办事指南

Hacker's acquittal casts doubt on law

点击量:   时间:2019-03-01 02:03:01

By CHARLES ARTHUR European action against computer hackers and virus writers is being held back by weaknesses in national laws and the lack of specialised police departments to cope with computer crime. And efforts in the US to prosecute hackers could be hindered by a loophole in the law there which overlooks the increasing miniaturisation of computers. Britain’s police were shocked by last week’s acquittal of self-confessed hacker Paul Bedworth, who was found not guilty in the first major trial of its kind under the Computer Misuse Act of 1990. Bedworth faced two charges of conspiracy under the act and one of conspiring to dishonestly obtain telecommunications services. John Austen, head of Scotland Yard’s Computer Crime Unit (CCU), was amazed by the verdict. ‘I just don’t know where we’re going,’ he says. A central plank of Bedworth’s defence was the evidence of James Griffith-Edwards, an expert in addictive behaviour, who said that Bedworth had a ‘nonchemical dependence’ on using a computer. Although he knew what he was doing was wrong, he could not prevent himself – much like an obsessive hand-washer – argued Griffith-Edwards. The acquittal sets a legal precedent: previously obsession was not thought an adequate defence if the defendant could be shown to know what the results of an act would be – and so be able to form what is known in law as ‘the guilty mind’. Griffith-Edwards said in his evidence that Bedworth clearly knew he was breaking the law by hacking after August 1990, when the Computer Misuse Act came into force, but his obsession denied him the freedom of choice to stop. Bedworth’s activities began in 1987 when his mother gave him a £200 BBC Micro for his 14th birthday, and stopped on 26 June 1991 when he was arrested at his home in Ilkley, West Yorkshire. Although his mother tried to stop him, Bedworth broke into cupboards to retrieve his modem, illicitly used his mother’s phone, and became physically aggressive when she tried to stop him using his computer. Bedworth hacked into computers across Europe, including the Financial Times in London, a cancer research institute in Brussels and European Community offices in Luxembourg. The trial judge observed that the full list of computers that had been attacked would be ‘as long as a telephone directory’. Austen chairs a committee within Interpol which is trying to set up links between computer crime units in European countries. National forces currently have a haphazard approach to computer crime. ‘We may only have eight people in the CCU, but that’s eight more than they have in France or Belgium or Spain, and six more than they have in Germany or Australia,’ he says. At present Austen is helping Italy to set up a unit similar to the CCU to assist in a trial of some alleged hackers there who broke into systems based in Italy and Finland. ‘They were arrested under Italian law, which doesn’t have anything like the Computer Misuse Act, so they’re still trying to decide what they can prosecute them for,’ says Austen. In Britain, hacking and viruses are a growing commercial burden. A survey published in 1992 showed that computer systems in more than a third of British enterprises, in both the public and private sectors, had been infected with a virus or accessed by unauthorised users. Large organisations tended to suffer more than small ones. The total estimated cost from such security breaches in 1992 was £530 million. This makes each incident twice as costly as accidents from fire or flood, which happened twice as often and cost an estimated £580 million. The fastest-growing threat to European computer systems comes from the countries of Eastern Europe. While they were under Communist rule, the US restricted exports of computers and computer programs. This forced people who had access to computers to become expert in developing and designing their own hardware and software. When export controls were relaxed the quality of commercial software coming in from the West left these experts with little to do, says Austen. ‘I think they got bored.’ As a result he thinks they turned their hands to hacking and writing disruptive viruses. Despite the setback in the Bedworth case, the police are confident that British law will prove to be effective in future cases. It avoids certain pitfalls of laws in some other countries. The US, for example, in its 1986 Computer Fraud and Abuse Act, defines computers in a way that excludes hand-held devices – because they seemed improbable at the time. ‘Now they’re really stuck – palmtop computers are all over the place,’ notes one former member of the CCU. The US did not set up its centralised unit to combat computer crime until January 1992. ‘Before that it was always a fight between the Secret Service and the FBI as to which of them was going to get a case, because it meant kudos for whoever won it,’ comments a CCU source. A team from the Washington headquarters of the unit is to visit the CCU to observe its operation. Bedworth’s arrest came after an intensive police operation. Karl Strickland, 22, of Liverpool and Neil Woods, 26, of Oldham in Lancashire were arrested at the same time. Both pleaded guilty to conspiracy charges and have yet to be sentenced. Staff at the CCU were surprised by Bedworth’s acquittal. They say it is ‘a one-off’, although they do fear that it could lead to an increase in attempts to hack into systems. ‘I would say to anyone who thinks they are the victim of computer crime to contact the police,’ says Andrew Laptew of the West Yorkshire police. ‘Most forces now have officers trained to deal with computer crime.’ The police say they noted ‘a definite falling-off of hacking activity’, after the trio were arrested. They monitored the activity of suspected hackers on public bulletin boards – files held on computers to which large numbers of users can gain access through the phone system. Enthusiasts use bulletin boards to exchange messages and computer programs. Bedworth, Strickland and Woods communicated with each other on bulletin boards using nicknames such as Gandalf, Wandii and Lizard, to discuss methods of hacking and likely targets. Details from the bulletin boards formed part of the prosecution evidence, which was not disputed. This led to an unusual feature of the trial: it was the first conspiracy charge in which none of the participants had met or spoken to each other, did not know each other’s real names or addresses, and had never seen each other’s handwriting. ‘We introduced them to each other when they were first charged,’ says Austen. ‘They were intrigued when they found out what the others looked like.’ After the trial, Bedworth said that he would advise anyone who finds themself becoming obsessed with hacking ‘to concentrate on programming and not get into hacking’. Programming, he said, was ‘useful and equally absorbing’. He is now working on artificial intelligence in a computer science course at the University of Edinburgh,