This document discusses cybercrime legislation and substantive criminal law provisions related to cybercrimes. It summarizes key parts of the Council of Europe's Convention on Cybercrime and the EU's directives on illegal access, illegal interception of data, computer misuse, and denial of service attacks. It examines cases from the UK related to unauthorized access by authorized users and discusses how legislation addresses dual-use tools and botnet crimes.

1. CYBERCRIME LEGISLATION
PART 2

2. SUBSTANTIVE CRIMINAL LAW
PROVISIONS
This Chapter is based on Chapter 10 of IT LAW by Ian J Lloyd. Additions have been
made to flesh out the Irish law sections.

3. INTRODUCTION
In the previous chapter, the Council of European’s convention on CyberCrime was
discussed and has become accepted as the leading international instrument in the IT
law field.
Its provisions which are largely replicated in the EU’s directives will be used in this
chapter to indicate the major headings in which IT crime may be prosecuted.
1) offences against confidentiality, integrity and availability.
2) computer related offences, computer fraud
3) content related offences such as child pornography
4) offences related to infringements of copyright and related rights.

4. ILLEGAL ACCESS
Council of European’s convention Article 2
Each Party shall adopt such legislative and other measures as may be necessary to
establish as criminal offences under its domestic law, when committed intentionally,
the access to the whole or any part of a computer system without right. A Party may
require that the offence be committed by infringing security measures, with the
intent of obtaining computer data or other dishonest intent, or in relation to a
computer system that is connected to another computer system.

5. ARTICLE 3 OF EUROPEAN DIRECTIVE
PROVIDES THAT
Article 3 – Illegal interception
Each Party shall adopt such legislative and other measures as may be necessary to
establish as criminal offences under its domestic law, when committed intentionally,
the interception without right, made by technical means, of non-public transmissions
of computer data to, from or within a computer system, including electromagnetic
emissions from a computer system carrying such computer data. A Party may require
that the offence be committed with dishonest intent, or in relation to a computer
system that is connected to another computer system.

6. QUESTION revisited
If a person enters your office “the door is unlocked”. The person walks over to your
desk and takes a picture of a bank statement which is on your desk, the person then
departs.
Has an offence been committed?

7. APPLICATION IN MEMBER
COUNTRIES
The Council of Europe formulation confers considerable discretion upon signatory states.
It is dealing largely with provisions of criminal law, these tend to be guarded closely by
nations.
The issue that criminality should be dependent upon access having been obtained through
overcoming security devices has been debated extensively.
If a person obtains entry to a premises by overcoming a security system such as a lock then
an offence has been committed.
If there is no lock and the person does not damage or remove objects then no offence has
been committed.
The Law commission in the UK argued that the mere fact of obtaining unauthorized access
should suffice.

8. COMPUTER MISUSE ACT 1990
A person is guilty of an offence if -
(a) he causes a computer to perform a function with intent to secure access to any program
or data held in any computer or to enable any such access to be secured;
(b) the access he intends to secure, or enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that this is the
case.
The offence of unauthorized access requires proof of two elements;
there must be knowledge that the intended access was unauthorised;
there must have been an intention to secure access to a program or data held in a computer.

9. TO BE CONSIDERED
Three elements call for detailed consideration
1)The scope of access raises a number of issues and the scope of the definitions are
extremely broad.
2) Next comes the questions of if the access in authorised
3) it must be established by the prosecution that an accused knew that access was
sought without authority.

10. OBTAINING OR ENABLING ACCESS
TO COMPUTERS OR DATA
The Computer Misuse Act of 1990.
“Causing a computer to perform any function with intent to secure access to any
program or data held in the computer.”
Case: A person returns to a former place of work and they know the IT System. They
purchase an item for £711 and when the terminal is left unattended they gave
themselves a 70% reduction to £205.
Can the person be successfully prosecuted using the above section of the Computer
Misuse Act 1990?

11. Judgement
In court the defendant was acquitted as the law stated that cases of computer
misconduct required ‘one computer should be used to access a program or data held
on another computer’
The Attorney General had to make a decision on this case.

12. 2012 EU Directive
The European Union 2012 directive required that member states also criminalise
conduct which is intended to aid and abet those committing offences.
When committed intentionally and without right, the production, sale, procurement for
use, import, distribution, or otherwise making available of:
1. Access devices, including computer programs,
2. Computer passwords, codes, or other access data, for the purpose of committing a
cyber crime; access devices with a legitimate use are generally not contraband unless
the primary purpose is illegal (Convention, Article 6)

13. QUESTION
Where does this leave penetration testing tools?

14. DUAL USE
Many tools can be classified as dual use.
Software packages are marketed for network operators to check the effectiveness
of their own security but can also be used by hackers to gain unauthorised access.

15. WHEN IS ACCESS UNAUTHORISED
In many cases the simple act of making contact with a computer system will not be
sufficient to demonstrate knowledge that access is unauthorised.
Even a hacker making contact with computer systems at random may well suspect that
their intentions are not welcome, it may be very difficult to establish that they had
knowledge that access was unauthorised at the point of initial contact.
Typically websites and systems which intend to restrict access will display a message
on their home screen stating; “Unauthorised access to this system is ILLEGAL under the
provisions of the Computer Misuse Act 1990”
The installation of a security system, allocating authorised users with passwords would
reinforce this position.

16. UNAUTHORISED USE BY
AUTHORISED USERS
In the case where users have no access or rights to a system the case is fairly
straightforward.
Difficulties have arisen when employees are allowed access to systems but have used
this access for unauthorized purposes.
In the UK, Case R v Bignell: Two police officers obtained access to information held on
a computer in order to identify the owner of a number of motor vehicles. This was for
the police officers own personal use.
The police officers were convicted on trial under section 1 of the Computer Misuse
Act. On appeal they were cleared in court, the judges contended “ a person who
causes a computer to perform a function to secure access to information held at a
level to which the person was entitled to gain access does not commit an offence
under S1 even if he intends to secure access for an unauthorized purpose”

17. ACTIVITY
Review the case of R v Bow Streets Magistrates court ex p Allison.
Located in the International Cyber crime section under Part 2.

18. UNAUTHORISED USE BY
AUTHORISED USERS
No offence has been caused under the Computer Misuse Act however it was
suggested that charges might be brought under the Data Protection Act of 1984.
More on this later.
The consequences of the Divisional Courts decision in Bignell and Allison cases for the
operation of the Computer Misuse Act 1990 were potentially significant. Most
instances of computer fraud are committed by insiders. The decisions were seen as
conferring a degree of immunity upon such actors.
An appeal was made in the case of Allison and resulted in a robust rejection by the
House of Lords on the notion that the misuse of access right could not incur criminal
sanctions.

19. LORDS DECISION
Section 1 of the Computer Misuse Act 1990 refers to the intent to secure unathorised
access to any programme or data. These plain rules leave no room for the suggestion
that the relevant person may say “Yes, I know I was not authorised to access data but
I was authorised to access other data of the same kind”.
The decision in Allison 1999 by the Lords closed a significant loophole that has arisen
with the Computer Misuse Act 1990.

20. INTERCEPTION OF
COMMUNICATION

21. DATA AND SYSTEM INTERFERENCE
The council of Europe convention contains two articles which prohibit data and system
interference.
Data interference (article 4) criminalises the intentional “damage, deletion,
deterioration, alteration or suppression of computer data without right”
System interference (article 5) criminalises the serious hindering without right of the
functioning of a computer system by inputting, transmitting, damaging, deleting,
deteriorating, altering or suppressing computer data.
Both offences are similar but system interference would apply to incidents such as
DOS attacks by networks of infected computers called botnets.

22. BOTNET CRIME
The sheer amount on insecure devices out there – particularly IoT products –
means it's simple for cyber criminals to create botnets and lease them out.

23. DOS ATTACKS
Section 3 of the Computer Misuse Act was effective against disseminating viruses,
conduct involving DOS attacks is more problematic.
Section 3 states “Unauthorised Acts with intent to impair, or with recklessness as to
impairing the operation of a computer”

24. DENIAL OF SERVICE ATTACKS
DPP vs Lennon (2006); here the defendant downloaded Avalanche from the Internet
and used it to bombard his former employers with over 5million emails. Lennon is 16
years old.
The Avalanche tool allowed the accused to customize, create and select random mail
headers and in this case the emails purported to come from the company's HR
Manager.
Charges were brought under section 3 of the Computer Misuse Act. The defence
made the argument that;

25. DENIAL OF SERVICE ATTACKS
“the defence made a submission of "no case to answer" on the grounds that the
accused modification, by sending emails, was not capable to indicate that his activities
have been unauthorised. The basis of the defendant's argument was that since the very
function of the email server was to receive emails, then each individual email sent
to the server is authorised to modify it and there can be no threshold over which
a vast quantity of authorised transactions becomes unauthorised.[12]
Therefore,
D&G must have consented to receive emails and modify the server, so he could not be
guilty on the s.3(1) offence.

26. DENIAL OF SERVICE ATTACKS
The District Judge Grant, sitting as a youth court, accepted the defence's argument
and held that there was no case to answer, dismissing the charges against Lennon. He
also held that s.3 was to deal with the sending of malicious material like viruses,
worms and Trojan horses which modify data, but not the sending of emails.
The prosecutor appealed this decision and was successful in convincing the Divisional
court that DOS attacks were covered in Section 3.
Sentence: The respondent was convicted and sentence to a 2 month period of
electronic curfew.

27. DAMAGE TO DATA
What happens when a party alters or deletes data without the consent of the system
owner.
A user may bring a powerful magnet into close proximity of a storage device.
Here is one way!
https://www.youtube.com/watch?v=gzCXowhks80

28. DAMAGE TO DATA
Other actions may be driven by the intent to cause disruption to the computer owners
activities.
This might involve the manipulation of the data by using logic bombs. The perpetrator
controls the function of the computer.
Another more common trend involves the use of “ransomwear”. The users data is
encrypted and the only way they can access this data is by paying a ransom usually
in bitcoin.
As enacted by section 3 of the Computer Misuse Act is provides that it would be a
punishable offense of up to 10 years imprisonment in knowingly cause an
unauthorised act in respect to the contents of any computer.

29. COMPUTER MISUSE ACT CASES
Typically an employee or a student will be entitled to use the facilities of a computer system
but will not be entitled to delete any portions or add any features.
A Software developer AAS Management Systems installed bespoke software with covert
timelock for Protech Formulations Ltd. Timelock activated and denied access to software
after dispute arose over unpaid fees.
Installing and activating a covert software time-lock is an Unauthorised modification.
Defendant convicted. Conditional discharge. Decision widely reported as "time-locks are
illegal".
The accused claimed that he was owed £2000 in fees. The computer was rendered unusable
for several days with loses estimated at £36,000. The accused was convicted and fined
£1650.

30. DETAILS OF CASES
http://www.computerevidence.co.uk/Cases/CMA%20Stats.htm
Details of all cases prosecuted under the act.
http://www.computerevidence.co.uk/Cases/CMA.htm
For Irish cases
https://www.claruspress.ie/shop/information-and-communications-technology-law-in-i
reland/

31. MISUSE OF DEVICES
A market exists for the trading of usernames and passwords.
Article 6 of the cybercrime convention seeks to deter such activity by providing that;

32. POLICE AND JUSTICE ACT 2006
SECTION 3A

33. MISUSE OF DEVICES
The offence attracts a maximum penalty of 12 months or two years following
conviction on indictment.
The manner of its implementation was subject to extensive criticism in Parliament. The
problem lies in the fact that those developing and supplying tools for legitimate
checking in computer security know that these tools can also be used with ill intentions.
The UK approach is stricter than required by the convention which refers to articles
“primarily” used for criminal purposes.
It is suggested however that liability will arise only in the event that a developer or
distributer supplies articles knowing that the acquirer will use them for criminal
purposes.

34. TWITTER COMMENT

35. MALICIOUS COMMUNICATION
Publicity has been given to cases of the use of social media sites to disseminate
communications which might be regarded as threatening to other people.
The case of Chambers vs DPP is a very notable case.
The tweet was spotted by airport officials and a week later police arrested him.
Chambers was fined £1,000 and later lost his job over the incident.
Review the full case in link at the notes section below.

36. REVENGE PORNOGRAPHY
Much attention is paid to these topics and there has been recent legislation concerning
these activities.
Generally perpetrated by an unhappy ex partner this tends to involve posting
intimate images in a public forum, normally an internet website. An alternate form
involves the sending of these images to family members.

37. SECTION 33 OF CRIMINAL JUSTICE AND
COURTS ACT 2015

38. CRIMINAL JUSTICE AND COURTS
ACT 2015
The act also covers pseudo photographs, where the head of a person is placed on the
naked body of another person. This is unlawful under the act.
In 2016 more than 200 prosecutions had been brought under this statue in England
and Wales.
Details of some of these cases are listed at the link below in the notes section.

39. IRISH LEGISLATION
Where do we stand in December 2020 with regards to a revenge pornography
laws? Link Below
Where do we stand in December 2020 with regards to trolling laws, laws with
respect to comments on Twitter/Facebook/etc?
Harassment, Harmful Communications and Related Offences Bill will cover both of these areas when it comes into
force in 202?

40. TROLLING
The essence here is that false comments are posted, typically on social media
websites with the intention to cause distress to another person.
The Malicious Communication Act of 1998 is the principal statute used here.

41. TROLLING
The Communications act 2003 is also relevant here, it states that it is an offence to
send “by means of public electronic communication network a message or other
material that is grossly offensive or of an incident, obscene or menacing character’
In 2015 over 1200 people were prosecuted for offences under this provision, this is
by a factor of 10 greater than the number prosecuted in 2004. Between the two
statutes it is estimated that 5 people a day are convicted in the UK of offences.

42. CONCLUSION
Twenty years of computer crime legislation has seen its ups and downs.
The Law Commission has stated that “there is recurrent (and understandable) difficulty
in explaining to judges, magistrates and juries how the facts fit in with the present law
of criminal damage’.