Cybercrime and the UK

June 30, 2005

1 Introduction

The Council of Europe Convention on Cybercrime has been in force since 1 July 2004, the date on which it received the necessary five ratifications.[1] The United Kingdom has yet to submit its ratifying declaration that it has put in place the required harmonising legislation. Is the UK spinning its wheels in addressing a problem that the National High-Tech Crime Unit recently estimated costs this country £2.45 billion a year?[2] Or is revising the legal framework further to address cybercrime the needed focus?

This has been questioned. Additional and specialist resources, not more laws, were recently urged by some in the telecommunications industry[3] responding to the recent report by Her Majesty’s Inspectorate of Constabulary, part of the Home Office, that police investigating child pornography online have an increasing workload not matched by training and resources.[4] Indeed, within a month, Government announced the creation by April 2006 of a specialist national unit comprising staff from police, child welfare experts and industry, called the Centre for Child Protection on the Internet.[5] While Government will not devote more resources itself, spending £6 million as currently,[6] the Centre will have additional resources from industry, a single national point of contact, 24-hour service and the synergies of specialist experts[7] from each area focused only on this problem. It is hoped that these will enable it to better counter a problem that has been estimated to have grown by 2000% in the last 10 years[8] as well as do more than ‘touching the tip of a very ugly iceberg’.[9]

The private sector can play a very important role in partnering with government to fight cybercrime. Another such partnering is the Child Exploitation Tracking System software newly developed by Microsoft to help police track and link pieces of information from investigations in separate agencies around the world and make connections that individual forces could not.[10] As well, as recently urged by UN Special Rapporteur Juan Miguel Petit, international credit card companies could serve as a more effective choke point in their processing of online child pornography transactions and ISPs could better monitor sites.[11] Yet, cybercrime’s cross-border nature takes it out of any one country or private actor’s resources no matter how great. Also, the lack of an adequate legal framework can cripple cross-border efforts, a point made clear by Petit reporting the greatest hole in law enforcement’s web against child pornography as the lack of specific or adequate laws criminalising child pornography, a defect remediable by conformity with one of two primary international legal instruments, including the Council of Europe Cybercrime Convention.[12] This reinforcement of the importance of an adequate legal framework for cybercrime at both a national and international level suggests examining what this might be and how the UK measures up.

2 The International Framework and UK Compliance

The Council of Europe’s Convention on Cybercrime[13] is the first international treaty to address exclusively issues involving computers and crime. The Convention encompasses criminal substantive and procedural requirements as well as provisions for mutual international cooperation. This paper considers only substantive offences that signatories must criminalise and that can be divided into three categories: (1) ‘offences against the confidentiality, integrity and availability of computer data and systems’ and that of devices;[14] (2) ‘computer-related offences’ of forgery and fraud;[15] and (3) content-related offences.[16] Other content-related offences contained in an Optional Protocol concern racist and xenophobic speech and are not considered here.

The Convention has been signed by 38 COE members and 4 countries having observer status: Canada, Japan, South Africa and the United States.[17] Ten COE member signatories have since ratified it, leaving 32 signatories to do so, including the UK. Despite having provoked much criticism, it now appears likely to be a driving force of and model for significant harmonization. Its status as a primary international instrument ‘worthy of emulation’ has been acknowledged by such as the UN Rapporteur due to its clear definitions and detailed list of acts.[18] A ‘Model Law on Computer and Computer Related Crime’, based directly on the Cybercrime Convention, was adopted last year by the British Commonwealth law ministers, representing 53 Commonwealth nations.[19]

EU legislation intended to comply with the Cybercrime Convention has been adopted, reinforcing the requirements of the Convention for those countries who are members of both the EU and the Council of Europe, as is the UK. In February 2005, the European Union adopted a Framework Decision on ‘attacks against information systems’.[20] It is intended to conform to the Convention’s approach regarding offences against the confidentiality, integrity and availability of computer systems and data.[21] Framework Decision 2004/68/JHA of 22 December 2003 on combating the sexual exploitation of children and child pornography[22] also intends compliance.

The following will in turn examine the elements of the Convention’s substantive criminal provisions that ratifying states must implement, their stated EU equivalents and how the UK is perceived to comply.

2.1 Offences against confidentiality, integrity and availability of data and systems

The substantive offences to be implemented here include illegal access,[23] illegal interception,[24] data interference,[25] system interference[26] and misuse of devices.[27] All Convention offences must be committed intentionally for criminal liability to attach; the intentional requirement must be read into each of the following.[28]

2.1.1 Illegal Access

The Convention defines ‘illegal access’ to mean the access to the whole or any part of a computer system without right. The Explanatory Report indicates that this is to be set by States. It means not only classic legal defences such as ‘consent’ or ‘necessity’ but other principles where criminality would not be appropriate.[29] It is to be particularized in the context of the individual offence. In the context of illegal access, the Report notes that ‘it means that there is no criminalisation of the access authorised by the owner or other right holder of the system or part of it’ such as for testing or security.[30] States may limit what otherwise is a basic ‘hacking’ offence to those (1) where security measures are infringed, (2) with the intent of obtaining computer data or other dishonest intent, or (3) in relation to a computer system that is connected to another computer system.[31] Offences premised solely on the status of the computer being networked as the determinant for criminality may be problematic for those concerned about strict liability for what may not be intended to produce harm; that for the infringement of security measures seems to address concerns raised about computer misuse statutes with vague authorization standards.[32]

The EU’s Framework Decision requires criminal sanctions imposed on ‘illegal access to information systems’ that is ‘intentional access without right to the whole or part of an information system.’[33] ‘Without right’ means ‘access or interference not authorised by the owner or other right holder of the system or part of it, or not permitted under the national legislation’,[34] but for the last clause largely tracking the Convention meaning as above. The Decision, however, qualifies the offence requirement, requiring it ‘at least for cases which are not minor.’[35] It permits Member States the option of an offence committed only via infringing a security measure[36] which it does not define but which clearly narrows the Convention options and departs from earlier proposals. Penalties of two to five years’ imprisonment are optional where the security bypass has caused serious damage or affected essential interests.[37]

The EU’s addition of the ‘not minor’ language creates issues. First is whether this is in keeping with the Convention. While the Convention’s Explanatory Report makes clear that ‘petty or insignificant misconduct’ is to be excluded from all of the computer integrity offences,[38] subsequent language suggests that its higher optional specifications of criminality are the steps to ensure this flexibility.[39] The Framework Decision, while seeming to particularize these higher criteria, then simultaneously lowers the bar without providing any definition or criteria as to what minor cases it encompasses. The second issue concerns the effect on harmonisation.

The UK’s Parliamentary All Party Internet Group reviewed the UK’s Computer Misuse Act 1990[40] (CMA) for effectiveness and compliance with the Convention and the Framework Decision. It concluded that, with very minor exceptions such as the possibility of increased sentences for s.1 unauthorised access offences beyond a year to meet extradition requirements, the Act is essentially sufficient and need not be ‘gold plate’ or otherwise changed to meet either international obligation.[41] Government has apparently reached essentially the same conclusion.[42]

The CMA’s s.1 offence does not require any mens rea beyond that access be secured knowingly and without authorisation. The possibility exists that EU and COE member states may require more to make the conduct illegal via the permitted specified conduct. This could mean that dual criminality for mutual assistance from such states might not exist for solely s.1 offences.[43] The potential for further variation arises from the failure to define ‘intentional’, ‘security measure’ and ‘minor cases’, possibly creating dual criminality problems but, at a minimum, boding ill for the prospects of extensive EU harmonisation.

2.1.2 Illegal Interception

The Convention includes the offence of ‘illegal interception.’ It defines this to mean interception without right, made by technical means, of non-public transmissions of computer data to, from, or within a computer system, including electromagnetic emissions from a computer system carrying such computer data.[44] Electromagnetic emissions from a computer could encompass not only transmissions over wireless computer networks but technologies reading optical emanations from screens or fibre optic cables or emissions from phones, including wireless. Also, the offence may be limited to dishonest intent.[45] It is also likely to encompass interception of communications using both public and private networks and those within non-networked computers, which are sometimes used for the greatest security.

The Framework Decision does not include this. While Member States are likely to have laws that protect personal data and criminalise unauthorized interceptions of communications data, at least over public networks, pursuant to other EU legislation (eg, the UK’s Regulation of Investigatory Powers Act 2000), there appear to be gaps, especially with regard to computer systems on private networks and stand-alone computers. This creates the possible need for further action, possibly at the Member State level, to meet individual COE obligations, a piecemeal approach requiring EU members to determine the extent to which uses of sniffing technologies are encompassed within their existing legislation as well as keystroke logger programs and other spyware. The likelihood of commensurate approaches among EU Member States seems remote. The UK’s All Party Group suggestion that the Law Commission expedite work on the Misuse of Trade Secrets Act to criminalise theft of commercial data[46] and OFCOM investigate a Code of Practice for spyware and education of end-users[47] is likely to be unique.

2.1.3 Data Interference

Damaging, deletion, deterioration, alteration or suppression of computer data without right comprises the Convention’s ‘data interference’ offence. States may limit this to conduct resulting in serious harm.[48] As the definition of ‘computer data’ under Article 1 includes a program that can cause a computer to perform a function, this offence encompasses damage or deterioration to programs.

The Framework Decision requires Member States to criminalize acts that exactly track the Convention’s but adds the act of ‘rendering inaccessible’ computer data. It also qualifies that the duty arises in relation to cases that are not minor.[49] While the latter language gives rise to the same concerns as stated above, it is unclear what is further accomplished with ‘rendering inaccessible’. Whether ‘not minor cases’ is the equivalent of the Convention’s ‘serious harm’ is also unclear.[50]

2.1.4 System Interference

The Convention’s ‘system interference’ offence requires criminal laws encompassing ‘serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data’.[51] The Explanatory Report explains that ‘serious’ interference is required but what this means is left to each state to determine, one option being to include a minimum damage figure.[52] It is intended to include sending data in such amounts, form or frequency that the transmission would ‘prevent or substantially slow the operation of the system’, ie denial of service (DOS) attacks.

The Framework Decision requires measures addressing ‘serious hindering or interruption of the functioning of an information system’ committed without right via the same acts listed by the Convention. It again adds the act of ‘rendering inaccessible’ computer data and specifies this for ‘cases which are not minor.’[53] The Explanatory Memorandum to the Commission’s Proposed Framework Decision indicated that ‘interruption’ was necessary for purposes of clarity[54] and that this section was ‘intended to include DOS attacks’ by use of the words ‘inputting’ and ‘transmitting’.[55] Again, the further act is not explained nor is ‘cases that are not minor’.

The UK’s CMA might not encompass DOS attacks within the s. 3 offence as it addresses the modification, whether or not permanent, of the contents of a computer where the person is not authorized to determine whether such modification should be made nor has permission of the person that does.[56] This was considered by the All Party Internet Group.[57] While concurring that the Act is quite likely to cover such acts,[58] it recommended a new offence of ‘impairing access to data’ to heighten concern about engaging in such unlawful conduct.[59] The Group noted the drafting difficulty of establishing the necessary intent and arising from free speech concerns in some Web expressions of protest.[60] The Government has indicated its intent to bring forth changes needed to clarify DOS.[61]

2.1.5 Misuse of Devices

The final Convention offence here is Article 6, ‘Misuse of devices’. It addresses the sale, import, procurement, distribution or making available of devices, including computer programs, designed or adapted primarily for the purpose of committing any of the above offences, or computer passwords or access codes by which a computer system or part of a system is capable of being accessed.[62] Possession of such an item with intent that it be used to commit one of the other crimes is also to be criminalised although minimum thresholds can be established.[63] Only sale, distribution or otherwise making available of passwords and access codes must be criminalised. Criminalising the remaining acts is optional.

The Framework Decision does not specifically address these offences. Rather it requires Member States to ensure criminal penalties for ‘intentional instigation of, aiding or abetting’ of the illegal access or interference offences.[64] Attempt is also included, although optional for the illegal access offence.[65] Selling or intentionally distributing or making available a password or code that enables unauthorised access to a computer or computer system could fall within inchoate offences and thus be sufficient to meet COE obligations. Under UK law, the actus reus of incitement is the act of persuading, encouraging or threatening another to commit a crime.[66] The requisite mens rea is that the incitor intends that, as a result of his persuasion, the incitee will commit an offence.[67] This would be likely to be successful, however, only where there is no real other use for that password or access code so as to amount effectively to the burglar tools sold to known burglars as dicta in CBS v Amstrad suggest.[68]

The All Party Internet Group, however, noted that the inchoate offences, although referring to ‘attempt’, cannot apply to the s.1 CMA offence as it is currently unindictable.[69] It also recommended that the UK not adopt any of the optional Article 6 Convention provisions, while noting that UK law does not currently comply with the mandatory provision. It made no recommendation how this should be redressed. Its recommendation that penalty levels for indictability be encompassed within a Home Office review of penalties seems to have been taken.[70]

2.2 Forgery and fraud, the computer-related offences

The Convention’s computer-related offences comprise only computer-related forgery and fraud. The former is defined in Article 7 as ‘without right, the input, alteration, deletion, or suppression of computer data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible.’ States are free to limit offences to those involving intent to defraud or similar dishonest intent.[71] The data need not be acted upon or even considered. There need not be a loss or resulting harm. The acts overlap to some degree with those in ‘data interference’ which may result, practically, in its being a lesser-included offence.

The Convention defines computer-related fraud as ‘causing of a loss of property to another by’ any of the acts comprising fraud or any interference with the functioning of a computer system ‘with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or another.’[72] Here the mens rea of fraudulent or dishonest intent to procure economic gain is compulsory, unlike with fraud. Also, a resulting loss to another of property is required within the actus reus. The Convention does not define property. Signatory states will need to ensure that their laws encompass intangible property, such as computer data and/or the value it can represent, eg funds transfers or debt instruments, to be effective in the context of computer-related frauds. While the framework requires a loss, it does not require actual deceit, neutral wording that makes only the outcome and the dishonest intent relevant and avoids reference to deceiving a person or the question of whether a computer can be deceived where the loss is incurred by some automatic processing.

The EU Framework Decision on attacks against information systems is limited to that alone. It does not encompass the computer-related offences. The UK law needs to be revised to clarify the above issues, an undertaking that the Government has indicated it will do via a new Fraud Law.[73]

2.3 Computer Content-Related Offences

The final category of Convention offences concerns the possession and distribution of materials that are illegal by virtue of the content itself. Title 3 ‘Offences Related to Child Pornography’ defines ‘child pornography’ to include pornographic material that ‘visually depicts’ either a minor, a person appearing to be a minor or realistic images representing a minor engaged in sexually explicit conduct.[74] This encompasses computer-generated images of children, morphed images of a child’s head on an adult’s body and images of adults who appear to be children. These are viewed as creating demand for or normalizing child pornography although not themselves comprising actual child abuse, the illegality underlying the depiction of a minor. While the Convention defines ‘minor’ as persons under 18, signatories can lower this to 16. The criminal acts involving child pornography include: producing, offering, making available, distributing, transmitting, and procuring it for oneself or others through a computer system as well as possessing it on such system or a computer-data storage medium.[75] ‘Visually depicts’ is intended to encompass data that can be converted to a visual image.[76]

The EU Council’s Framework Decision 2004/68/JHA defines these three categories of child pornography, although with slightly different wording.[77] A child is under 18 years. Production, dissemination, transmission, supplying, making available, acquisition or possession of child pornography whether by means of a computer system or not is to be criminalised. However, Member States may exclude where the person appearing as a child is over 18 when depicted and where realistic images of a ‘non-existent child’ are solely for the producer’s private use but where there is no risk of dissemination.[78]

UK law appears compliant with both. The UK’s Protection of Children Act 1978 and Criminal Justice Act 1988 encompass within possession and distribution of indecent photographs of children those that may be made by computer graphics where they have the appearance of photos[79] and convey the primary impression that the person shown is a child notwithstanding some adult features.[80] The Sexual Offences Act 2003 raised the age of a ‘child’ for purposes of indecent photographs from 16 to 18.[81] UK courts have held ‘voluntary downloading’ to a computer screen to be making such an indecent photograph or pseudo-photograph.[82]

Finally, the Convention on Cybercrime requires criminal sanctions for infringements of copyright and related rights as defined under national law and pursuant to obligations under the Berne Convention, TRIPS Agreement or the WIPO Copyright Treaty ‘when such infringements have been committed by means of a computer system and on a commercial scale’.[83]

EU law, while making reference to appropriate and effective sanctions for, inter alia, infringements of copyright and related rights, eg in the Enforcement Directive, does not directly address criminal sanctions. The UK Copyright, Designs and Patents Act 1988, however, has criminal sanctions that more than meet Convention obligations under ss. 107 and 198 for both copyright and related rights. These encompass commercial use and infringements that are not commercial but which are ‘affecting prejudicially’ the rights of the owner – much broader than the Convention. While making no reference to use of computers, theoretically irrelevant here, practically speaking one probably could not infringe at the level for criminal sanctions without a computer.

3 Conclusion

One cannot argue with those who espouse the need for more resources to address this growing threat to all who use information systems. I do agree that more laws are not really needed in the UK. However, this is because, beyond the very few identified gaps (the new Fraud Act and the minor adjustments to the Computer Misuse Act), UK law is compliant and adequate to meet international obligations and the challenges of most cybercrime today.

Anne Flanagan, JD, LLM (Lon) is Lecturer of Communications Law at the Centre for Commercial Law Studies, Queen Mary, University of London.

[1] See Opening for signature/Entry into force status, COE Convention on Cybercrime, CETS No.185.

[2] See L. van Grinsven, ‘Cybercrime costs Europeans billions’, 2005-04-26.

[3] D. Ilett, ‘UK Police struggling to fight cybercrime’, ZD Net UK News (March 04, 2005)

[4] HMIC, ‘Keeping Safe, Staying Safe: Thematic inspection of the investigation and prevention of child abuse’ (Home Office London 2005).

[5] ‘Centre to tackle paedophiles’, (BBC NEWS April 1, 2005).

[6] Ibid.

[7] See ‘National Centre for child protection on the net is approved’, Internet Watch Foundation

[8] ‘Microsoft hunts child pornography’, (Wired News April 8, 2005).

[9] ‘Unit needed’ to tackle net porn, (BBC NEWS, March 4, 2005).

[10] ‘Tool Thwarts Online Child Predators’, (Microsoft Toronto April 7, 2005).

[11] Juan Miguel Petit, ‘Report on the sale of children, child prostitution and child pornography’ United Nations Commission on Human Rights, 61st Session, Agenda Item 13, 14 March-22 April, 2005. Señor Petit also urged laws requiring ISPs to monitor and stop such sites when found, a recommendation not likely to be successful given the many years of lobbying in the U.S. and the EU, etc. to have any such duty statutorily eliminated.

[12] Ibid. The other is the United Nations ‘Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography’, entry into force 18 January 2002.

[13] Convention on Cybercrime, Nov. 23, 2001, Europ. T.S. No. 185.

[14] Ibid. at arts. 2-6.

[15] Ibid. at arts. 7, 8.

[16] Ibid. at arts. 9, 10. The Convention distinguishes content-related offences of child pornography in Title 3 as a category separate from ‘offences related to infringements of copyright and related rights’ in Title 4. As, however, the latter would be an offence solely due to the unlawful nature of its content, they are addressed together here.

[17] None of the observer states has yet ratified the treaty. See COE Status site, supra note 1.

[18] See Petit Report, supra note 11 at ¶¶ 28-36.

[19] LMM (02)17.

[20] Council Framework Decision 2005/222/JHA on attacks against information systems, OJ L 69/87 (16.3.2005). See also, Proposed Council Framework Decision on ‘attacks against information systems’, COM (2002) 173 final, Brussels, 19.4.2002.

[21] See Decision 2005/222/JHA at Recitals 7-9. See also, Proposed Framework Decision, supra.

[22] OJ L13/44 (20.1.2004)

[23] Convention on Cybercrime, supra note 13, art. 2.

[24] Ibid., art. 3.

[25] Ibid., art. 4.

[26] Id., art. 5.

[27] Id., art. 6.

[28] Convention Explanatory Report, 8 November 2001 at ¶ 39.

[29] Ibid. at ¶ 38.

[30] Ibid. at ¶ 47.

[31] Ibid., art. 2.

[32] See, e.g., O.S. Kerr, ‘Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes’, 78 N.Y.U. L. Rev. 1596 (2003) at II.

[33] Framework Decision, supra note 20 at art. 2(1).

[34] Ibid. at art. 1(d).

[35] Framework Decision, supra note 20 at art. 2(1).

[36] Ibid. at art. 2(2).

[37] Ibid. at art. 7(1).

[38] Convention Explanatory Report supra note 28 at ¶ 37.

[39] See ibid. at ¶¶ 49-50.

[40] UK Computer Misuse Act (ch.18) 1990.

[41] See ‘Revision of the Computer Misuse Act: Report of an Inquiry by the All Party Internet Group’ (All Party Parliamentary Internet Group, London, June 2004) (‘Report’).

[42] See Home Office ‘Review of the Computer Misuse Act’, (Home Office London 2005).

[43] The Report, supra note 36 at 15, cites claimed failures of extradition to the UK under this provision.

[44] Convention on Cybercrime, art. 3.

[45] Ibid.

[46] See Report, supra note 36 at ¶ 36.

[47] Ibid. at p.9, ¶ 55.

[48] Convention on Cybercrime at art. 4.

[49] Framework Decision, art. 4.

[50] Art. 4(2), Convention on Cybercrime.

[51] Ibid. at art. 5.

[52] See Convention Explanatory Report, supra note 28 at ¶ 67.

[53] Framework Decision, art. 4.

[54] See Proposed Framework Decision, supra note 20, at Explanatory Memorandum, s. 3.

[55] Ibid.

[56] See s. 3, Computer Misuse Act, 1990, supra note 35.

[57] Report, supra note 36 at 9-12.

[58] A view with which the author also concurs.

[59] Ibid. at s. 66.

[60] See ibid. at ss. 67-70.

[61] See Home Office Review, supra note 37.

[62] Convention on Cybercrime, art. 6(1)(a).

[63] Ibid., art. 6(1)(b).

[64] Art. 5(1), Framework Decision.

[65] Art. 5(2) and (3), Framework Decision.

[66] Invicta Plastics Ltd v Clare [1976] RTR 251 (sale of radar detector to avoid speed traps incitement where use would contravene strict liability provision of Wireless Telegraphy Act of 1949).

[67] Ibid. But see, CBS Songs Limited & Others v. Amstrad Consumer Electronics Plc [1988] R.P.C. 567, 591 HL (dual recorder merely permitted but did not authorize unlawful copying; Invicta rather more comparable to ‘selling or advertising jemmies generally and selling them to known burglars.’)

[68] CBS Songs Limited & Others v. Amstrad Consumer Electronics Plc, supra at 591.

[69] Report, supra note 36, at 14, ¶ 93.

[70] See Home Office Review, supra note 37.

[71] Art. 7, Convention on Cybercrime.

[72] Ibid., art. 8.

[73] See ‘Fraud Law Reform: Government Response to Consultations’, (Home Office London January, 2005). Also see A. Flanagan, ‘The law and computer crime: Reading the script of reform’, Vol. 13 No 1 Int’l J. of L. & Information Tech. 98 (2005), pp. 101-104.

[74] Art. 9(2), Convention on Cybercrime.

[75] Ibid. at art. 9(1).

[76] See Convention Explanatory Report, supra note 28 at ¶ 99.

[77] Framework Decision 2004/68/JHA, OJ L13/44 (20.1.2004) at art. 1(b).

[78] Ibid. at art. 3(2)(a) and (c).

[79] PCA, s. 7(7) and CJA, s. 160(4), inserted by the Criminal Justice and Public Order Act 1994, s. 84. See also the recommendations made in House of Commons, Home Affairs Committee, Computer Pornography, 1st Report, Session 1993-1994 H.C. No. 126.

[80] PCA, s. 7(8).

[81] Sexual Offences Act, ch 45 (2003), s. 45.

[82] See R. v Jayson [2002] EWCA 683 (CA Crim.).

[83] Convention on Cybercrime, art. 10.