The Computer Misuse Act 1990 was controversially and ineptly amended by the police and Justice Act 2006 to try to curb Denial of Service attacks and a new "Making, supplying or obtaining articles" offence. The territorial scope of this Act was broadened to include the whole world, regardless of whether you are a British citizen or not and the penalties were increased so that they were serious enough for Extradition to the UK to apply.
Spy Blog used to think that the House of Lords did a better job of scrutinising the detail of Bills, especially in regard to technical details, than the House of Commons, but now there are doubts, judging by the Serious Crime Bill.
Perhaps it is because this typical Home Office "Christmas tree" Bill covering lots of topics was, for no good reason, introduced in the Lords rather than the Commons, that the standard of detailed scrutiny regarding the Computer Misuse Act amendments seems to be as poor as if it the Commons had had first crack at cocking things up.
The Computer Misuse Act is a vital in safeguarding "the economic wellbeing of the UK", but like the Regulation of Investigatory Powers Act is showing its age due to fast moving technological change. We deserve a full new Act, with proper public consultation and detailed pre-legislative scrutiny, not just a few stupid amendments sneaked in as part of a wider Bill, without any public consultation at all..
The Serious Crime Bill is making major changes to the Computer Misuse Act to combat "cyber attacks", without any public consultation or any actual evidence of need.
It also risks legally crippling the activities of GCHQ and SIS / MI6 and their computer software and hardware suppliers with the stupid criminalisation (with a penalty of up to imprisonment for life and or an unlimited fine) of "serious damage to the national security ofany country" - even enemy countries !
"Cyber attacks" are not just directed at the UK, they could originate from the UK against the "economy" or "national security" of other enemy countries
The Home Office pretends in its Serious Crime Bill computer misuse policy documents especially the CMA Aggravated Offence Impact Assessment document that:
"Although to date no cyber attacks have had an impact of this nature, a longer maximum sentence should be available should such an attack occur in future"
"There is no evidence that cyber criminals will necessarily be deterred by a longer sentence, but there may be deterrence benefits and/or benefits in public confidence."
No ! There will be a further reduction in public confidence in the Home Office and the Government in general as a result of s
"A full public consultation will not be taken due to the tight time frame if the 4th session"
Only Ministry of Justice, Crown Prosecution Service, Scotland Office, Northern Ireland Office, GCHQ, Police and National crime Agency
were consulted as "stakeholders".
Note that no NGOs, Regulators, RIPA Commissioners, Information Commissioner industry, or the general public were consulted at all.
Note that there is no published Privacy Impact Assessment, something which they probably also never bothered with.
The Serious Ccrime Bill was introduced in June and after the Summer Recess, the House of Lords is set complete the Report stage next week. However they "considered" the Computer Misuse Act amending clauses on 14th October 2014
and passed 3 Amendments, none of which addressed the important bits.
Clause 40: Unauthorised acts causing, or creating risk of, serious damage
Moved by Baroness Williams of Trafford
17: Clause 40, page 30, line 40, leave out "country" and insert "place"
we have given further consideration to the position of installations such oil rigs, ships and so on that are located outside the territorial waters of any country. Although I acknowledge that this scenario is extremely unlikely, it is not clear that the offence as currently drafted would capture an attack that caused serious damage to the human welfare of those living and working on such an installation, or to the surrounding environment.
To provide greater clarity on this point, therefore, Amendment 17 replaces the reference to damage to human welfare in any country with a reference to damage to human welfare in any place. Amendment 18 similarly replaces the reference to damage to the environment in any country with a reference to damage to the environment of any place.
Once these changes are made, there is no longer any need to extend the meaning of "country" to include its territorial seas. References to damage to the economy or national security of any country will remain, as either the economy or national security of a country has been damaged or it has not. In these cases, it is not necessary to include territorial seas within the definition of a country, so Amendment 19 removes this reference.
Amendment 17 agreed.
Amendments 18 and 19
Moved by Baroness Williams of Trafford
18: Clause 40, page 31, line 1, leave out "in any country" and insert "of any place"
19: Clause 40, page 31, leave out line 23
Amendments 18 and 19 agreed.
So the Lords have broadened the territorial scope of the probably unenforceable new "b) damage to the environment of any place" offence to cover offshore oil rigs and pipelines outside of any country's national territorial waters.
At this point their Lordships collective minds seem to have wandered as they should also have looked at the very next two lines of the Bill
(c) damage to the economy of any country; or (d) damage to the national security of any country.
Why did they not think to apply exactly the same argument for changing "any country" to "any place" in respect of international telecommunications cables, physical or "cyber" damage to which would clearly " damage to the economy of any country" and which are even more than oil pipelines likely to be further out to sea than being merely adjacent to to national coastlines or territorial waters ?
As it stands, this criterion is far to broad and is likely to be unenforceable internationally or only selectively enforced, bringing the whole law into disrepute.
Even worse is the next line
(d) damage to the national security of any country.
Imprisonment for life and / or an unlimited fine for serious damage to the national security of any country ? Even Russia, China, Iran, Syria, Cuba etc. ?
Did nobody (including GCHQ) notice that this makes much of what GCHQ and SIS/MI6 do, or could do, illegal if it involves computers at all (which is very likely) ?
It will certainly make the
Intelligence Agencies' staff are not Constables (i.e. Police Officers) or Enforcement Officers (i.e. Court appointed Bailiffs, or even Civilian Enforcement Officers i.e. Traffic Wardens) so none of the Computer Misuse Act section 10 Saving for certain law enforcement powers applies, regardless of the Serious Crime Bill amendment to this section to include any Act in England, Wales, Scotland and Northern Ireland.
If the worldwide scope of these stupid Computer Misuse Act amendments is not removed before the Bill is enacted then Spy Blog predicts:
- Whitehall control freaks will try to use the "national security" offences of the amended Computer Misuse Act against journalists and whistleblowers, instead of the Official Secrets Act. Even if nobody is ever actually prosecuted, it will have a chilling effect on UK investigative journalism and reporting of e.g. Manning, Assange or Snowden sourced stories all of which involve potential direct Computer Misuse Act offences or the "Making, supplying or obtaining articles for use" offence, or conspiracy to commit any of these.
- Foreign Countries will issue Mutual Legal Assistance Treaty requests or, in Europe, simply issue a European Arrest Warrant for the extradition of GCHQ or SIS/MI6 staff who may be implicated in breaches of the "national security of any country.
- Activists and non-governmental pressure groups will make formal complaints to the British Police, regarding the activities of UK companies who supply GCHQ and SIS/MI6 or the Ministry of Defence etc. with software of hardware which could be used to help "damage the national security of any country". N.B. there does not have to be any actual use of such articles, only a belief that they are" likely to be used to commit, or to assist in the commission of, an offence" which will now also apply to the new "economy" or "national security" "of any country" offences.
N.B. unlike the Official Secrets Act etc. the Computer Misuse act has no involvement of the Attorney General who might stop "national security" prosecutions from grinding their way through the Police & Crown Prosecution Service & Extradition proceedings.