st25_the_law.md

---
title: The Law
---

The law surrounding cyber security is made up of a number of different
overlapping components.  It includes data protection through the Data
Protection Act and GDPR; intellectual property, through copyright,
patents and so on; and others.  In this article, we look at the law
specifically around computer misuse or "hacking".

* Computer Misuse

In the middle of the 1980s Robert Schifreen and Stephen Gold
discovered the log-in details of an account on British Telecom's
Prestel by watching what an engineer typed in to their terminal. They
logged in and explored the system, managing to find details of
accounts belonging to other people, including members of the royal
family.

British Telecom discovered the unauthorised use and the pair were
charged. At the time, there was no UK law that covered their
activities exactly, so they were charged with manufacturing a "false
instrument" under the Forgery and Counterfeiting act 1981. The
argument was that by entering their unauthorised commands into the
Pentel system, they had changed its internal state and somehow created
something that infringed on the intellectual property of British
Telecom.

They were fined less than £1500, but the case highlighted two things:
one, that British Telecom had not taken security seriously (the
username and password were 2222222222 and 1234 respectively) and the
second that the law being applied did not quite fit the situation.

Schifreen and Gold appealed the finding on that second point and it
was upheld. Lord Justice Brandon said that "we have accordingly come
to the conclusion that the language of the Act was not intended to
apply to the situation which was shown to exist in this case. The
submissions at the close of the prosecution case should have
succeeded. It is a conclusion which we reach without regret. The
Procrustean attempt to force these facts into the language of an Act
not designed to fit them produced grave difficulties for both judge
and jury which we would not wish to see repeated. The appellants'
conduct amounted in essence, as already stated, to dishonestly gaining
access to the relevant Prestel data bank by a trick. That is not a
criminal offence. If it is thought desirable to make it so, that is a
matter for the legislature rather than the courts."

This led to the creation of the Computer Misuse Act 1990, which set
out three offences:

1. unauthorised access to computer material
2. unauthorised access with intent to commit or facilitate commission
   of further offences
3. unauthorised modification of computer material

The punishment, in terms of fines and prison sentences, was also laid
out.  Since then, these three offences remain in subsequent revisions
of the act, although the fines and prison terms have changed. Two
additional offences have also been added. At the time this article was
written (May 2019), the list of offences is:

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission
   of further offences.
3. Unauthorised acts with intent to impair, or with recklessness as to
   impairing, operation of computer, etc.
4. Unauthorised acts causing, or creating risk of, serious damage
5. Making, supplying or obtaining articles for use in offence under


# Links
 - https://www.itpro.co.uk/it-legislation/28174/what-is-the-computer-misuse-act
 - https://www.cps.gov.uk/legal-guidance/computer-misuse
 - https://www.legislation.gov.uk/ukpga/1990/18/contents

<!--  LocalWords:  Telecom Prestel
 -->
	---
	title: The Law
	---

	The law surrounding cyber security is made up of a number of different
	overlapping components. It includes data protection through the Data
	Protection Act and GDPR; intellectual property, through copyright,
	patents and so on; and others. In this article, we look at the law
	specifically around computer misuse or "hacking".

	* Computer Misuse

	In the middle of the 1980s Robert Schifreen and Stephen Gold
	discovered the log-in details of an account on British Telecom's
	Prestel by watching what an engineer typed in to their terminal. They
	logged in and explored the system, managing to find details of
	accounts belonging to other people, including members of the royal
	family.

	British Telecom discovered the unauthorised use and the pair were
	charged. At the time, there was no UK law that covered their
	activities exactly, so they were charged with manufacturing a "false
	instrument" under the Forgery and Counterfeiting act 1981. The
	argument was that by entering their unauthorised commands into the
	Pentel system, they had changed its internal state and somehow created
	something that infringed on the intellectual property of British
	Telecom.

	They were fined less than £1500, but the case highlighted two things:
	one, that British Telecom had not taken security seriously (the
	username and password were 2222222222 and 1234 respectively) and the
	second that the law being applied did not quite fit the situation.

	Schifreen and Gold appealed the finding on that second point and it
	was upheld. Lord Justice Brandon said that "we have accordingly come
	to the conclusion that the language of the Act was not intended to
	apply to the situation which was shown to exist in this case. The
	submissions at the close of the prosecution case should have
	succeeded. It is a conclusion which we reach without regret. The
	Procrustean attempt to force these facts into the language of an Act
	not designed to fit them produced grave difficulties for both judge
	and jury which we would not wish to see repeated. The appellants'
	conduct amounted in essence, as already stated, to dishonestly gaining
	access to the relevant Prestel data bank by a trick. That is not a
	criminal offence. If it is thought desirable to make it so, that is a
	matter for the legislature rather than the courts."

	This led to the creation of the Computer Misuse Act 1990, which set
	out three offences:

	1. unauthorised access to computer material
	2. unauthorised access with intent to commit or facilitate commission
	of further offences
	3. unauthorised modification of computer material

	The punishment, in terms of fines and prison sentences, was also laid
	out. Since then, these three offences remain in subsequent revisions
	of the act, although the fines and prison terms have changed. Two
	additional offences have also been added. At the time this article was
	written (May 2019), the list of offences is:

	1. Unauthorised access to computer material.
	2. Unauthorised access with intent to commit or facilitate commission
	of further offences.
	3. Unauthorised acts with intent to impair, or with recklessness as to
	impairing, operation of computer, etc.
	4. Unauthorised acts causing, or creating risk of, serious damage
	5. Making, supplying or obtaining articles for use in offence under



	# Links
	- https://www.itpro.co.uk/it-legislation/28174/what-is-the-computer-misuse-act
	- https://www.cps.gov.uk/legal-guidance/computer-misuse
	- https://www.legislation.gov.uk/ukpga/1990/18/contents

	<!-- LocalWords: Telecom Prestel
	-->