Tsunami 'hacker' conviction worries experts

The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee's fundraising Web site has left security experts leafing through the magistrate's decision to try and understand the full implication of the verdict.

On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Act on the afternoon of New Year's Eve, 2004. He admitted attempted to access the Web site, which was collecting donations for victims of last year's tsunami.

During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access.

The defence also pointed out that Cuthbert had not attempted to defraud the site. Security expert Peter Sommer is concerned by the conviction.

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted,” said Sommer, senior research fellow at the London School of Economics’ Information Systems Integrity Group.

Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site.

As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

In making his decision, district judge Mr Q. Purdy said that the court would have to take into account Cuthbert’s previous conduct when deciding whether he was guilty.

"This is not an infallible guide," Judge Purdy said. "If it was, there would be no first time offenders." But he indicated that as Cuthbert had no previous convictions and an "unblemished" record he would be inclined to find him not guilty.

This is thought to be the first time that a judge had indicated that — despite the letter of the act — knowingly accessing a system when unauthorised to do so is not necessarily a crime.

Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said.

Sommer backed up this point.

"The major problem was that he gave them an overly complex explanation which turned out not to be true, and involved them in a lot more work. That's probably why the judge didn't give him a conditional discharge, which was open to him," Sommer told ZDNet UK.

Sommer is now digesting the implications of the judge’s ruling.

"There are a number of long term issues," said Sommer. "We've now got a very strict interpretation on how Section 1 works and how it might be interpreted in terms of an attempt. Some of the tests you might instinctively want to run to see if a site is valid may fall foul of a strict interpretation."

Sommer added that there are also public policy implications. "Once someone's charged, there's almost no defence. Is it in the public interests to prosecute people who haven't done anything very serious if you know they'll lose their profession as a result?"

"I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help," Sommer said.