Friday, January 04, 2008

Interpreting the Law

Many of you will not realise quite how fluffy and vague the whole legal process is, even if we stick to the criminal law. Interpretation occurs at many stages of the construction, prosecution and disposal of any case, hence there is widespread ability to deviate from the strict intent of the framers of the statute (if we even have any idea what that was.)

Let's take a look at the process (I am assuming here, just for the purposes of this traipse through the system, a lack of both error and of deliberate malice):

  • Once something has happened, it may or may not appear high enough up the priority list the police are given by the Government to be investigated. (Actually, it may not even be recorded, or be recorded as something else with a higher or lower, depending on how the ubiquitous 'they' wish to massage the stats.)
  • The investigation, assuming it happens, will try to collect evidence - there may simply not be enough left behind. Witnesses may be mistaken (they very often are), may not come forward (through ignorance, fear or loyalty to a presumed suspect) or may appear unreliable.
  • If there is some evidence (I am not a cop but, by repute, there is some leeway here for less serious alleged crimes) a report may be written, summarising the evidence, for presentation to the prosecuting authorities. They also have their government-imposed priorities (like the current concentration on the low rate of rape convictions) and may decide not to proceed as "not in the public interest" or they may decide that there is insufficient for any charge or that a lesser charge is more appropriate (which causes all the aggro in (death by) dangerous driving / careless driving type cases). Appropriate here hopefully meaning more likely to gain a conviction of a presumed guilty party (as opposed to providing 'suitable' vengeance for a victim or their family) but quite possibly meaning "a more politically attractive (or, far worse, better for my career*) charge".
  • Normally, there will be a long wait. Evidence may be lost, or damaged (including contaminated.) Memories often fade, stories become blurred. People sometimes become less certain, sometimes irrationally sure in their convictions (Ed notes: apols for the pun.)
  • Court. Lawyers get to play clever games. The judge may decree no case to answer or direct the jury to convict.
  • Jury. 12 or 15 or however many you are entitled to. They certainly interpret.
  • Sentencing. Judges, certainly in the UK, have less flexibility than they used to but there is everything from unconditional discharge to life without parole (and the death sentence if your mileage varies.)
  • Appeal. And round the process again.

Why all this? Well, the CPS have finally released their guidance on the Computer Misuse Act, 1990, as amended by the Police and Justice Act, 2006. Richard has some things (mostly derogatory) to say about it. Now, apart from the fact that it does not apply in the civilised world (we have the Prosecutor Fiscal up here), hence the references to things southern such as the Fraud Act 2006, there is quite a lot to comment on here.
  • The bit about DPP v Bignell is really quite interesting. If I am allowed to do something on a computer, provided you present me with the right justification / bit of paper / whatever, and you con me into doing it - forgery, "I'll get it signed as soon as the boss is back", or straightforward lying - then neither you nor I have committed a CMA offence. This seems reasonable.
  • Using Section 55 of the Data Protection Act 1998 (Unlawful obtaining etc. of personal data) rather than CMA Section 1 (Unauthorised Access) seems a good thing, especially if the current raft of highly public data breaches results in a strengthening of the penalties above the current fine (Section 60, para 2, if you are interested.) Of course, this is restricted to an albeit important subset of illegal access.
  • There is very little about CMA Section 2 offences - this is not surprising as placing of charges under Section 2 seems very rare to me (never mind convictions.)
  • There is a little about the new (or, at least, specific) criminalisation of DDoS, with some interesting vague stuff about intent.
  • Of course, the most interesting is the guidance on the new Section 3A offences, "Making, supplying or obtaining articles for use in offence (sic?) under section 1 or 3".
There is some really good stuff here, never mind Richard's points re grammar and language:
  • There is explicit recognition of the legitimate computer security industry, thankfully, and a requirement for prosecutors to "ascertain ... criminal intent".
  • There is more useful discussion of "likely", as in "he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence", than there was with the Home Office's incredible (no, actually, credible but outstandingly incompetent) 50% usage figure.
  • Although there is a clear bias towards commercial as in pay-for use as determining legitimacy, there is also mention of "widely used for legitimate purposes."
Overall, I think this is good guidance which, unfortunately, is not capable of completely fixing bad law. The last bullet is the one I would hang my hat on, hypothetically, if I was being prosecuted under Section 3A(2) - which is the difficult bit.

Expect briefings on the Computer Misuse Act, at least on paper, for pen-testing courses in England and Wales - but, then, those have always been a good idea, especially around the "Who do I need to get permission from" aspects of the law.

Update: Just realised that the first paragraph didn't make sense. Reworded, sorry.

* Thankfully, as British prosecutors are appointed not elected, we don't have the dance to please the baying mob that seems such a feature of American trials.

(c) 'Surreptitious Evil' 2006 - 2017.