Specialist IT lawyer and Head of Technology at national law firm, Clarke Willmott LLP, Susan Hall, warns that the idea of ‘hacking’ can cover a number of offences and online pranksters should be aware that what they’re doing probably won’t be considered harmless fun.
Online pranks can carry serious consequences. When a journalist asked Kemi Badenoch M.P., “What’s the naughtiest thing you’ve ever done?” they probably were not expecting her to confess to a crime. However, when she admitted that “about ten years ago” she hacked into a Labour MP’s website and “changed all the stuff in there to say nice things about the Tories” that was exactly what she did.
Unauthorised access to computer systems can cover hacking, as in this case, or accessing a system to which you have legitimate access for an unauthorised purpose. It’s important to have strong passwords, keep them secure and change them regularly, but someone who opportunistically takes advantage of a security slip-up is still breaching the law, and could go to jail for it. All office computer policies need to make this clear, especially where people are handling valuable data which is a magnet for hackers.
Hacking was criminalised in 1990 by the Computer Misuse Act (the Act). This creates three distinct offences:
- unauthorised access to a computer
- unauthorised access to a computer with intent to commit further offences
- unauthorised access with the intent to impair the operation of a computer or to erase, block or corrupt data or programs.
The conduct Badenoch admitted to appears at first sight to come within the first and the third offences: unauthorised access to a website and changing its contents. Both offences can now be tried in either the Crown Court or the Magistrates’ Court, and the current maximum penalties are two and ten years’ imprisonment respectively.
Hackers convicted under the Act have frequently been sent to prison or given suspended sentences, even when there has been no financial motive behind the hacking. A police constable who accessed police intelligence systems to snoop on his ex-girlfriends received a nine-month suspended sentence, and a hacker who shut Sports Direct’s website down for half an hour received a ten-month suspended sentence. Other penalties have included community service orders, curfews and prohibitions on using internet-enabled devices.
The arguments put forward by Badenoch to excuse her actions – that it was “a prank”, that it stemmed from “youthful exuberance” and that it involved “guessing a password” rather than “real hacking” – have not found favour in earlier cases under the Act.
The Act only requires that access to the computer in question must be unauthorised, and that the person gaining access must know it to be unauthorised. Guessing a password falls precisely within this wording. Furthermore, many of the “phone hacking” cases, brought under a different Act, also involved the perpetrators exploiting lax password security on voicemails.
“Youthful exuberance” also looks a little hollow when applied to the 28-year-old Badenoch. Cal Leeming, the youngest hacker convicted under the Act, was a mere twelve years old at the date of his first conviction, and was still a teenager, serving a fifteen-month sentence, at the time when Badenoch claims to have carried out her own hacking.
Furthermore, the Act owes its very existence to a prank which the authorities at the time took very seriously indeed. In 1984 the 27-year-old Stephen Gold and the 21-year-old Robert Schifreen hacked into BT’s Prestel online mailbox system, using logon details they had seen a BT engineer enter at a trade show: user ID 2222222222 and password 1234.
The users whose emails they accessed included Prince Philip. BT, understandably, were under some pressure to prosecute, and brought proceedings under a 1981 anti-forgery act. Although the prosecution succeeded before the magistrates, the House of Lords eventually held Gold and Schifreen not guilty, partly because of their lack of intention to profit financially, but also because the Lords held that one could not “deceive” a computer.
Seeing this as a gap in the law, Emma Nicholson, MP for Taw and Torridge, pushed for the adoption of an anti-hacking bill. This became the Act. Like Kemi Badenoch, Emma Nicholson had worked as a software engineer and systems analyst before entering Parliament as a Conservative MP.
Although Badenoch refused to say which Labour M.P. she had hacked, online sleuths linked her admission to an April 2008 hacking of Labour Deputy Leader Harriet Harman’s blog, in which posts purportedly by Harman announced her resignation from the Labour Party and urged her supporters to back Boris Johnson’s bid for London Mayor in the upcoming mayoral election. Harman has tweeted to say she has received an apology from Badenoch.
As in the earlier Prestel case, the hack was facilitated by lax security on Harman’s part: her logon ID had been “harriet” and her password “harman”.
It seems unlikely proceedings will be brought against Kemi Badenoch, but the incident could hardly have come at a worse time. Fake news and cyber security concerns are issues which go to the root of our democracy. With the GDPR coming into effect next month, everyone is sensitive to risks of security breaches, which give rise to an obligation to notify the Information Commissioner and to the risk of fines. Treating hacking flippantly undermines a lot of hard work done by civil servants and politicians of all parties in getting cyber issues onto the table and properly addressed.