The crimes of hacking | 20 October 1989

The Law Commission’s proposal to criminalise the activities of computer hackers is welcome. Only a few months ago we argued in this column that to make hacking a crime was a necessary, though not in itself sufficient, step in the battle against computer fraud.

By recommending that three new criminal offences should be created, the Law Commission has recognised that hacking presents a number of tricky problems which are not susceptible of a single, simplistic solution. Thus it is suggested that there should be a widely-drawn basic summary offence of unauthorised entry into a computer system. Naturally there must be safeguards to ensure that employees of system operators who are merely negligent, for instance, do not become classified as criminals. The argument that the basic offence will criminalise a ‘fun’ activity holds no more water than would a plea on behalf of ‘joy-riders’ who borrow other people’s motor cars without having any intention of permanently depriving the owners of their means of transport. The Commission acknowledges that in practice there may be few convictions of those who hack for fun; it argues that the important thing is to send out the right message to would-be hackers and the point is well made.

An aggravated offence of unauthorised entry into a system with intent to commit or assist in serious crime, and a further serious offence of altering data or programs held on computer, will both carry maximum five-year prison sentences. In contrast, the basic crime will attract a maximum penalty of three months in jail and will not carry police powers of arrest and search. In this way the Commission draws an important and sensible distinction between the irresponsible and anti-social pest and the major-league villain. To criminalise ‘hacking with intent’ may not reduce the need for large businesses to invest heavily in computer security but it should mean that a number of fraudsters are apprehended sooner rather than later. The introduction of the anti-sabotage offence will enable the courts to deal with saboteurs, including disgruntled employees who are tempted to introduce a virus into their company’s system, who fall outside the net of the law of criminal damage.

The government has indicated that legislation will be brought in ‘when a suitable opportunity arises’. Nevertheless, it would be wrong to suggest that the Commission’s proposal has universal support. One may dismiss the special pleading of self-confessed hackers such as Stephen Gold. But a number of experts in the field – even the Data Protection Registrar – have voiced reservations about measures of the kind suggested, and their views deserve serious consideration. As a point of general principle, too, it must be wrong to extend the bounds of that activity which society deems to be criminal unless the case of change is clear and compelling.

On close inspection, though, there is no good reason to believe that, as some have claimed, criminalisation will actually decrease the chances of catching hardened computer criminals, or that high-spirited young hackers will become easier prey for ‘evildoers’. Nor is the Commission giving the green light for computer suppliers to carry on selling insecure systems for inappropriate applications. The logic behind the Commission’s report is convincing; the sooner the government acts, the better.