/40/EU, above, n 159, Art 2(d).
560 See paras 3.336–3.350 for a discussion of unlawful devices.
561 The Convention on Cybercrime, eg permits signatories to only criminalize data interference resulting
in ‘serious harm’ (Art 4(2)).
162
The installation of malware by deceiving consumers and without Microsoft’s authoriza-

tion is an intrusion into the Microsoft Windows operating system (which is licensed to
Microsoft’s customers), without Microsoft’s authorization.562
The court granted the order, although the dispute was eventually settled.563 However, it illus-
trates the potential for such criminal statutes to be interpreted broadly by IP rights-holders.
In terms of addressing the problem, the issue would seem to be that of the perception of 3.234
computers as distinct physical, singular objects, separate from the data which they pro-
cess, rather than as virtual machines, integrating hardware, firmware, software, and data
in an effectively indistinguishable manner. The criminal law should be able to protect the
confidentiality, integrity and availability of these virtual machines without the need to dis-
tinguish the component elements. Unauthorized access to, or interference with, the whole
or part of this virtual machine is the mischief being addressed, and differential treatment
can be addressed on the basis of the nature of the act carried out, harm suffered, and/or
culpability of the perpetrator, not some uncertain and unsustainable technical distinction.
Of authorization, right, and lawful excuses

Central to the legislative response to activities threatening the integrity of computers, net- 3.235
works, and the information they process has been the issue of determining whether a person
has the right to do the thing that they do, primarily in terms of access, use, modifica-
tion, interference, or interception. Under common law jurisdictions, the pertinent term is
‘authorization’564 or ‘without lawful excuse or justification’,565 while European legal instru-
ments refer to a ‘right’.566 Since the absence of such ‘authorization’, ‘excuse’, or ‘right’ triggers
exposure to criminal liability, we must carefully examine the nature and appropriateness of
these concepts, before considering the integrity offences arising from them.
Determination of authorization in respect of a computer or network resource generally 3.236
resides with the person that controls the resource (the ‘controller’), the right to control
being distinguished from legal ownership. The granularity of authorization in respect of a
particular resource can vary from obtaining access to the computer to detailed rules govern-
ing the use of particular resources available on, or from, the computer once initial access
has been obtained. This freedom of the controller to determine levels of authorization has
led to concerns being expressed about the over-criminalization of users’ activities in cyber-
space, where legal statements are routinely ignored.567 A leading example of this potential
problem arose in US v Drew,568 which involved the defendant establishing a fake profile on
the social media service MySpace in order to cause harm to a thirteen-year-old classmate
of her daughter. As a result of the actions of the defendant and others, the child ended
562 Microsoft Corporation v Naser Al Mutari and others, US District Court in Nevada, Case No 2:14-c v-
00987-GMN-GWF, 19 June 2014, para 58.

563 See Goguen, N, ‘Update: Details on Microsoft takeover’, no-ip, 10 July 2014, available at <http://
www.noip.com/blog/2014/07/10/microsoft-takedown-details-updates/>.
564 eg the UK, US, Australia, and New Zealand. Some civil law countries, such as Belgium, also use
this term.
565 eg Commonwealth ‘Model Computer and Computer-related Crimes Bill’.
566 ie Directive 13/40/EU, above, n 159, and Convention on Cybercrime.
567 Kerr, O, ‘Cybercrime’s scope: interpreting “access” and “authorization” in computer misuse statutes’,
78(5) New York University Law Review 1596 (2003).

568 US v Drew, 259 FRD 449 (CD Cal 2009).
163
up committing suicide. The defendant was prosecuted under the Computer Fraud and
Abuse Act (CFAA)569 on the basis that her acts were an intentional breach of the terms of
service (TOS) applicable to the site, which therefore rendered her conduct either unauthor-
ized or exceeding her authorization. She was found guilty by the jury on this basis, but
appealed. On appeal, the court struck down the verdict on the grounds that by enabling
criminal liability to turn on a website’s TOS, the CFAA contravened the US doctrine of
‘void-for-vagueness’, one element of which concerns whether ordinary people would under-
stand that such conduct is subject to criminal prohibition, as well as the clarity of the TOS
themselves.570
3.237 English law would also generally curtail any attempt to overly restrict authorization
through statements by imposing obligations upon the relying party, primarily in respect of
transparency and practice. When considering the applicability of a legal notice, a court will
have regard to the adequacy of the steps taken by the relying person to bring the terms of
the notice to the attention of those against whom it is being asserted; an obligation to com-
municate. Second, consideration will be given to the actual practice of the relying party,
especially where such practice differs from the terms of the notice. Therefore, while the
controller retains the freedom to set the terms of authorization, in the event of dispute, such
terms will likely be subjected to an objective assessment by the court.
3.238 In the course of a court’s objective assessment of the controller’s authorization policy; the
prosecution will also be required to show that the perpetrator had the subjective knowledge
that his actions were without, or exceeded, the terms of any authorization policy in relation
to the resource. Indeed, if the latter mens rea can be shown then there may not be any need
to evidence the controller’s authorization policy at all. The extent to which the question of
authorization will need to be addressed from the controller’s perspective would, in a trad-
itional computing environment, often correlate with the status of the perpetrator vis-à-vis
the controller. Where the perpetrator operates from within the controller’s organization,
such as an employee, greater attention will likely need to be given to the specificity of the
controller’s authorization policy,571 while for external persons, the absence of authorization
would often be assumed. Two problem areas are likely to be where a person operates on the
periphery of the controller’s organization, such as an independent contractor, and where
systems are designed to interact with external persons.
3.239 In a cyberspace environment, this second problem arises from the nature of the interac-
tions taking place. Two cases illustrate this point: Lennon572 and Cuthbert.573 The first case
concerns a DOS attack. The perpetrator admitted sending millions of email messages, but
successfully argued at first instance that, as each message was of a kind that the recipient
machine was designed to receive and respond to, and was therefore authorized, this ren-
dered the totality of messages sent authorized. Here the manner in which the machine was
569 ie 18 USC ss 1030(a)(2)(C) and 1030(b)(2)(A).

570 The court noted that virtually all previous CFAA decisions based on terms of service were civil actions
under 18 USC s 1030(g).
571 Compare, eg, two employment cases involving computer misuse: Denco v Joinson [1991] 1 WLR
330 and British Telecommunications plc v Rodrigues (1995) Employment Appeal Tribunal, EAT/854/92, 20
February 1995.
572 Lennon [2005] ECLR 5(5), 3.
573 Cuthbert (Daniel), Horseferry Road Magistrates’ Court, 6 October 2005, unreported.
164
set up, essentially the authorization policy as coded, was initially considered fatal to the
prosecution, irrelevant of the perpetrator’s mens rea.574
In Cuthbert, the accused, known as the ‘Tsunami hacker’, tried to access the non-public parts 3.240
of the web server via the directory structure by entering a URL with a string of /../../, referred
to as a ‘directory traversal’ attack.575 While such practices may be common among users try-
ing to locate information on a website, which must be considered to be implicitly authorized,
such practices become criminal when the perpetrator has the necessary mens rea.
A third example is P2P networks, where the user effectively opens a part of his system (eg 3.241
‘My Shared Folder’ with KaZaA) to anyone else connected to the network. In all three
situations, the nature of the interaction between person and computer or computer and
computer blur traditional conceptions of authorization.
In some jurisdictions, specific obligations have been placed upon controllers concerning the 3.242
manner in which they operate their systems, as a means of encouraging good security prac-
tices, as well as limiting criminal liability. In Germany, for example, data must be ‘specially
protected’ against unauthorized access.576 A similar provision existed under Norwegian
law, with liability arising where any person obtains access ‘by breaking a protective device
or in a similar manner’.577 This resulted in the Supreme Court finding that simply ‘prob-
ing computers connected to the Internet for the purpose of disclosing the lack of security
measures was not illegal’.578 A failure by a controller to implement such measures would
undermine the prosecution’s ability to characterize any unauthorized access as criminal.
The Council of Europe Convention on Cybercrime provides that a party ‘may require that
the offence be committed by infringing security measures’,579 as an optional qualifying
element for commission of the offence. In the EU, such a qualification was optional under
the EU Framework Decision,580 but has become mandatory under the Directive.581 The
Commission’s original proposal did not contain the need to infringe a security measure and
indeed specifically warned against ‘the introduction of additional constitutive elements’;582
however, the European Parliament, on the initiative of Jan Albrecht MEP representing the
Greens/European Free Alliance, disagreed and inserted the qualification.583 In particular,
574 For a fuller discussion of the legal issues raised by DOS attacks, see paras 3.294–3.303.
575 Sommer, P, ‘Computer misuse prosecutions’, 16(5) Computers and Law (2006), available at <http://
www.scl.org/site.aspx?i=ed832>.
576 StGB, Art 202a. See also Brazil’s Código Penal, Art 154-A (‘by means of undue violation of a security
mechanism’) and Japan’s Unauthorized Computer Access Law, Art 3(2)(1) (‘restricted by an access control
function’).
577 Norwegian General Civil Penal Code, s 145. The provision was enacted in 1987, but was amended in
April 2005 and now reads: ‘Any person who unlawfully opens a letter or other closed document or in a similar
manner gains access to its contents, or who breaks into another person's locked repository’. See also Criminal
Code of Finland, s 8(1) (‘breaking a protection’).
578 Case No 83 B, RT-1998-1971, 15 December 1998.
579 Convention on Cybercrime, Art 2.
580 Council Framework Decision on attacks against information systems, OJ L 69/67, 16 March 2005,
Art 2(2) ‘(Framework Decision’).

581 Directive 13/40/EU, above, n 159, Art 3.
582 European Commission, ‘Proposal for a Directive on attacks against information systems and repeal-
ing Council Framework Decision 2005/222/JHA’, COM(2010) 517 final, 30 September 2010, at 7.
583 See Committee on Civil Liberties, Justice and Home Affairs (Rapporteur M Hohlmeier), Report on
the proposal for a directive of the European Parliament and of the Council on attacks against information
systems and repealing Council Framework Decision 2005/222/JHA’, A7-0224/2013, 19 June 2013.
165
there was a concern that employees using their work computers for ‘unauthorised’ private
purposes may be exposed to criminal liability.584
3.243 During passage of the Computer Misuse Bill in the UK, an attempt was made to add a
provision whereby hackers would be able to offer a defence if computer users had not imple-
mented security measures:
For the purposes of this section, it shall be a defence to prove that such care as was in all the
circumstances reasonably required to prevent the access or intended access in question was
not taken.585
The imposition of a ‘security measure’ threshold would seem likely to generate greater legal
uncertainty, however, were a court required to make an assessment of the appropriateness
or reasonableness of any security measure, as well as providing defence counsel with plenty
of scope to challenge prosecutors and raise doubts in the minds of the jury. While the pro-
posed amendment was rejected, the issue of the existence of security measures would seem
implicitly relevant in the context of establishing whether an access was ‘unauthorized’.586
Commentators continue to argue the case that criminal liability for unauthorized access
should only be triggered when it involves the ‘circumvention of code-based restrictions’.587
While Directive 13/14/EU states in its recitals that ‘contractual obligations or agreements
to restrict access to information systems by way of a user policy or terms of service’ should
not be the sole basis for criminal proceedings for unauthorized access.588
3.244 When computer misuse statutes were first proposed, during the 1980s, prior to the Internet,
comparisons were made with seemingly analogous concepts from the traditional criminal
code: the act of trespass with unauthorized access; criminal damage with unauthorized
interference. These comparisons have coloured the subsequent debate about the question of
authorization, particularly the law of trespass. Indeed, trespass is used as a descriptive term
for unauthorized access in the literature, as in ‘cybertrespass’;589 is used in statutory provi-
sions,590 and has been argued as a basis for legal action in cybercrime cases in the US.591
Entering an open house may be unlawful, but will not be criminal unless the trespasser has
been adequately warned; therefore, the argument runs, an unsecured computer is akin to an
open house. However appealing the analogy, it should also be borne in mind that computer
crime statutes were adopted as a response to the failure of property-based solutions, such
as trespass, to address the types of misuse being carried out against computer systems.592
584 See Directive 13/40/EU, above, n 159, recital 17. Also an email from Ralf Bendrath, Senior Policy
Advisor to Jan Albrecht, received on 7 July 2015.

585 Amendment proposed by Harry Cohen MP, at Standing Committee C, ‘Computer Misuse Bill’ HC
(1989-90) col 15 (14 March 1990).

586 The APIG Report, above, n 541, paras 41– 8, also examined the issue, but rejected any statutory
provision.
587 Kerr, above, n 567, at 1600.
588 Directive 13/40/EU, above, n 159, recital 17.
589 See Wall, DS, ‘Policing the Internet: Maintaining order and law on the cyberbeat’, in Walker, C, and
Wall, D (eds), The Internet, Law and Society, Longman, 2000, Chapter 7, at 157.
590 eg Brazil Código Penal, Art 154-A ‘Trespass of a computer-related device’.
591 Intel Corp v Hamidi, 71 P 3d 296 (Cal 2003), where a claim was pursued under the tort of trespass to
chattels in respect of unwanted emails. The claim was unsuccessful.

592 Kerr, above, n 567, at 1602 et seq.
166
The question of authorization under interception laws is more complex than that for access 3.245
and interference, involving three different dimensions. First, there is the authority of the
person controlling the network.593 This dimension is most similar in nature to that for the
other integrity offences. Second, there is the authority or consent of the communicating
parties, those utilizing the network. It is the protection of the privacy of these users that
is the primary objective of interception laws. Finally, as an investigative tool, there is the
authorization required to legitimize, in terms of vires, the conduct of public law enforce-
ment agencies when engaged in an act of interception.594
An issue that intersects and overlaps the boundary that must exist between authorized 3.246
and unauthorized is the distinction between public and private space. Indeed, many of the
problems discerning authorization in cyberspace arise, in part, from the manner in which
the Internet challenges and disrupts traditional concepts of public and private spheres.
The popular conception of the Internet is as the World Wide Web, a particular service
available over the ‘network of networks’, which in large part operates as a public space,
governed by implied authorizations underpinning the availability and exchange of infor-
mation.595 Concurrently, public consciousness of the Internet has often involved a percep-
tion of anonymity, an environment of private relationships and space, unmonitored and
unencumbered by state oversight. Taken together, these notions may challenge reliance on
authorization in integrity offences.
Under the CMA, access is considered to be unauthorized access if: 3.247
(a) he is not himself entitled to control access of the kind in question to the program or
data; and
(b) he does not have consent to access by him of the kind in question to the program or data
from any person who is so entitled;
but this subsection is subject to section 10.596
Where the accused is external to the victim’s organization, showing knowledge of an
absence of entitlement or consent is not generally an issue, subject to the scenarios dis-
cussed above. However, where the accused is an employee of the organization, the burden
is upon the prosecution to show that the accused knew that ‘access of the kind in question’
was unauthorized, rather than a misuse of express or implied rights of access, for example
an accounts clerk entering false expenses claims. As noted by the Law Commission:
An employee should only be guilty of an offence if his employer has clearly defined the limits
of the employee’s authority to access a program or data.597
US federal law does not criminalize mere unauthorized access, akin to the s 1 offence, such 3.248
access has to be linked to some further purpose, such as obtaining national security infor-
mation or financial records.598 Also in contrast to the UK, US federal law expressly addresses
two distinct scenarios in respect of authorization: ‘knowingly accessed a computer without
593 See further paras 3.328–3.331.

594 See further paras 4.167–4.178.
595 Reed, C, Internet Law: Text and Materials, 2nd edn, Cambridge University Press, 2004, at 66 et seq.
596 CMA, s 17(5).
597 Report No 186, above, n 538, para 3.37.
598 18 USC s 1030 ‘Fraud and related activity in connection with computers’.
167
authorization or exceeding authorized access’.599 The latter term is intended to cover ‘insid-
ers’, such as employees,600 and is defined in the following terms:
means to access a computer with authorization and to use such access to obtain or alter infor-
mation in the computer that the accesser is not entitled so to obtain or alter.601
3.249 There have been conflicting decisions, however, as to when the entitlement threshold is
reached in the case of departing employees. In International Airport Centers LLC v Citrin,602 a
departing employee installed a program on his employer-owned laptop and securely deleted
all the company’s proprietary data. The court held that Citrin lost his entitlement as an
agent of the company the moment he breached his duty of loyalty as an employee. This sets
a very low threshold, placing the onus primarily on the employee to act appropriately, rather
than upon the employer to clearly set out those acts which are permitted and those that are
not. In Lockheed Martin Corporation v Speed603 such a broad approach was explicitly rejected
by the court. The case concerned the copying on to various data media of Lockheed’s pro-
prietary information by three departing employees prior to joining a competitor. The court
considered that the ‘breach of loyalty’ test effectively places an employee in a position of
being ‘without authorization’, rather than that of exceeding such authorization. This latter
reading would seem more logical and principled in terms of creating a meaningful distinc-
tion between the two concepts, ‘without’ and ‘exceeding’, but will require approval from a
higher court and in the context of criminal rather than civil proceedings.
3.250 The interpretation of ‘authorization’ under the CMA in an employment context was first
considered in detail in DPP v Bignell.604 The case concerned two serving police officers
who had accessed the Police National Computer (PNC), via an operator, for personal
purposes. They were charged with offences under s 1 of the CMA and convicted in the
Magistrates’ Court. They successfully appealed to the Crown Court against their con-
viction, and this decision was the subject of a further appeal before the Divisional Court,
which was dismissed.
3.251 The central issue addressed to the court was whether a person authorized to access a com-
puter system for a particular purpose (eg policing) can commit a s 1 offence by using such
authorized access for an unauthorized purpose (eg personal). The Crown Court asserted
that the CMA was primarily concerned ‘to protect the integrity of computer systems rather
than the integrity of the information stored on the computers …’, therefore such unauthor-
ized usage was not caught by the Act. The Divisional Court upheld this view. First, Justice
Astill stated that the phrase in s 17(5)(a): ‘access of the kind in question’ was referring to
the types of access detailed in s 17(2): alteration, erasure, copying, moving, using, and
599 ibid, s 1030(a)(1). Similarly, under Belgian law a separate offence exists where a person ‘exceeds his
power of access to a computer system’ (Art 6(2)).

600 eg EF Cultural Travel BV v Explorica, Inc, 274 F 3d 577 (1st Cir 2001), at 583–8 4.
601 18 USC s 1030(e)(6).
602 440 F3d 418 (7th Cir 2006). Following an earlier decision in Shurgard Storage Centers, Inc v Selfguard
Self Storage, Inc, 119 F Supp 2d 1121 (WD Wash 2000).

603 2006 US Dist LEXIS 53108, 1 August 2006.
604 [1998] 1 Cr App R. In an earlier case, Bennett, unreported, Bow Street Magistrates’ Court, 10 October
1991, a police superintendent pleaded guilty to a s 1 offence, after checking the PNC to discover who his
former wife was now seeing.
168
obtaining output. Second, the phrase ‘control access’ was referring to the authority granted
to the police officers to access the PNC. He concluded that this did not create a lacuna in
the law as the then Data Protection Act 1984 contained appropriate offences in relation to
the use of personal data for unauthorized purposes.605
A near identical scenario to Bignell has been considered before a US state court, with a simi- 3.252
lar result. In State v Olson,606 the officer was convicted of computer trespass for accessing
a police computer database in order to find car licence plate details for female students at
the local college. His initial conviction was overturned on appeal after the court concluded
that while ‘certain uses of retrieved data were against departmental policy, [the record] did
not show that permission to access the computer was conditioned on the uses made of the
data’.607 Here, the concept of access is strictly distinguished from what may be done once
access has been gained, although in this case the court had no statutory definition to assist
them. In New Zealand, the relevant provision expressly states that an offence of unauthor-
ized access is not committed when ‘a person who is authorized to access a computer system
accesses that computer system for a purpose other than the one for which that person was
given access’,608 although other provisions may be relevant.609
The Bignell decision attracted significant criticism and, as with Sean Cropp, was seen as 3.253
significantly limiting the scope of the Act.610 However, key aspects of the decision were re-
examined by the House of Lords in Allison.611 The case concerned an extradition request by
the US Government of an individual accused in a fraud involving an employee of American
Express, who was able to use her access to the computer system to obtain personal identifi-
cation numbers to encode forged credit cards. As in Bignell, defence counsel argued that a s
1 offence had not been committed since the employee was authorized to access the relevant
computer system. The House of Lords, while agreeing with the decision in Bignell, rejected
the subsequent interpretation of s 17(5) made by Justice Astill.612
On the first issue, ‘access of the kind in question’, Lord Hobhouse stated that this phrase 3.254
simply meant that the authority granted under s 17(5) may be limited to certain types of
programs or data, and is not referring to the kinds of access detailed in s 17(2). Evidence
showed that the employee at American Express accessed data in accounts for which she was
not authorized, therefore the access she obtained was ‘unauthorized access’. Second, ‘con-
trol access’ did not refer to the individual authorized to access the system, but the organiza-
tional authority granting authority to the individual. In the Bignell case, it was the Police
Commissioner who exercised such control and, through employee manuals, specified that
access was for police purposes only. As a result of the decision in Allison, a subsequent case
605 Data Protection Act 1984, s 5(6). This has been replaced by an offence of unlawful obtaining under
the DPA 1998, s 55 (see paras 3.35–3.38). See also Rooney [2006] EWCA Crim 1841, where an employee of
the Staffordshire Police accessed the PNC for personal reasons.
606 735 P 2d 1362 (Wash Ct App 1987).
607 ibid, at 1365 (emphasis added).
608 Crimes Act 1961, s 252(2).
609 eg accessing a computer to dishonestly obtain a pecuniary benefit (ibid, s 249).
610 eg Bainbridge, D, ‘Cannot employees also be hackers?’, 13(5) Computer Law and Security Report 352
(1997); and Spink, P, ‘Misuse of Police Computers’, 42 Juridical Review 219 (1997).
611 Bow Street Magistrate and Allison (AP), ex parte US Government (HL(E)) [1999] 4 All ER 1.
612 This interpretation had been followed by the Divisional Court from which the appeal had been
made: see R v Bow Street Magistrates’ Court, ex parte Allison [1999] QB 847.
169
of misuse of the PNC by a police officer did result in a successful conviction for unauthor-
ized access.613
3.255 While the decision in Allison clarifies the interpretation of ‘control’ under s 17(5), the court’s
acceptance of Bignell would seem to perpetuate the uncertain jurisprudence under the
CMA. First, Lord Hobhouse stresses the point that in Bignell ‘the computer operator did
not exceed his authority’ and therefore did not commit an offence (at 627G). This would
seem irrelevant to the question of whether the Bignells were committing a s 1 offence,
since the operator is simply an innocent agent614 and does not break the chain of causation
between the Bignells’ request and the ‘unauthorized access’. Second, Lord Hobhouse recog-
nizes that the concept of authorization needs to be refined, as ‘authority to secure access of
the kind in question’, and the example given is where access ‘to view data may not extend to
authority to copy or alter that data’ (at 626F–G). On this reasoning, it seems incongruous
that the court should hold, by implication, that authority to view the data may not also be
limited to particular circumstances. The Bignells knew that they were only authorized to
access the PNC for policing purposes and knowingly misrepresented the purpose for their
request.
3.256 The ‘without right’ concept used in the Convention and Directive appears to reflect a fun-
damental difference between a common law approach, whereby that which is not speci-
fied is lawful, and a civil law approach, in which that which is specified is lawful. The
Explanatory Report to the Convention suggests that ‘without right’ can either refer to
conduct ‘undertaken without authority’, such authority being derived from a multipli-
city of sources including legislation and consent; or conduct not covered by ‘established
legal defences, excuses, justifications or relevant principles under domestic law’.615 For our
purposes, the former shall be referred to as ‘positive’ authority and the latter as ‘negative’
authority. The drafters were particularly keen to ensure that the conduct of law enforcement
agencies when investigating a cybercrime was not affected by these new offences.616
3.257 Law enforcement officers may require ‘positive’ authority to engage in certain forms of inves-
tigative conduct, such as interception,617 but will also require ‘negative’ lawful authority
in terms of a defence against commission of any integrity offences. Addressing the latter
aspect of law enforcement conduct under the CMA has proved complicated and has evolved
over time. In the original statute, a saving provision was inserted in respect of the offence
of unauthorized access, rendering it inapplicable where officers were exercising powers of

inspection, search and seizure.618 However, where an officer was not exercising such pow-
ers, then potential exposure to liability remained. Indeed, certain websites began specific-
ally stating that law enforcement officers were not authorized to access the site, which was
designed to exploit this lacuna. To address this, the saving provision was amended in 1994
to state:
613 Begley, Coventry Magistrates’ Court, referenced by Turner, MJL, ‘Computer Misuse Act 1990 cases’,
available at <http://w ww.computerevidence.co.uk/Cases/CMA.htm>. See also a related appeal for judicial

review of her dismissal for misconduct, R (on the application of Begley) v Chief Constable of the West Midlands
[2001] EWCA Civ 1571.
614 eg R v Manley (1844) 1 Cox 104.
615 Explanatory Report to the Convention on Cybercrime, above, n 1, at para 38.
616 ibid.
617 See further Chapters 4 and 5.
618 CMA, s 10 (as of 1990).
170
. . . nothing designed to indicate a withholding of consent to access to any program or data

from persons as enforcement officers shall have effect to make access unauthorised for the
purposes of the said section 1(1).619
More recently, further amendment has been made to the saving provision, extending both
its scope to encompass all of the integrity offences under the CMA, thereby providing a
defence for more proactive policing conduct,620 as well as the relevant powers that may
authorize such conduct.621
There would also seem to be a particular problem with the ‘without right’ concept as 3.258
detailed in the EU Directive. In the Convention, entitlement to control refers to the system
as a whole as well as the kind of access being granted. In the Directive, however, entitlement
extends beyond the owner of the system to any ‘another right-holder of the system or of part
of it’.622 The scope of this depends, in part, on the distinction between system and data, as
discussed above. To what extent is data ‘part’ of the system? If data is part of a system, then
a work protected by intellectual property laws (eg copyright, design right, chip protection)
that is being used without the authorization of the right-holder would potentially give rise
to the offence. Such criminalization of IP infringement through the back door of computer-
integrity offences can surely not have been the intention of the drafters.
The phrase used in the Commonwealth Model Law, ‘without lawful excuse or justifica- 3.259
tion’, also appears to be a problematic formulation. It is not further defined in the text of
the Model Law. However, the phrase ‘without lawful excuse’ does appear in English law in
respect of criminal damage, with two types of excuse being detailed: where there is a belief
that consent does, or would, exist; or where it is considered necessary in order to protect
property.623 The question of belief is subjective, not concerned with whether the belief is
either justified or reasonable.624 Defence counsel could be expected to argue, for example,
that the justification for the perpetrator’s actions was to expose the frailties of the secur-
ity measures in place. This was in fact argued in Grey:625 ‘Your claimed motivation was to
expose and publicize the fact that the e-commerce retailers were not security conscious
…’ One can imagine such ‘justifications’ having a strong ‘Robin Hood’ appeal to juries!
Although ‘consent’ shares a common thread with the ‘authorization’ approach, the word-
ing is couched in the style of a defence, rather than the requirement to show ‘knowledge’ in
respect of authorization. This latter requirement can be viewed as a positive characteristic,
since it is likely to reduce the scope of criminal law in respect of computer-integrity offences.
619 Inserted by the Criminal Justice and Public Order Act 1994, s 162(1). An ‘enforcement officer’ is
defined as:
a constable or other person charged with the duty of investigating offences; and withholding con-
sent from a person ‘as’ an enforcement officer of any description includes the operation, by the
person entitled to control access, of rules whereby enforcement officers of that description are, as
such, disqualified from membership of a class of persons who are authorised to have access.
620 See further paras 2.267 and 4.68 et seq.
621 CMA, s 10 (as of 2015, see Appendix I). The amendment was made by the Serious Crime Act 2015,
s 44(2).
622 Directive 13/40/EU, above, n 159, Art 1(d).
623 Criminal Damage Act 1971, s 5(2).
624 ibid, s 5(3).
625 [2001] Swansea Crown Court, 6 July 2001, para 4C.
171
Unauthorized access
3.260 Obtaining unauthorized access into a person’s system, also popularly referred to as ‘hack-
ing’ or ‘cybertrespass’, may be carried out simply for the challenge of doing it, or may be the
preliminary step to compromising the system and the information held on it. Access takes
the perpetrator from the public domain into the private realm, a space sometimes subject to
criminal law protections. Indeed, there has been much discussion about whether it is appro-
priate to use the criminal law against mere unauthorized access, since the most commonly
used physical world analogy is that of trespass, a primarily civil area of law.626 During the
debates on the CMA, a decisive factor distinguishing access from trespass was perceived to
be the cost to a system owner from the breach of confidentiality and integrity, and the con-
sequential remedial work required.627
3.261 Under the CMA, s 1 establishes the basic offence of unauthorized access. Commission of
the offence requires the actus reus of causing ‘a computer to perform any function’. Some
form of interaction with the computer is required, but actual access does not need to be
achieved. This broad formulation means that simply turning on a computer could consti-
tute the necessary act, while stealing a computer with the intention of simply selling it on
would be unlikely to constitute a s 1 offence.
3.262 Access is not defined in terms of the computer itself, but the information, as ‘program’ or
‘data’, held in the computer. Section 17(2) broadly defines ‘function’ to include alterations
or erasure, copying, or moving data, using it or producing output, such as displaying it on a
screen. As such, ‘function’ is akin to the concept of ‘processing’ under the Data Protection
Act 1998.628 The concept of access has been equated with the process of acquiring informa-
tion,629 although access is broader than that of acquisition, since a person may use informa-
tion, such as a program, without acquiring it in any meaningful sense.
3.263 The mens rea of the s 1 offence comprises two elements. First, there must be ‘intent to secure
access to any program or data held in any computer’. This was subject to amendment in
2006 to encompass also acts which ‘enable any such access’630 which criminalizes those
that go beyond the mere provision of ‘hacking’ tools to others, an offence under s 3A, and
interfere, directly or indirectly, with the target computer, such as disabling an access con-
trol mechanism without then attempting to penetrate the system to access programs or
data, but leaving it for other persons, or for entry at some later date.631 Second, the person
must know at the time that he commits the actus reus that the access he intends to secure is
unauthorized. The intent does not have to be directed at any particular program, data, or
computer (CMA, s 1(2)). The offence is also not concerned with any ulterior motivation that
626 However, the Criminal Justice and Public Order Act 1994, Pt V, created a number of new offences in
respect of various forms of trespass considered to threaten public order, such as aggravated trespass (s 68).
In addition, the Serious Organised Crime and Police Act 2005 established an offence of ‘trespassing on
designated site’ (s 128).
627 See comments from Mr Douglas Hogg, Minister for Industry, during the debate on the Second
Reading of the Computer Misuse Bill, Hansard (Commons), Col 1181, 9 February 1990.
628 DPA 1998, s 1(1).
629 Christie, AL, ‘Should the law of theft extend to information?’, 69(4) The Journal of Criminal Law 350
(2005).
630 CMA s 1(1)(a), as inserted by the Police and Justice Act 2006 (PJA), s 35(2).
631 See statement of Lord Bassam, Home Officer Minister, Lords Hansard, 11 July 2006, Col 604.
172
a defendant may have for obtaining access, whether nefarious or otherwise. Any such ‘third’
intent would be relevant to the s 2 offence discussed below.
The first prosecution under the new Act addressed the nature of the actus reus under s 1. In 3.264
R v Sean Cropp (Snaresbrook Crown Court, 4 July 1991), the defendant returned to the
premises of his former employer to purchase certain equipment. At some point when the
sales assistant was not looking, the defendant was alleged to have keyed in certain com-
mands to the computerized till granting himself a substantial discount. During the trial,
the judge accepted the submission of defence counsel that s 1(1)(a) required ‘that a second
computer must be involved’. He believed that if Parliament had intended the offence to
extend to situations where unauthorized access took place on a single machine, then s 1(1)
(a) would have been drafted as ‘causing a computer to perform any function with intent to
secure access to any program or data held in that or any other computer’.
Such an interpretation would have seriously limited the scope of the Act, especially since 3.265
the majority of instances of hacking are those carried out within organizations.632 The crit-
ical nature of this distinction led the Attorney-General to take the procedure of referring
the decision on a point of law to the Court of Appeal.633 The Court of Appeal subsequently
rejected the lower court’s interpretation, stating that the ‘plain and natural meaning is
clear’.634 It is interesting to note, however, that the Council of Europe Convention offence
of ‘illegal access’ does permit Member States to limit the offence to ‘exclude the situation
where a person physically accesses a stand-a lone computer without any use of another com-
puter system’.635 This is the position adopted under Japanese law.636
In Farquharson, the defendant was prosecuted for obtaining mobile telephone numbers 3.266
and codes necessary to produce cloned telephones.637 The computer system containing this
information was actually accessed by his co-defendant Ms Pearce, an employee of the mobile
telephone company, who was charged with the s 1 offence.638 Farquharson was found to
have committed the ‘unauthorized access’ required for the s 2 offence even though he never
touched the computer himself, but had simply asked Pearce to access the information.
The s 1 offence was originally only punishable on summary conviction by a fine of up to 3.267
£2,000 or six months in jail (s 1(3)).639 The original penalty was already double that rec-
ommended by the Law Commission.640 In 2006, the Act was amended and the penalty
was raised for summary convictions to a twelve-month jail term, while on indictment,
a term of up to two years’ imprisonment could be imposed.641 The stated purpose of this
amendment was to ‘ensure that there are adequate and more effective penalties available for
the offence of unauthorized access to computer material, to reflect the seriousness of the
632 See Audit Commission Report, ‘Ghost in the Machine: An Analysis of Fraud and Abuse’ (1998),
which found that nearly 25% of frauds were committed by staff in managerial positions.
633 Criminal Justice Act 1972, s 36.
634 Attorney-General’s Reference (No 1 of 1991) [1992] 3 WLR 432, at 437F.
635 Explanatory Report to the Convention on Cybercrime, above, n 1, at para 50.
636 Unauthorized Computer Access Law, Art 3, which provides that each unauthorized act is committed
against a ‘specific computer … via a telecommunications line’.

637 Croydon Magistrates’ Court, 9 December 1993.
638 ibid. A £300 fine was imposed on Pearce, while Farquharson received a six-month prison sentence.
639 The maximum fine is level 5 on the standard scale, and has risen over the intervening years to £5,000.
640 1988 Report, above, n 251, Pt V.
641 CMA, s 1(3), as amended by the PJA, s 35(3).
173
criminal activities which can be involved in committing this offence’.642 In terms of effect-
iveness, the amendment changes the procedural nature of the s 1 offence in a number of
ways: rendering it capable of being subject to an attempt;643 a magistrate’s search warrant;644
and extradition proceedings.
3.268 With regard to attempt, it seems hard to imagine in what circumstances attempt would be
the most appropriate charge because the person has done more than that which is ‘merely
preparatory’, for example the possession of a person’s password,645 but less than that of caus-
ing, directly or indirectly, the target computer to ‘perform any function’, which is sufficient
for the offence to be made out.
3.269 Under the EU Framework Decision on ‘attacks against information systems’, Member
States were required to provide for a maximum available penalty of between two and five
years, where the illegal access involves ‘infringing security measures’ and is committed by
in the ‘framework of a criminal organization’.646 However, in Directive 13/40/EU, a mini-
mum two-year term has been imposed,647 but no aggravated circumstances pertain to the
illegal access offence.
3.270 Prior to its repeal by the Police and Justice Act 2006, a prosecution under s 1 was subject to
certain time limits. First, proceedings had to be brought within six months ‘from the date
on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings
came to his knowledge’.648 The provision was examined by the courts in Morgans v DPP,649
where it was held that the ‘prosecutor’ includes the policeman in charge of the investigation,
which meant that in this case the charges had to be quashed for falling out of time. In add-
ition, the phrase ‘evidence sufficient in the opinion of’ was construed as being descriptive
of the state of the evidence, rather than requiring the prosecutor to have formed an opinion
about the adequacy of the evidence.650 The second time limit was that proceedings cannot
be brought more than three years after commission of the offence.651 This was an exception
to the normal rule, whereby proceedings must be brought within six months of them taking
place.652 The extension was granted to reflect the fact that it may take time for such acts to
come to the notice of a victim, as well as to assist investigators faced with the forensic chal-
lenges of such cases.653
3.271 Those that distribute passwords, codes, or other tools designed to facilitate hacking activi-
ties could have been subject to prosecution in relation to the s 1 offence, the appropri-
ate charge being dependent on the circumstances and nature of their activities. Under
642 Police and Justice Bill, Pt 5, s 35 Explanatory Note, para 297, available at <http://w ww.legislation.gov.
uk/u kpga/2006/48/notes/division/5/1/5/2>.
643 Under the Criminal Attempts Act 1981, s 1(4), attempt is only possible for indictable offences.
644 Previously under the CMA, a s 14 warrant could only be granted by a circuit judge, which was gener-
ally perceived as a more demanding process than obtaining a warrant from a Magistrates’ Court.
645 See Lord Justice Taylor’s comments in Jones [1990] 1 WLR 1057, at 1062.
646 Framework Decision, above, n 580, Art 7(1) with respect to the optional offence under Art 2(2). No
minimum term was set for the Art 2(1) offence.

647 Directive 13/40/EU, above, n 159, Art 9(2).
648 CMA, s 11(2), which was not complied with in Morgans v DPP [1999] 1 WLR 968, DC.
649 [1999] 1 WLR 968, DC.
650 ibid, at 982.
651 CMA, s 11(3).
652 Magistrates’ Courts Act 1980 (MCA), s 127(1).
653 Report No 186, above, n 538, paras 3.46–3.48.
174
the Magistrates’ Courts Act 1980, they could be charged as a person who ‘aids, abets,
counsels or procures the commission by another person of a summary offence’;654 alterna-
tively, a charge could be brought of incitement655 or conspiracy with others to commit an
offence of unauthorized access. When the CMA was enacted the publishers of the ‘Hackers
Handbook’, a popular guide to current developments in this area, decided to withdraw the
book from circulation to avoid potential legal action.656 Incitement was successfully used in
Maxwell-King,657 where the defendant supplied on a commercial basis a device, known as
a ‘multimode board’, which enabled people to gain access to encrypted satellite television
channels by modifying in an unauthorized manner the set-top box.658 However, such acts
would now be subject to prosecution under s 3A offence, ‘making, supplying or obtaining
articles for use in computer misuse offences’, discussed later in this chapter.
When mere unauthorized access was first criminalized, the debate centred on the appro- 3.272
priateness of the application of criminal law to such circumstances. Indeed, as noted above,
that debate continues to be present in the international instruments. However, in the UK,
arguments against criminalization would seem to be mute; instead, the act is being seen to
be of greater seriousness.659 The harm to a system owner from an act of unauthorized access,
other than those intended by the perpetrator, would seem to fall into one of three broad
types. First, there is the cost of investigatory work required to check the compromised sys-
tem and any impact on data confidentiality, integrity, and availability. Second, there is the
cost of remedial work to the system to prevent future access being obtained. Third, there
is the cost of restoring the system and any data that may have been damaged or modified
inadvertently by the actions of the perpetrator. However, all the examples used to justify
a more serious treatment of unauthorized access seem to fall into the third type, inadvert-
ent damage or modification.660 Addressing such loss under an unauthorized access offence
would seem to be confusing issues of access with issues of interference; the latter offence
being the more serious and not requiring the access to be unauthorized..
Across Europe, Member States have adopted similar unauthorized access offences.661 3.273
In the US, however, federal law does not contain an equivalent to the CMA s 1 offence.
Unauthorized access is only criminal where a certain threshold is met, ie where the author-
ized use of the computer reaches more than $5,000 in a twelve-month period.662
Under s 2 of the CMA, it is an offence to commit a s 1 offence together with the intent to 3.274
commit, or facilitate the commission of, a further offence. The distinction between this
offence and that of mere access is therefore one of differing motivations or, as stated by
the Law Commission, the presence of an ‘ulterior intent’.663 The linkage between an act of
654 MCA, s 44(1).

655 Now itself repealed and put on a statutory basis under the Serious Crimes Act 2007.
656 See Dumbill, E, ‘Computer Misuse Act 1990—recent developments’, 8(4) Computer Law and Practice
107 (1992).
657 The Times, 2 January 2001.
658 See also Parr-Moore [2003] 1 Cr App R (S).
659 ie the amendments made under the PJA and the Serious Crime Act 2015.
660 See the APIG Report, above, n 541, para 98.
661 eg France, Penal Code Art 323-1: ‘Fraudulently penetrating or maintaining access to an information
system’. See generally UNODC Cybercrime Repository, available at <https://w ww.unodc.org/cld/index-

cybrepo.jspx>.
662 18 USC s 1030(a)(4).
175
unauthorized access and some additional purpose is a common feature in other jurisdic-
tions. Indeed, the Convention on Cybercrime gives signatories the option of requiring the
additional ‘intent of obtaining computer data or other dishonest intent’.664 The relevant fur-
ther offence under s 2 is one for which the sentence is fixed by law, for example life impris-
onment for murder, or where imprisonment may be for a term of five years or more, for
example a computer fraud.665 The access and the further offence do not have to be intended
to be carried out at the same time,666 and it also does not matter if the further offence was in
fact impossible.667 Upon conviction, a person could be sentenced to imprisonment for up to
a five-year term on indictment; while the penalty for a summary conviction was raised from
six months to twelve months.668
3.275 The following cases illustrate a range of situations that have arisen under the s 2 offence:
• In Pearlstone, an ex-employee used his former company’s telephone account and another
subscriber’s account to defraud the computer-administered telephone system and place
calls to the US.669
• In Borg, an investment company analyst was accused of establishing dummy accounts
within a ‘live’ fund management system.670 The alleged ‘further offence’ was expected to
be fraudulent transfers into the dummy accounts.
• In Grey,671 the defendant exploited a weakness in electronic commerce sites using
Microsoft’s Internet Information Server application to access customer databases and
obtain the credit card and other personal details of at least 5,400 customers, which were
then published on the Internet; as well as purchasing various goods and services.
• In Brown,672 the defendant had obtained stolen bank and credit card details and used
them to change account details online and impersonate the account holder to obtain a
new card and PIN and then withdraw funds.
3.276 Prosecutions under s 2 are likely to be relatively infrequent or concurrent with other charges,
since in many cases prosecutors will pursue a prosecution for the further offence rather than
the unauthorized access, even though the individual may be initially charged with the s 2
offence. In addition, the perpetrator’s act of unauthorized access may be sufficient to found
a prosecution for an attempt to commit the further offence,673 although it is more likely to
be of use where the steps taken were ‘merely preparatory’.674
664 Convention on Cybercrime, Art 2. Only the US has declared that it has included this additional
requirement. See ‘Reservations and Declarations for Treaty No. 185—Convention on Cybercrime’, available
at <http://w ww.coe.int/en/web/conventions/search-on-treaties/-/conventions/treaty/185/declarations>.
665 CMA, s 2(2), ie for a first offender at twenty-one or over.
666 ibid, s 2(3).
667 ibid, s 2(4).
668 ibid, s 2(5), as amended by the PJA, s 52, Sch 14, para 17.
669 Bow Street Magistrates’ Court, April 1991; described in Battcock, R, ‘Prosecutions under the
Computer Misuse Act 1990’, 6(6) Computers and Law 22 (1996).

670 March 1993; see Battcock, above, n 669.
671 [2001] Swansea Crown Court, 6 July 2001.
672 [2014] EWCA Crim 695.
673 See Criminal Attempts Act 1981, s 1: ‘If, with intent to commit an offence to which this section
applies, a person does an act which is more than merely preparatory to the commission of the offence, he is
guilty of attempting to commit the offence.’
674 Wasik, above, n 8, at 84.
176
An effective criminal code may require what can be called ‘facilitative’ offences, offences 3.277
which facilitate the investigation and prosecution of a criminal, but which are not gener-
ally used as the main or leading charge. Both s 1 and s 2 offences under the CMA could be
characterized as such ‘facilitative’ offences. However, as with other attempt or preparatory
offences, the fact that they may have limited application or actual use would not seem to,
per se, render them worthless as a tool in the armoury of law enforcement.
Unauthorized interference
Obtaining access to a computer system clearly threatens the confidentiality of any infor- 3.278
mation residing in it. However, the greater concern is often that having accessed a system,
the perpetrator may affect the integrity and availability of the information being processed,
by interfering with the data or the hardware on which it resides. Such interference may be
the result of deliberate action, a form of electronic vandalism, or the unwitting by-product
of the hacker’s actions when operating within the system. Indeed, one argument used in
favour of criminalizing mere unauthorized access to a system is that such access can result in
non-intentional damage. The consequences of unauthorized modifications can range from
simple inconvenience to life-threatening incidents, such as Rymer,675 where a hospital nurse
hacked into a hospital computer system and altered patient drug prescriptions.
Criminal damage
The offence of criminal damage may obviously be relevant in many situations where a com- 3.279
puter is the subject of the crime. The value of a computer system normally resides in the
information it contains, software, and data, rather than the physical hardware.676 However,
as with the concept of theft, to what extent does the unauthorized deletion or modifica-
tion of computer-based information constitute ‘damage’ to property, as required under
the Criminal Damage Act 1971?677 The question was examined in Cox v Riley,678 where
an employee deleted computer programs from a plastic circuit card that was required to
operate a computerized saw. The court stated that the property (ie the plastic circuit card)
had been damaged by the erasure of the programs to the extent that the action impaired
‘the value or usefulness’ of the card and necessitated ‘time and labour and money to be
expended’ to make the card operable again.
This interpretation was upheld in R v Whiteley,679 where the defendant was convicted of 3.280
causing damage through gaining unauthorized access into the Joint Academic Network,
used by UK universities, and deleting and amending substantial numbers of files. It was
argued, on his behalf, that the defendant’s activities only affected the information con-
tained on a computer disk, not the disk itself. However, the court stated:
What the Act [Criminal Damage Act 1971] requires to be proved is that tangible property has
been damaged, not necessarily that the damage itself should be tangible.680
675 Referenced by Turner, above, n 613. See also ‘Nurse alters hospital prescriptions’, 2 Computer Fraud
and Security Bulletin (1994), at 4–5.

676 Although the theft of computers for their processor chips has been significant during periods where
market demand has exceeded supply.

677 Criminal Damage Act 1971, s 1(1). Under s 10(1), ‘Property’ means ‘property of a tangible nature,
whether real or personal’.

678 (1986) 83 Cr App R 54.
679 (1991) 93 Cr App R 25.
680 ibid, at 28.
177
The alteration of the magnetic particles contained on a disk, while imperceptible, did impair
the value and usefulness of the disk and therefore constituted damage. However, if the disk
had been blank, any alteration would not necessarily be ‘damage’.
3.281 Despite these successful prosecutions, the Law Commission considered that uncertainty
continued to exist when prosecuting computer misuse under the Criminal Damage Act
and, therefore, proposed the creation of a new offence under the CMA. One concern was
the possibility of situations where it would be difficult to identify the tangible ‘property’
that had been damaged when altering data, for example deleting information being sent
across the public telephone network. A second major concern was that police and prosecut-
ing authorities were experiencing practical difficulties ‘explaining to judges, magistrates
and juries how the facts fit in with the present law of criminal damage’.681
Section 3
3.282 The third substantive offence under the CMA was originally that of ‘unauthorised modifi-
cation of computer material’:
A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of the
computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.682
The offence was principally promoted by the spate of publicity and fear surrounding the
use of computer viruses and other malware, as well as concerns about what hackers do
once they obtain access to a machine. The provision was amended in 2006 and re-titled
‘unauthorised acts with intent to impair, or with recklessness as to impairing, operation
of computer, etc.’:
(1) A person is guilty of an offence if—
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.
(2) This subsection applies if the person intends by doing the act—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
(3) This subsection applies if the person is reckless as to whether the act will do any of the
things mentioned in paragraphs (a) to (d) of subsection (2) above.
As discussed below, the amendment arose primarily in response to concerns about the ori-
ginal provision’s suitability to address denial-of-service attacks. However, while the scope
of the provision has been significantly widened, not least by its extension to include reckless
conduct, much of the original wording was retained. In 2015, a further amendment to the
interference provisions in the CMA saw the insertion of an additional offence of ‘unauthor-
ised acts causing, or creating risk of, serious damage’.683

682 CMA, s 3(1).
683 ibid, s 3ZA.
178
The concept of damage in the Criminal Damage Act 1971 is amended by s 3 to the extent 3.283
that ‘a modification of the contents of the computer’ shall not be regarded as damage, and
therefore an offence under the 1971 Act, ‘unless its effect on that computer or computer
storage medium impairs its physical condition’.684 In the case of removable data media, such
as a USB memory stick or CD-ROM, deletion of data would only be an offence under s 3 if
the storage medium were in the computer.685 Once removed, any subsequent damage to the
data media would be subject to the terms of the 1971 Act, if it were damage to its physical
condition. Despite these changes, data held on a computer may still be subject to judicial
examination as to whether ‘damage’ has occurred under the terms of the Data Protection
Act 1998.686
The original offence created a substantial discrepancy with the situation prior to the 1990 3.284
Act, since conviction under the Criminal Damage Act could be punishable by imprisonment
for up to ten years,687 twice that available for an offence under s 3.688 In addition, liability for
criminal damage could arise through the defendant ‘being reckless as to whether any such
property would be destroyed’,689 without the requirement for the prosecution to show intent.
Such reckless damage is often a feature of ‘hacking’ cases, where a hacker inadvertently deletes
or alters files and data during the course of his activities, causing the victim substantial loss.690
However, the Law Commission considered that the s 3 offence should be limited to those
engaged in intentional acts of sabotage and noted that those causing inadvertent damage
would already be guilty of the s 1 offence, which should be a sufficient deterrent. Under the
2006 amendments, the maximum tariff for the offence was raised to ten years691 and reckless-
ness is sufficient to commit the offence,692 thereby restoring the pre-1990 position on liability.
The offence comprises the mens rea of intent or recklessness, as well as knowledge that the 3.285
act was unauthorized. The conduct element is broadly defined to include the causing of
an act and a series of acts.693 In respect of the former, a person would still have committed
the act where an innocent agent, such as a system operator inadvertently triggering a virus,
executed the actual keystrokes. As with the other CMA offences, the issue of authorization
is further defined:
An act done in relation to a computer is unauthorised if the person doing the act (or causing
it to be done)—
(a) is not himself a person who has responsibility for the computer and is entitled to deter-
mine whether the act may be done; and

(b) does not have consent to the act from any such person.694
684 Criminal Damage Act 1971, s 10(5), as amended by the PJA, s 52, Sch 14, para 2.
685 CMA, s 17(6). Similarly, under Australian law, data held on a ‘data storage device’ is subject to the
offences where ‘for the time being held in a computer’ or ‘on a computer network of which the computer
forms a part’: Criminal Code Act 1995, s 476.1(1). In addition, a separate offence has been established to
address impairment to data held on a stand-a lone computer disk or data storage device (ibid, s 478.2).
686 DPA 1998, Sch 1, Pt I, Principle 7.
687 CDA, s 4.
688 CMA, s 3(7)(b).
689 ibid, s 1(1).
691 CMA, s 3(6)(c).
692 ibid, s 3(3).
693 ibid, s 3(5).
694 ibid, s 17(8).
179
This differs from the original provision by the inclusion of the concept of ‘responsibility’ in
addition to that of entitlement. It is not expressly stated what the purpose of the additional
phrase is; although one can speculate that it is designed to clarify that ‘insiders’, such as
employees, who are given responsibility for a computer, such as a laptop, can still be held
to have engaged in an unauthorized act in respect of that computer if they do not have the
requisite entitlement.
3.286 The nature of any ‘act’ may be permanent or temporary. 695 Also, as with the s 1 offence,
the intent or recklessness need not be directed at any particular program, data, or com-
puter.696 Knowledge only relates to the issue of authorization, not the scale of the act being
committed. This was illustrated in the first prosecution of a virus writer, Christopher
Pile, aka the ‘Black Baron’, in 1995. 697 When arrested, Pile had initially denied any
involvement with computers, let alone writing the viruses; however, during the course
of his police interview, carried out in parallel with a forensic expert examining comput-
ers that had been seized, he eventually admitted his activities.698 Pile was found guilty
of the offence even though he had no knowledge of which computers were affected by
his viruses, called ‘Pathogen’ and ‘Queeg’, and he had not targeted any specific com-
puter. He was sentenced to eighteen months’ imprisonment. Similarly, in Vallor, 699 the
defendant committed a series of offences over the course of a number of weeks, sending
out three different viruses attached to email messages. By the time a search warrant was
executed at his home, his first virus, named ‘Gokar’, had been detected in some forty-
two countries.
3.287 Under the original provision, there was requirement for the presence of dual intention, in
respect of causing a modification and of causing impairment:
. . . the requisite intent is an intent to cause a modification of the contents of any computer
and by so doing—
(a) to impair the operation of any computer; . . .
This was illustrated in the Sean Cropp case. In the Crown Court, the judge had agreed with
the defence counsel’s argument that the defendant’s actions more appropriately fell under
the unauthorized modification offence rather than that of unauthorized access. However,
in the Court of Appeal, Lord Taylor put forward the opinion that the only form of modifica-
tion that could be applicable to the defendant’s actions was with respect to the impairment
of the reliability of the data, and went on to note:
That would involve giving the word ‘reliability’ the meaning of achieving the result in the
printout which was intended by the owner of the computer. It may not necessarily impair the
reliability of data in a computer that you feed in something which will produce a result more
favourable to a customer than the store holder intended.700
695 ibid, s 3(5)(c).

696 ibid, s 3(4).
697 Plymouth Crown Court, 1995.
698 See ‘The sad tale of Chris Pile’s 15 seconds of fame’, available at <http://v xheaven.org/l ib/static/vdat/
lgguilt2.htm>.
699 [2004] 1 Cr App R (S) 319.
700 Attorney-General’s Reference (No 1 of 1991) [1992] 3 WLR 432, at 438A.
180
This statement clearly recognizes the requirement for dual intention and also seems to
support the Law Commission’s stance that ‘the offence should not punish unauthorized
modifications which improve, or are neutral in their effect’.701
However, the meaning of the term ‘reliability’ was revisited in Yarimaka v Governor of HM 3.288
Prison Brixton; Zezev v Government of the United States of America.702 The case concerned the
hacking into the systems of the financial information company Bloomberg, and the subse-
quent attempt to blackmail the founder Michael Bloomberg. In the course of extradition pro-
ceedings, defence counsel for Zezev challenged the validity of the s 3 charge. It was submitted
that the purpose of s 3 was confined to acts which ‘damage the computer so that it does not
record the information which is fed into it’ (para 14). In this case, the defendant fed false infor-
mation into the system concerning the source of certain information and as such he did not
alter or erase the data, the apparent mischief against which the section was directed.
A clear similarity could be drawn between this situation and the position in Sean Cropp. In 3.289
the former, false information was also input into the computer to benefit the perpetrator,
and yet Lord Taylor was of the opinion that this does not ‘necessarily impair the reliability
of the data in a computer’. In Yarimaka, Lord Woolf did not feel inclined to make a dis-
tinction between an intention to modify and an intention to impair, stating ‘[i]‌f a computer
is caused to record information which shows that it came from one person, when it in fact
came from someone else, that manifestly affects its reliability’.703 Such an approach, while
chiming with common sense, potentially generated uncertainty regarding the scope of the
original s 3 offence.704 Under the new s 3, the intent is simply in relation to the listed forms
of interference, not the unauthorized act itself.
Prosecutions under s 3 can be distinguished into two broad categories: those where the 3.290
perpetrator often has no knowledge at all about the identity or number of victims against
whom his crime is committed, as in Pile and Vallor, which can be labelled ‘remote crimes’;
and those involving persons having some pre-existing relationship with the victim, so-
called ‘insider crimes’.
The first major prosecution brought under s 3 was an insider crime, Goulden.705 In this case, 3.291
Goulden installed a security package on an Apple workstation for a printing company,
Ampersand. The package included a facility to prevent access without use of a password.
Goulden made use of this facility as part of his claim for fees totalling £2,275. Owing to the
computerized nature of their printing operations, Ampersand were unable to function for
a period of a few days. They claimed £36,000 lost business as a result of Goulden’s actions,
including £1,000 for a specialist to override the access protection. The court imposed a two-
year conditional discharge on Goulden and a £1,650 fine. The judge also commented that
Goulden’s actions were ‘at the lowest end of seriousness’! By contrast, in Carey,706 a software

702 [2002] EWHC 589 (Admin). Zezev was eventually sentenced to a four-year jail term: see DoJ,
‘Kazakhstan hacker sentenced to four years prison for breaking into Bloomberg systems and attempting
extortion’, Press Release, 1 July 2003, available at <http://w ww.justice.gov/a rchive/criminal/c ybercrime/
press-releases/2003/zezevSent.htm>
703 [2002] EWHC 589 (Admin), para 18.
704 See Tausz, D and Smith, JC, Case Comment, Criminal Law Review 648 [2002].
705 The Times, 10 June 1992.
706 Hove Crown Court, 19 September 2002.
181
engineer deleted three years’ worth of design drawing in another payment dispute with a
company and was sentenced to an eighteen-month prison sentence.
3.292 In Whitaker,707 the courts were required to consider the extent to which the unauthorized
modification offence could be applied against an owner of intellectual property. The case
concerned a software developer and his client, and arose when the developer initiated a
logic bomb designed to prevent use of the software following a dispute over payment. The
defendant programmer argued that since under the contract he had retained all intellectual
property rights in the software (title transferred upon payment), he had the requisite right
to modify the software. The court held that, despite the existence of copyright in the soft-
ware, the nature of the development contract constituted a limitation on the exercise of the
developer’s rights. The court did recognize, however, that such an action would have been
permitted if it had been explicitly provided for in the contract, ie the licensee was made
aware of the consequences of a failure to pay. He was therefore found guilty of an offence
under s 3. This was an important decision, since the software industry has resorted to such
techniques as a means of ensuring payment for their services.708
3.293 In May 1993, the first classic ‘hackers’ were given six-month jail sentences for conspiracy
to commit offences under s 1 and s 3 of the CMA.709 The defendants, known as the ‘Eight
Legged Groove Machine’ (8LGM), hacked computer systems ranging from the Polytechnic
of Central London to National Aeronautics and Space Administration (NASA), causing
damage valued at £123,000. In passing sentence, the judge said:
There may be people out there who consider hacking to be harmless, but hacking is not
harmless. Computers now form a central role in our lives, containing personal details . . .
It is essential that the integrity of those systems should be protected and hacking puts that
integrity in jeopardy.
Such judicial sentiment is critical if the Act is to have a significant deterrent effect. However,
the jury acquitted one of the co-defendants in the same case, Bedworth, because defence
counsel successfully argued, with testimony from an expert medical witness, that the neces-
sary mens rea for a charge of conspiracy was absent because the defendant was an ‘obsessive’
hacker.710 This case was widely publicized and was seen by many as a potential ‘hacker’s
charter’.711 However, the decision seems to have arisen partly from a mistaken choice by
the prosecuting authorities to pursue an action for conspiracy, rather than a charge under
the CMA.
Denial-of-service attacks
3.294 One issue that arose concerning the original s 3 offence of unauthorized modification
was its applicability to the carrying out of DOS attacks launched against websites and
other online resources, particularly commercial operators such as eBay and Amazon. Such
attacks are designed to disrupt the operation of a site by deliberately flooding the host server
707 Scunthorpe Magistrates’ Court, unreported, 1993; see Battcock, above, n 669.
708 For a civil case under similar circumstances, see Rubicon Computer Systems Ltd v United Paints Ltd
(2000) 2 TCLR 453. In the US, the Uniform Computer Information Transactions Act (1999) expressly
provides for the use of such ‘electronic self-help’ mechanisms, at s 816, although it was amended in 2000 to
exclude mass-market products.
709 R v Strickland, R v Woods, Southwark Crown Court, 21 May 1993.
710 Southwark Crown Court, 17 March 1993.
711 See eg ‘Bedworth case puts law on trial’, Computing, 25 March 1993, at 7.
182
with multiple requests for information.712 Sometimes the DOS attacks succeed by causing
congestion in the communications links, rather than the target machine; which was the
case in October 2002 when the thirteen domain name system (DNS) root name servers
were subjected to an attack.713 Whether the attack impacts on connection capacity or band-
width, the primary objective is to compromise the availability of the online resource, rather
than its confidentiality or integrity. Motivations range from extortion attempts, such as
against gambling sites,714 to political protest, such as anti-globalization activists against the
WTO site715 or against companies.716
To achieve the necessary volumes and to conceal the location of the perpetrator, ‘distributed 3.295
denial-of-service’ (DDOS) attacks are usually the normal mode of attack. To mobilize the
multiple computers required, the perpetrator will generally surreptitiously seize control of
what are known as ‘zombie’ computers, or ‘botnets’, computers acting under the control of
the perpetrator without the owner’s knowledge. Indeed, there is a black market in ‘botnets’,
where computers, in sets of hundreds, thousands, or even hundreds of thousands, can be
hired for criminal activities;717 as one security professional has noted: ‘Hackers don’t want
to damage computers any more, they want to own them’.718
In terms of criminal conduct, a distinction should be made between the obtaining control 3.296
of the individual systems that comprise the ‘botnet’, which will generally involve illegal
access, and the launching of a DDOS attack against the target systems, which is usually
designed to impact its availability.719 Prior to the amendment of the s 3 offence, attempts
to prosecute those considered responsible for launching DDOS attacks encountered prob-
lems from two sources, in relation to both the conduct and fault elements. First, in respect
of conduct, as discussed further in Chapter 6,720 one avenue of defence is to deny that you
712
Such actions should be contrasted with the sending of multiple requests for supposedly legitimate
purposes, eg a competitor checking current prices. See eg eBay v Bidders Edge, 100 F Supp 2d 1058 (ND Cal
2000), where eBay successfully obtained an injunction on the basis of a claim for trespass to chattels.
713
Vixie, P, Sneeringer, G, and Schleifer, M, ‘Events of 21 Oct 2002’, 24 November 2002, available at
<http://d.root-servers.org/october21.txt>.
714
eg Ward, M, ‘Bookies suffer online onslaught’, BBC News, 19 March 2004, available at <http://news.
bbc.co.uk/2/hi/technology/3549883.stm>.
715 eg DJNZ and The Action Tool Development Group of the Electrohippies Collective, ‘Client- side
Distributed Denial-of-Service: Valid campaign tactic or terrorist act?’, 34(3) Leonardo 269 (2001).
716 On 22 May 2006, a German Higher Regional Court held that an online demonstration by 13,000
demonstrators against Lufthansa’s corporate website, through a two-hour DDOS attack, was not unlaw-
ful coercion or data modification.: Case against Andreas Thomas Vogel, Case No 1 Ss 319/05 991 Ds 6100
Js226314/01-1009, see further at <http://post.thing.net/node/1370>.
717 See DoJ, ‘Computer virus broker arrested for selling armies of infected computers to hackers and
spammers’, Press Release, 3 November 2005, available at <http://www.justice.gov/archive/criminal/cyber

crime/press-releases/2005/anchetaArrest.htm>. See also Cullen, D, ‘Dutch smash 100,000-strong zombie
army’, The Register, 7 October 2005, available at <http://w ww.theregister.co.uk/2005/10/07/dutch_police_
smash_zombie_network/>.
718 Johnson, B, ‘Of worms and woodpeckers: The changing world of the virus-busters fighting rise in
internet crime’, The Guardian, 6 February 2006, available at <http://w ww.theguardian.com/u k/2006/feb/
06/russia.security>.
719 See T-C Y, ‘Provisions of the Budapest Convention covering botnets’, Guidance Note No 2, T-C Y
(2013) 6E Rev, 5 June 2013, available at <https://w ww.coe.int/t/dghl/cooperation/economiccrime/Source/

Cybercrime/TCY/TCY%202013/TCY_2013_6REV_GN2_botnets_V7adopted.pdf> and T-C Y, ‘DDOS
attacks’, Guidance Note No 5, T-C Y (2013) 10E Rev, 5 June 2013, available at <https://w ww.coe.int/t/dghl/
cooperation/economiccrime/Source/Cybercrime/TCY/TCY%202013/T-C Y%282013%2910REV_GN5_
DDOS%20attacks_V7adopted.pdf>.
720 See paras 6.95–6.96.
183
were the person responsible for initiating the attack from the source machine, even if you
own it! In an environment where there is a prevalence of ‘zombie’ machines, establishing
the required evidential link between a machine and the conduct of its owner may prove
difficult. In Caffrey,721 the defendant successfully argued that the DOS attacks launched
from his machine, which brought the Port of Houston in the US to a standstill, had been
initiated by a ‘Trojan horse’ virus operating on his machine without his knowledge. This
was despite the absence of evidence of the presence of such malware. As he was held not
to have done the actus reus causing the modification, there was no need for the question of
fault to be addressed.
3.297 Because of the different means of carrying out a DDOS attack, there was concern that
the unauthorized modification offence may be unable to address all such activities. With
direct attacks, the nature of the communications sent to the target machine will often fall
within a class of transmission which the target machine was designed to receive. As such,
while there may be the necessary intent to cause a modification and impairment, the modi-
fication itself may not be considered unauthorized. Such an argument was accepted in a
written judgment in Lennon722 given by District Judge Grant at Wimbledon Magistrates’
Court in November 2005, a case involving a teenage boy. The defence had been argued
after the teenager had admitted to carrying out a DOS attack against his former employer,
Domestic and General Group, using a specialist email-bomber program called Avalanche.
Some five million emails had been sent, causing the company’s servers to crash. On the issue
of authorization, Judge Grant stated:
the individual emails caused to be sent each caused a modification which was in each case an
‘authorized’ modification. Although they were sent in bulk resulting in the overwhelming of
the server, the effect on the server is not a modification addressed by section 3 (of the CMA)
. . . On the narrow issue of an authorized or unauthorized modification, I concluded that no
reasonable tribunal could conclude that the modification caused by the e-mails sent by the
defendant were unauthorized within the meaning of section 3.723
In this decision, the court adopted a limited perspective on the perpetrator’s activities. If it is
clear that the defendant caused the modification and had the ‘requisite intent’, to treat each
message in isolation when addressing the issue of authorization, rather than as a totality,
seemed to be unnecessarily literal. If each message is treated as separate, it is inevitably logic-
ally difficult to argue that at a certain increment all the messages, those already received
and those to be received, become unauthorized. However, if the perpetrator’s initial act is
viewed as triggering the sending of a sum x of messages that are designed to overwhelm the
recipient system, then a lack of authorization could be found by implication.
3.298 Such an approach was indeed taken on appeal by the Director of Public Prosecutions, by
way of case stated.724 The Divisional Court allowed the appeal, stating:
721 Southwark Crown Court, 17 October 2003.

722 L [2005] ECLR 5(5), 3 (the defendant was under eighteen at the initial trial, hence his name was not
disclosed).
723 See Espiner, T, ‘British teen cleared in “email bomb” case’, ZDNet (UK), 2 November 2005. See also
‘Teen cleared over e-mail salvo’, BBC News, 3 November 2005, available at <http://news.bbc.co.uk/1/hi/
technology/4 402572.stm>.
724 An appeal by way of ‘case stated’ may be made by the prosecution or defence, and is made under the
Magistrates’ Courts Act 1980, s 111(1). See also Criminal Procedure Rules 2005 (SI No 384), Pt 64.
184
The owner of a computer able to receive emails would ordinarily be taken to have consented
to the sending of emails to the computer. However, such implied consent was not without
limits, and it plainly did not cover emails that had been sent not for the purpose of commu-
nication with the owner but for the purpose of interrupting his system.725
While the amended definition of ‘unauthorised’ would not necessarily remove the problem
raised at first instance in Lennon, an ‘act’ is now explicitly defined as including a ‘series of
acts’,726 which enables DOS traffic to be treated as a sum rather than as individual messages.
On returning to the Magistrates’ Court, Lennon pleaded guilty and was given a two-month
suspended sentence with a curfew order.
With DDOS attacks, offences under ss 1 and 3 are likely to have been committed against 3.299
the ‘zombie’ computers, by the person surreptitiously installing the malware, even if uncer-
tainty existed about the nature of what is carried out against the target computer. Where a
DOS or DDOS attack effectively disabled the communication links to the target computer
through congestion, rather than the target itself, the original s 3 offence may not have been
applicable, since it may not be possible to show any modification of the ‘contents of any [ie
the target] computer’. Obviously, the computers comprising the congested network, such
as routers, would have been modified and a prosecution could focus on the act of compro-
mising these resources, although the issue of authorization arises here as well. As a result of
the legal uncertainty, there were a number of proposals to address the potential lacuna.727
In June 2004, the All Party Parliamentary Internet Group proposed the creation of a new
offence of ‘impairing access to data’, which would have a similar tariff to the CMA s 1
offence.728
In July 2003, the Government announced its intention to review the 1990 Act,729 in part to 3.300
address existing lacunae, such as the need to tackle certain DOS activities, as well as to com-
ply with its international commitments. The provisions to amend the CMA were contained
in the Police and Justice Act 2006.730 Rather than establishing a supplementary offence, the
amendment replaced the s 3 offence.
The offence of ‘unauthorised acts’ shifts the locus of the crime from the ‘contents of the 3.301
computer’ to potentially any point in a network which is held to be ‘in relation to’ the target
computer, a phrase not further defined. The wording thus further weakens the conceptual
link between the s 3 offence and criminal damage. While Cox v Riley and Whiteley extend
the meaning of damage to include impairment of value or function, both are located in
the property itself. By shifting the locus away from the computer, such provisions become
more analogous to the common law offence of public nuisance,731 similar in kind to the
725 DPP v Lennon [2006] All ER (D) 147 (May).

726 CMA, s 3(5)(b).
727 Private members bills were proposed by the Earl of Northesk (2002), Derek Wyatt MP (2005), and
Tom Harris MP (2005).

728 APIG Report, above, n 541, para 75.
729 Caroline Flint MP, Parliamentary Under- Secretary, Home Officer Minister in speech made at a
EURIM meeting, 14 July 2003.
730 PJA, s 36.
731 Although see the House of Lords’ judgment in Rimmington [2005] UKHL 63; [2006] HRLR 3, which
while recognizing that such an offence was sufficiently clear, precise and rational to be consistent with Art 7 of
the European Convention on Human Rights (ECHR) (4 November 1950, entered into force 3 November 1953,
213 UNTS 222) was severely limited to use against conduct that was not subject to express statutory provision.
185
obstruction of a highway,732 especially where the communications links are congested and
collateral damage in the form of loss of connectivity is extensive. The wording also has some
similarities with the US formulation of a ‘protected computer’ in that both recognize that it
is the networked quality of computers where the ‘integrity’ threat resides, as much as other
features of a computer.
3.302 The new provision was intended to comply with the ‘illegal system interference’ offences
under the Convention on Cybercrime and 2005 Decision.733 However, the terms of these
offences are not identical. Both list a series of possible intentional acts against a system,
‘deletion, damaging, deterioration, alteration, suppression’; but the Decision also refers to
‘rendering inaccessible’. While the common list would seem to be located within the system,
akin to damage, the latter phrase takes us away from the computer, akin to obstruction.
The only instrument that expressly uses the language of obstruction is the Commonwealth
Model Law, in respect of data interference:
6(1) A person who, intentionally or recklessly, without lawful excuse or justification, does
any of the following acts:
(a) destroys or alters data; or
(b) renders data meaningless, useless or ineffective; or
(c) obstructs, interrupts or interferes with the lawful use of data; or
(d) obstructs, interrupts or interferes with any person in the lawful use of data; or
(e) denies access to data to any person entitled to it.734
3.303 To date, DOS attacks have been primarily discussed in terms of an external attack against
a website, in contrast to the unauthorized access, which often involves insiders. However,
other forms of availability attacks may occur. For example, it was reported in 2006 that
Second Life,735 an online gaming environment, passed on details of a group of its users
to the FBI accusing them of a DOS attack by repeatedly causing the ‘virtual world’ to
crash.736
3.304 As noted earlier, in April 2015, a new offence was inserted in the CMA: that of ‘unauthor-
ised acts causing, or creating risk of, serious damage’.737 It is designed to address ‘the most
serious cyber attacks’738 against critical national infrastructure, such as transport and finan-
cial systems, which can result in damage of a ‘material kind’.739 The perpetrator must know
that his conduct is unauthorized, and either intend to cause serious damage or be reckless
as to whether such damage is caused.740 Where the serious damage is caused to human wel-
fare or national security, the maximum tariff is life imprisonment; while for damage to the
732 Now a statutory offence under the Highways Act 1980, s 137.
733 See Police and Justice Act 2006, Explanatory Note, para 301, available at <http://w ww.legislation.gov.
uk/u kpga/2006/48/notes>. See also the Convention on Cybercrime, Art 5 and Framework Decision, above,
n 580, Art 3, respectively.
734 Commonwealth Model Law, Art 6(1).
735 See <http://secondlife.com>
736 See Krotoski, A, ‘Population explosion puts our virtual worlds at risk’, The Guardian,
12 January 2006, available at <http://w ww.theguardian.com/technology/2006/jan/12/games.

guardianweeklytechnologysection>.
737 CMA, s 3ZA.
738 Home Office, Serious Crime Act 2015, Circular 008/2015, 25 March 2015, para 8, available at <https://
www.gov.uk/government/publications/circular-0 082015-serious-crime-act-2015>.
739 CMA, s 3ZA(2).
740 ibid, s 3ZA(1)(b) and (d), respectively.
186
economy or the environment, it is up to fourteen years.741 This represents a very substantial

increase in the potential tariff available for a computer-integrity offence in the UK and is
recognition within government of the scale of damage and disruption that can result from
successfully targeting such systems.
Terrorism
In our post-11 September world, a major concern of policy-makers is the ‘blended threats’ 3.305
that terrorists may pose.742 Combining a series of explosions with attacks against the avail-
ability of the local phone system, for example, would create greater terror, disruption, and
impact than either act on its own. Cyberterrorism is simply a means of labelling the offences
examined already in this chapter with a specified motivation.
In the UK, legislation has defined the concept of what constitutes an act of terrorism to 3.306
include actions ‘designed seriously to interfere with or seriously disrupt an electronic sys-
tem’,743 akin to ‘unauthorised acts’. However, to be an offence under the Terrorism Act
2000, as opposed to a CMA s 3 offence, the other constituent elements for an ‘act of terror-
ism’ would also have to be present:
• that the ‘use or threat is designed to influence the government or an international govern-
mental organisation or to intimidate the public or a section of the public’; and
• the use or threat is made ‘for the purpose of advancing a political, religious or ideological
cause’.744
Once all the elements are present, there are a number of discrete offences that a person may
commit, such as possessing an article for a purpose ‘connected with the commission, prep-
aration or instigation of an act of terrorism’,745 or collecting or possessing information likely
to be useful for the commission of an act of terrorism.746 So, for example, a person found
with keystroke logging software or an access code, following an investigation into a DDOS
attack, could be charged with terrorist offences if the other elements were present. The max-
imum tariffs for such offences were considerably greater than under the CMA, prior to the
introduction of the s 3ZA offence discussed above.747
At a broader level, terrorism and the threat of terrorism is impacting on criminal law in a 3.307
number of different ways. One example is the concept of ‘incitement’ to commit an offence.
Under the Terrorism Act 2006, indirect acts of encouragement and inducement have been
criminalized, as well as direct acts of incitement,748 as discussed above in respect of hate
speech crimes.749
In the Directive 13/40/EU, it states that Member States shall provide that attacks that have 3.308
caused ‘serious damage or … are committed against a critical infrastructure information
system’ be considered an aggravating circumstance giving rise to greater criminal penalties
741 ibid, s 3ZA(7) and (6), respectively.

742 Interview with Tim Wright, Head of Computer Crime Team, Home Office, 1 February 2006.
743 Terrorism Act 2000 (TA 2000), s 1(2)(e).
744 ibid, s 1(1)(b) and (c) respectively, as amended by the TA 2006, s 34.
745 TA 2000, s 57(1).
746 ibid, s 58(1).
747 eg fifteen years under TA 2000, s 57(4)(a) and ten years under s 58(4)(a) respectively.
748 TA 2006, s 59.
749 See paras 3.192–3.200.
187
of a least five years’ imprisonment.750 The term ‘critical infrastructure information system’
is not further elaborated in the Directive, which leaves considerable discretion to Member
States, which can be seen in s 3ZA of the CMA. The concept of ‘critical infrastructures’ is
subject to harmonization measures at an EU level, although they are currently limited to
energy and transport networks.751
Unauthorized interception
3.309 The integrity offences discussed so far in this section are directed at data ‘at rest’, ie data
residing in a system that is accessed or modified by a perpetrator. However, the criminal
law also protects data ‘in transmission’ across networks from being intercepted by others.
While the motivations for attacking data in transmission may be the same as when the data
is ‘at rest’, ie to impact on the confidentiality, integrity, and availability of the data, the pri-
mary harm has traditionally been perceived to be the breach of the confidential or private
nature of communications. This bias is reflected in the relevant legislative instruments, for
example:
This provision aims to protect the right of privacy of data communication.752
Measures should be taken to prevent unauthorised access to communications in order to
protect the confidentiality of communications . . .753
This privacy focus has meant that illegal interception has often been viewed primarily as a
component of an individual’s private life that requires protection from interference by the
state,754 rather than as a form of computer-integrity offence. Although interception offences
are concerned with access to the content of a person’s communications, it is not categorized
as a form of content-related offence because the law protects the right to confidential com-
munications, irrelevant of whether the content itself is private or public, legal or illegal.
3.310 As with the other computer-integrity offences, such as ‘hacking’, interception may be car-
ried out in the course of criminal conduct or by law enforcement agencies as a tool of
criminal investigation, although current law and policy-making is more concerned with
the latter situation. The following discussion focuses on the commission of the offence; the
operation of the legal framework in respect of computer forensics and criminal procedure
is examined further in Chapter 4.
Regulation of Investigatory Powers Act 2000

3.311 The primary governing statute in the UK is Part I, Chapter I of the Regulation of
Investigatory Powers Act 2000 (RIPA). Part I is sub-divided into two chapters, concerned
respectively with the interception of the content of a communication and the acquisition
and disclosure of communications data. The Act is primarily addressed at law enforce-
ment activities, regulating the exercise of investigatory powers in accordance with human
750 Directive 13/40/EU, above, n 159, art 9(4).

751 Council Directive 2008/114/EC on the identification and designation of European critical infrastruc-
tures and the assessment of the need to improve their protection, OJ L 345/75, 23 December 2008.
752 Explanatory Report to the Convention on Cybercrime, above, n 1, para 51.
753 Directive 02/ 58/EC of the European Parliament and of the Council concerning the processing of
personal data and the protection of privacy in the electronic communications sector, OJ L 201/37, 31 July
2002, Recital 21.
754 eg ECHR, Art 8(1) and Charter of Fundamental Rights of the European Union, Art 7.
188

Computer_Crimes_and_Digital_Investigations_----_(Pg_199--229)

Uploaded by

Copyright:

Available Formats

Computer_Crimes_and_Digital_Investigations_----_(Pg_199--229)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Computer_Crimes_and_Digital_Investigations_----_(Pg_199--229)

Uploaded by

Copyright:

Available Formats

Committing Crimes: Substantive Offences

531 47 USC s 223(a)(1)(C).

Of computers, systems, and devices

this is the approach commonly taken in UK legislation when addressing technology.540

Misuse Act’, 31 January 2006.

<https://​w ww.proofpoint.com/​us/​t hreat-​insight/​post/ ​Your-​Fridge-​is-​Full-​of-​SPAM>.

para 17, available at <https://​w ww.cl.cam.ac.uk/​~rnc1/​A PIG-​report-​cma.pdf> (‘APIG Report’).

542 Directive 13/​40/​EU, above, n 159.

549 18 USC s 1030(e)(2).

27.8.2002, at Art. 2(d).

in ‘serious harm’ (Art 4(2)).

The installation of malware by deceiving consumers and without Microsoft’s authoriza-

Of authorization, right, and lawful excuses

00987-​GMN-​GWF, 19 June 2014, para 58.

78(5) New York University Law Review 1596 (2003).

569 ie 18 USC ss 1030(a)(2)(C) and 1030(b)(2)(A).

Art 2(2) ‘(Framework Decision’).

Advisor to Jan Albrecht, received on 7 July 2015.

(1989-​90) col 15 (14 March 1990).

chattels in respect of unwanted emails. The claim was unsuccessful.

593 See further paras 3.328–​3.331.

power of access to a computer system’ (Art 6(2)).

Self Storage, Inc, 119 F Supp 2d 1121 (WD Wash 2000).

of unauthorized access, rendering it inapplicable where officers were exercising powers of

available at <http://​w ww.computerevidence.co.uk/​Cases/​CMA.htm>. See also a related appeal for judicial

. . . nothing designed to indicate a withholding of consent to access to any program or data

against a ‘specific computer … via a telecommunications line’.

minimum term was set for the Art 2(1) offence.

654 MCA, s 44(1).

system’. See generally UNODC Cybercrime Repository, available at <https://​w ww.unodc.org/​cld/​index-​

Computer Misuse Act 1990’, 6(6) Computers and Law 22 (1996).

and Security Bulletin (1994), at 4–​5.

market demand has exceeded supply.

whether real or personal’.

681 Report No 186, above, n 538, para 2.31.

mine whether the act may be done; and

695 ibid, s 3(5)(c).

701 Report No 186, above, n 538, para 3.72.

spammers’, Press Release, 3 November 2005, available at <http://www.justice.gov/archive/criminal/cyber

(2013) 6E Rev, 5 June 2013, available at <https://​w ww.coe.int/​t/​dghl/​cooperation/​economiccrime/​Source/​

721 Southwark Crown Court, 17 October 2003.

725 DPP v Lennon [2006] All ER (D) 147 (May).

Tom Harris MP (2005).

12 January 2006, available at <http://​w ww.theguardian.com/​technology/​2006/​jan/​12/​games.

economy or the environment, it is up to fourteen years.741 This represents a very substantial

741 ibid, s 3ZA(7) and (6), respectively.

Regulation of Investigatory Powers Act 2000

750 Directive 13/​40/​EU, above, n 159, art 9(4).

You might also like

<https://w ww.proofpoint.com/us/t hreat-insight/post/ Your-Fridge-is-Full-of-SPAM>.

para 17, available at <https://w ww.cl.cam.ac.uk/~rnc1/A PIG-report-cma.pdf> (‘APIG Report’).

542 Directive 13/40/EU, above, n 159.

00987-GMN-GWF, 19 June 2014, para 58.

(1989-90) col 15 (14 March 1990).

593 See further paras 3.328–3.331.

available at <http://w ww.computerevidence.co.uk/Cases/CMA.htm>. See also a related appeal for judicial

system’. See generally UNODC Cybercrime Repository, available at <https://w ww.unodc.org/cld/index-

and Security Bulletin (1994), at 4–5.

(2013) 6E Rev, 5 June 2013, available at <https://w ww.coe.int/t/dghl/cooperation/economiccrime/Source/

12 January 2006, available at <http://w ww.theguardian.com/technology/2006/jan/12/games.

750 Directive 13/40/EU, above, n 159, art 9(4).