Only bad guys benefit from bad law

The conviction of Daniel Cuthbert for attempted illegal computer access has done nobody any good.

His career as a professional IT security analyst is almost certainly at an end, despite the fact that he attempted nothing malicious and caused no harm. Other security professionals are now constrained from investigating suspicious sites unless they have explicit permission from the site owners, which inevitably means that fewer frauds will be detected.

The police have lost the trust and possibly the cooperation of the penetration testing community, which feels that a respectable and well-liked member has been unfairly and harshly treated. And the law itself falls under the suspicion of being poorly created and dangerously over-endowed, with little defence available once the suspect has been charged.

As is so often the case, the blame for this unfortunate affair can be widely spread. Cuthbert's fatal mistake was to try and cover up what he did with a complex and unconvincing explanation that annoyed the investigators and wasted their time. "It's a fair cop, I've been a total arse" may not feature largely in law books as a successful defence, but it's saved many scalps.

Those investigators in turn decided to push ahead with the prosecution despite the transparent lack of malice and harm done. Open goals are hard to resist, especially when the other side has been treating you like an idiot, but it's hard to identify where the public interest was served.

Finally, the judge decided to ignore options that would leave Cuthbert chastised but employable, and that would have avoided setting case law that discourages valid and important investigation of online fraud. It may have been a legally impeccable conclusion, but that doesn't make it wise.

Although it is much more difficult to prosecute if malice needs to be proven, absence of malice together with absence of damage and lack of scope should be a strong defence. A brief and expert check of a site that establishes its bona fides should not be a career-threatening move, nor should it tie up police resources better used elsewhere.

The Computer Misuse Act (1990) should be amended to reflect the human and technical realities of online access (2005), otherwise it will protect those who it should be protecting us against.