Only bad guys benefit from bad law

Summary: A brief check on a charity web site has left a career in ruins. This can only hinder, not help, the fight against cybercrime.

The conviction of Daniel Cuthbert for attempted illegal computer access has done nobody any good.

His career as a professional IT security analyst is almost certainly at an end, despite the fact that he attempted nothing malicious and caused no harm. Other security professionals are now constrained from investigating suspicious sites unless they have explicit permission from the site owners, which inevitably means that fewer frauds will be detected.

The police have lost the trust and possibly the cooperation of the penetration testing community, which feels that a respectable and well-liked member has been unfairly and harshly treated. And the law itself falls under the suspicion of being poorly created and dangerously over-endowed, with little defence available once the suspect has been charged.

As is so often the case, the blame for this unfortunate affair can be widely spread. Cuthbert's fatal mistake was to try and cover up what he did with a complex and unconvincing explanation that annoyed the investigators and wasted their time. "It's a fair cop, I've been a total arse" may not feature largely in law books as a successful defence, but it's saved many scalps.

Those investigators in turn decided to push ahead with the prosecution despite the transparent lack of malice and harm done. Open goals are hard to resist, especially when the other side has been treating you like an idiot, but it's hard to identify where the public interest was served.

Finally, the judge decided to ignore options that would leave Cuthbert chastised but employable, and that would have avoided setting case law that discourages valid and important investigation of online fraud. It may have been a legally impeccable conclusion, but that doesn't make it wise.

Although it is much more difficult to prosecute if malice needs to be proven, absence of malice together with absence of damage and lack of scope should be a strong defence. A brief and expert check of a site that establishes its bona fides should not be a career-threatening move, nor should it tie up police resources better used elsewhere.

The Computer Misuse Act (1990) should be amended to reflect the human and technical realities of online access (2005); otherwise it will protect those it should be protecting us against.

You can have your say about Cuthbert's conviction by voting in this poll.


  • I guess I was always worried how the press would report this, but you have restored my faith in the press!

  • I'm sorry but I 100% disagree with this article. This gentleman is a professional information security consultant and thusly he has a skillset and knowledge level that would disallow him to feign ignorance for the crime committed. Why would the pen testing community be in an uproar? Professional testers know better than to go out and attempt to crack websites out of curiosity? They use their skills to break into systems only after signing lengthy contractual stipulations that allow them to do without repercussion... The simple fact is that the person tried to gain unauthorized access into a system through the directory traversal exploit (how old is that btw...) If I felt that ZDNet were selling my personal information without my permission does that mean I have the right to attempt to break into their network to see? The answer is no. The community has been screaming for stricter laws/punishments and now we are seeing them. (Also let's not forget that this professional initially lied to police regarding his activities!) All-in-all I feel sorry for him, but he got caught and punished for what was a really stupid, but still illegal thing to do.
  • Presumably this opinion will also hamstring police operations, which could now need additional oversight before attempting a directory traversal on suspicious sites.
  • From the article: "Cuthbert's fatal mistake was to try and cover up what he did".

    That should be "try _to_ cover up...".