
But not for long...
By Neil Barrett
Published: 28 April 2005 07:05 GMT
While the law is quickly catching up with computer crimes, there is still one offence police can't nail you for. Fortunately, says Neil Barrett, that is set to change - and not a moment too soon.
In the field of computer crime, there is one glaring problem: the law. Until relatively recently, there was no law to criminalise what might be recognised as obvious 'mischiefs' performed against computers; there was no legal framework to make hacking, viruses, denial of service or the theft of intellectual property positively illegal. That these were unwelcome activities was obvious but finding a law within which such actions could be prosecuted and punished was simply not possible.
The defacement of information contained in a computer could be considered a form of vandalism - but vandalism is prosecuted as a form of criminal damage when, for instance, a young hooligan kicks down a bus shelter or the like. Unfortunately, the law of criminal damage talks of destruction of property and does not include what are called 'intangibles'.
Originally applied to such things as electricity, the term 'intangibles' does not encompass 'information'; beyond those intangibles, the law refers only to physical - or 'real' - property. In order for modification of information (such as data stored on a computer) to count as damage to real property, it would have to impair the physical nature of the disk drive. Since changing a '1' to a '0' is a central function of a working disk drive, and simply changing the information on a disk drive doesn't impair its physical nature, altering a file could not be counted as 'damage' within the meaning of the law.
So, vandalism of computer information cannot be considered to be the same as vandalism of a bus shelter; the criminal damage law cannot be applied to computer data.
Similarly, hacking a computer by persuading it to accept a fraudulently-presented password cannot be considered as a form of fraud, as defined within the various laws of theft. For a fraud to occur, the law requires that a person has been deceived. Since only a computer is deceived by a fraudulent password - or any other form of authentication mechanism - that cannot be counted within the various elements of fraud, even if the hacker has entered that password so as to obtain access to money. Another possibility, attempted in the famous trial of two Prestel hackers in the 1980s, would be to consider the false password as being somehow counterfeit - but that too was shot down in the courts, when it was found that a password is simply too transient to be considered a 'false instrument' in the same sense as a counterfeit banknote, for example.
Finally, a hacker who steals information from a computer, such as credit card details or secret information, is not guilty of 'theft' in the meaning of the law. To steal requires the intention 'permanently to deprive the owner' of some property. First, information is not property in this sense, since it isn't 'real' and doesn't count as one of the intangibles, such as electricity or water. And second, a hacker can copy a file without depriving the owner of it: they still have their copy but have somehow lost the confidentiality of it. This was established back in the 1970s by a case ruling in which a university student was accused of stealing an exam paper when he took a copy of it so as to help in his revision.
Hacking cannot be fraud, it cannot be a form of counterfeiting, it cannot be theft and it cannot be criminal damage - yet it is still an act that deserves to be criminalised. The result, of course, was the forming of the 1990 Computer Misuse Act - to make specific criminal offences of hacking and of malicious damage to computers. Other than in a very few related laws - such as the laws of data protection and a minor part of the terrorism law - this is still the main legislative instrument to prosecute hackers.
The law is very well framed, making it an offence to hack into a computer whether for curiosity or for criminal gain, and making it an offence to modify a computer so as to cause damage. Unfortunately, there is one all-too-prevalent offence which appears to be untouched by the law: denial of service.
What if someone attacks a computer in order to block access to it but does so without gaining access or modifying its contents? Section 1 of the law cannot touch you, because you haven't accessed the computer; and section 3 cannot touch you, because you have made no change to the contents. You are untouchable.
If you launch your attack by using zombie bots on multiple computers in a 'distributed denial of service' then you will have accessed those zombie computers and you will have modified them. You can be prosecuted for that. But if you launch your attack from your own computer (which you are allowed to use) and simply make a large number of requests for the index page of a website, for example, then you will not be making unauthorised modifications to that server.
We need to change this, of course. We need a specific alteration to the Computer Misuse Act so as to make denial of service - whether a 'simple' or an 'aggravated' offence - a criminal act.
The first attempt to introduce this change was a dismal failure: the wording of the proposed new section 3A offence was dramatically different from that of the rest of the Act, and it would have criminalised many entirely innocent activities which accidentally block a website.
With this proposal kicked out, a parliamentary committee spent the best part of last summer researching possible answers. The result will be a modified Computer Misuse Act which will make offences of simple and aggravated denial of service.
Not before time, given the growth in such attacks over the last couple of years. Finally we will have a workable law - and then all we'll have to rely on is that victims report an offence, the police capture the perpetrators and the courts punish them. That's the hope at least.
Neil Barrett is visiting professor in the Centre for Forensic Computing at the Royal Military College of Science, Cranfield University, and the author of several books, papers and articles covering computer crime. A frequent computer expert witness for the prosecution, he has given evidence in cases of hacking, paedophilia, fraud and even murder. He was recently appointed EC trustee in Microsoft's ongoing antitrust case in Europe.
Copyright © 2008 CBS Interactive Limited. All rights reserved.