Criminal IT: Wanted - better laws for cyber crimes

Sometimes the law really is an ass...

Sometimes the law really is an ass...

If we are going to make any progress in fighting cyber crime, we are going to need better, clearer laws, says Neil Barrett. The ones we rely on now are unfit but could there be some more obscure ones that fit the bill?

"If the law presumes that, Sir, then the law is an ass!" Or so Charles Dickens had Mr Bumble say in Oliver Twist. But in fairness, sometimes the law really is an ass.

We have, I'm sure, all heard of the numerous weird and apparently still valid laws of the land: that sticking a postage stamp upside down counts as treason; that on Sundays English males over the age of 14 must practise for two hours with the longbow; that it is not illegal to shoot a Welshman in Chester provided that it is within the city walls and after midnight, or a Scotsman in York provided that it isn't on a Sunday.

Some of these laws are plainly silly; others simple haven't been repealed; and others... well, who can tell where and how they arose?

In Switzerland, for example, it is illegal for a man to relieve himself standing up after 22:00 local time - reasonable, I would assume, in a block of flats where the noise might disturb. In New York, the penalty for jumping off a building is death - a bit harsh, though I would suspect that with skyscrapers there's seldom a need for the courts to impose the sentence. In Scotland, it is illegal to be drunk in charge of a cow; in Iowa, one-armed pianists must perform for free; in Florida, having sexual relations with a porcupine is an offence; in Tampa Bay, it is illegal to eat cottage cheese after 18:00 local time; and in New Orleans, a woman can only drive a car if her husband waves a warning flag in front of it.

Laws are strange things and, setting aside these specific oddities, most of them are the embodiment of Solomon-like decisions that have had to be taken over the centuries.

In modern times, criminal laws arise exclusively from the decisions of parliament to address a particular mischief that might not have been adequately covered by the existing body of law. A member produces a bill for debate, either with the support of the government because the law is positively desired, or on a private basis in an attempt to force the government's hand. Following debate, the bill might be passed and discussed in the Lords, before being formally presented for 'Royal Assent' and passing onto the statute books.

The laws as written then stand, and the courts must find ways to establish decisions and judgements within the meaning of the words used in the statute itself - so that, even more than in the case of a computer program or a formal contract, the exact words chosen for the legal text are vitally important.

This is particularly important for those aspects of the laws which are relevant to the use and abuse of computers - a technology that was certainly not anticipated by the decisions of any court before the last 30 years, making it very much the 'new kid on the block'.

The Data Protection Act talks of 'processing', 'data' and 'information'; it talks of 'structured', 'transmitted' and of 'displayed' - and it makes only the vaguest of definitions of what is meant by any of those terms. Similarly, the Computer Misuse Act talks of 'computers', 'access' and 'modification' - again, without defining the meaning of those terms.

This allows the courts to interpret the words in any way that they see fit. In this way, a law framed when computers were predominantly accessed by multiple users from dumb terminals using a simple password can be made to apply to the radically different environment of the world wide web or of handheld smart devices.

Having said that, however, there are some of the older laws which can, with a little interpretation, be applied to the modern problems of computers - even though the laws arose from decisions taken not decades but centuries before electronic computers became a dream let alone a ubiquitous reality, and make no mention of data or processing or computing. Take one of the most important, landmark decisions of common law, that of Rylands v Fletcher, 1868.

Rylands owned a mine which stretched beneath the land belonging to Fletcher, who built an inadequate reservoir on it. The reservoir split, flooding the mine and causing Rylands to sue Fletcher for the loss of income and the cost of making good the resulting damage. The decision in the case was in Rylands' favour, with a ruling that "anyone who brings or collects and keeps on his [sic] land anything likely to do mischief if it escapes must keep it at his peril and if he does not do so is prima-facie strictly liable for all that damage which is the natural consequence of its escape".

Rylands v Fletcher establishes the principle for responsibility in cases of negligence - and arguably, though it makes no reference to computers, can be applied in the world of networks. This computer is on my land and can be thought of as having 'escaped' if I were to lose control of it - that is, if it were controlled remotely by a hacker using a Trojan or similar. And if it does indeed 'escape', it can do 'mischief' in the sense of being a part of a zombie army used in a distributed denial of service attack or similar.

The ruling in Rylands v Fletcher says that I keep this computer 'at my peril'; it is my responsibility to take measures to ensure that it does not 'escape' - that is, it is my responsibility to secure my own computer against use by hackers, or suffer liability for any damage resulting in its escape.

Could such a ruling be applied in practice? I know of no situation in which Rylands v Fletcher has been applied in cases of supposed computer negligence but it would be nice to believe that those people operating unsecured computers used by hackers to attack third parties have at least some responsibility for the damage arising from their negligence.

And it would be nice to have at least some legal tool with which to encourage improved security. The law might well be an ass - but just like an ass, it often stubbornly gets the job done.