Interpreting and understanding law is a difficult thing. However, many Information Security, Ethical Hacking, and Cyber Security degree courses include understanding the law as a requirement. There is also an awful lot of law and literature out there about the many offences an individual could commit during the normal course of a career in an offensive security role such as penetration testing.
Here I aim to give a gentle summary of the law in the UK and some useful links to related resources. Certainly anyone working in the field of offensive security should have at least an overview knowledge of the law. This is not a complete guide, but simply a post that highlights some of the interesting aspects of the law and aims to dispel some misconceptions.
Firstly please note, IANAL. I’m keenly interested in Cyber Crime Law and offensive security. There’s a big difference between a lawyer and me – TL;DR saying to a judge in a court “But this blog post I read said…” is not a good way to start a defence.
The only law to cover hacking is the Computer Misuse Act, right?
When it comes to hacking and penetration testing, there are a whole lot of applicable laws out there, such as the Computer Misuse Act, the Serious Crime Act, the EU Directive 2013/40/EU, Police and Justice Act, the Terrorism Act, Human Rights Act, Digital Economy Act, Extradition Act, Interception of Communications Act, Regulation of Investigatory Powers Act, Lawful Business Practice Regulation, and more. Additionally many acts have been amended over the years and further, many of these acts are only partly relevant or relevant only to specific edge case offences. So there’s a lot to dig through if you want to understand where UK law is in regards to cyber crime.
It’s also important to differentiate between a cyber-enabled crime and a cyber-centric crime. Cyber-centric crimes are things like unauthorised access to computer systems: new crimes brought about by the existence of computers. Cyber-enabled crimes, however, are crimes that have always existed but benefit from the existence of computers, such as fraud. I aim to cover only cyber-centric issues such as hacking and the interception of communications.
Perhaps the most well known relevant act is the Computer Misuse Act 1990, which originally created three offences; with the later amendments discussed below, the list of offences now reads:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
3ZA. Unauthorised acts causing, or creating risk of, serious damage.
3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.
Each of these offences carries a different maximum prison sentence: offences 1 and 3A carry a maximum of 2 years’ imprisonment, offence 2 carries 5 years, and offence 3 carries 10 years. Offence 3ZA is the most serious crime covered by this act and has a maximum sentence of life imprisonment.
The changes brought in by the Serious Crime Act were partly to cover the requirements of the EU Directive 2013/40/EU. They went further than merely adding offences, though. First, offence 3A no longer requires intent, due to section 42 of the Serious Crime Act. Arguably the most dramatic change comes in section 43, which amends the Computer Misuse Act such that an offence is committed even if the accused is outside the United Kingdom at the time of the offence, so long as the act is illegal in that country too and the offender is a United Kingdom national.
The Police and Justice Act amends the Computer Misuse Act to include “Unauthorised acts with intent to impair operation of computer”, which effectively adds Denial-of-Service attacks as an offence. The amendment makes explicit that the offence does not have to be directed against a specific computer, program or data. Additionally, it states that an offence is committed even if the Denial-of-Service is only temporary.
Finally, you may hear talk of computer hacking being considered a terrorist act in the UK by law. I believe this is a reference to the Terrorism Act 2000, section 1(2)(e), which concerns the disruption of electronic systems. The section reads:
[An offence is committed if the action] is designed seriously to interfere with or seriously to disrupt an electronic system.
This might suggest that hacking, or hacking-like activities such as Distributed Denial of Service attacks, could be considered terrorism. For that to be true, however, the action must also satisfy the Act’s interpretation of the term “terrorism”, which includes the following conditions:
In this Act “terrorism” means the use or threat of action where—
(b) the use or threat is designed to influence the government or to intimidate the public or a section of the public, and
(c) the use or threat is made for the purpose of advancing a political, religious, racial or ideological cause.
So it is certainly not the case that any significant disruption automatically becomes an act of terrorism.
The legalities of, and offences related to, interception were originally covered in the Interception of Communications Act 1985. However, this was repealed by Schedule 1 of the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA is a long and complex act which covers many things, including the recording of transmissions for legal purposes (e.g. by the police for the purposes of law enforcement), and it covers many details such as interception with and without a warrant.
Under RIPA, it is illegal to intentionally intercept any communication transmitted by means of a public telecommunications system without lawful authority. It is also illegal to intentionally intercept any communication transmitted by means of a private telecommunications system if the person intercepting does not have the right to control the operation or use of the system, or does not have the express or implied consent of such a person to make the interception.
In short, a person may not intercept a communication without either being a law enforcement agent with appropriate authorisation (such as a warrant), or being a party to the communication. For example, a person may legally record a phone conversation to which they are a party – however, they may not then share that recording with a third party.
Another law relevant to the interception and recording of communications is The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. This effectively covers the legalities of a company recording transmissions for business practices, whereas RIPA centres on interception by law enforcement.
The Lawful Business Practice Regulations cover the interception of communications on business systems for activities such as establishing the existence of facts, ascertaining compliance with practices or procedures applicable to the business, protecting the interests of national security, preventing or detecting crime, and preventing unauthorised use of a business system. It should also be noted that business interception must be in line with the protection of personal data covered by the Data Protection Act 1998. To make this task easier, the Information Commissioner’s Office has made available a guide which, under section 3, covers “Monitoring at Work”.
Additionally, the Data Protection Act 1998 (DPA) is relevant here as it covers processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. So when it comes to the monitoring and recording of communications in transit a company must consider the DPA. Although the act defines principles for the protection of data it does not list specific actions a company must perform. The principles are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
So here you can see that the DPA requires data to be protected against unauthorised or unlawful access. The act does not define how this is to be implemented; it simply states that “Appropriate technical and organisational measures shall be taken”.
Finally, in regards to interception, it’s common to see discussion around the Human Rights Act 1998, as one of the protections this act affords is a person’s “Right to respect for private and family life”. Therefore you might consider that a person who illegally monitors another person’s communications is in fact breaching their human rights, through the right to respect for privacy. However, Schedule 1 goes on to state:
“2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
This raises the point that the Human Rights Act only binds public authorities, which covers government departments, local authorities, schools, etc. – but not individuals. However, all courts in the UK must apply the law in a way which is compatible with human rights. This means they must interpret and give effect to the law in a way which is as close to the Human Rights Act as possible, and they must do this in all cases they hear, even those that do not involve a public authority.
This is therefore a potentially confusing situation. The Equality and Human Rights Commission elaborates:
“The Act regulates the relationship between individuals and the state, and aims to protect individuals by making sure the Government and public bodies use their powers responsibly. So for example, you can’t sue your neighbour for a breach of human rights. But public authorities can use existing laws to ensure that one individual doesn’t abuse the rights of another individual. If a woman was violently abused by her partner, she couldn’t sue him for breaching her rights. However, the police would be responsible for protecting her human rights by using other laws to convict him for domestic violence, and if they knowingly failed to offer adequate protection this could be a breach of her human rights. Nor do private organisations come under its remit, except in certain circumstances such as where they provide services on behalf of a public authority.”
So the Human Rights Act cannot be invoked specifically against an individual.
Cyber-centric laws are interesting in regards to extradition because actions performed in one country can have impacts the world over. It’s common to see hackers targeting nation states other than the one in which they live, so the risk of extradition is important – especially when it’s noted that the UK has extradition relations with over 100 territories around the world.
The Extradition Act 2003, part 1, implements the European Arrest Warrant (EAW), which allows extradition to 28 territories designated as Category 1 territories. In urgent cases, the person a country is requesting be surrendered for prosecution or punishment can be arrested before the receipt of an EAW, although the EAW must be received in time for a court hearing, which must be held within 48 hours of the arrest.
The Extradition Act 2003, part 2, defines a significant number of countries with which extradition relations exist but which are non-EU and therefore do not fall under the European Arrest Warrant scheme. This includes countries such as the United States of America. The UK Government has outlined the process of extradition on its website; in short, a person who is arrested for extradition will face two hearings. The first is an “initial hearing” to confirm the person’s identity, inform them of the process, and fix a date for the second hearing if the person does not voluntarily consent to extradition. The second hearing, the “extradition hearing”, allows a judge to ensure there are no bars to extradition, as there are certain protections built into the act that may prevent extradition. For example:
A person may not be extradited to a country if they will face the death sentence. Specifically:
1 Extradition to category 1 territories
(3) A territory may not be designated for the purposes of this Part if a person found guilty in the territory of a criminal offence may be sentenced to death for the offence under the general criminal law of the territory.
94. Death Penalty
(1) The Secretary of State must not order a person’s extradition to a category 2 territory if he could be, will be or has been sentenced to death for the offence concerned in the category 2 territory.
(2) Subsection (1) does not apply if the Secretary of State receives a written assurance which he considers adequate that a sentence of death—
(a) will not be imposed, or
(b) will not be carried out (if imposed).
The death penalty is not the only way that extradition can be blocked, however. As of October 2013, the Crime and Courts Act 2013 introduced the idea of a “Forum Bar”, which is one protection mechanism a person can invoke to prevent extradition from the UK. The bar was enacted due to a perceived imbalance in extradition between the UK and the US.
The Forum Bar requires the court to determine whether extradition is in the interests of justice, having regard to the following matters:
- whether a substantial measure of the defendant’s relevant activity was performed in the United Kingdom;
- the place where most of the loss or harm resulting from the extradition offence occurred or was intended to occur;
- the interests of any victims of the extradition offence;
- any belief of a prosecutor that the United Kingdom, or a particular part of the United Kingdom, is not the most appropriate jurisdiction in which to prosecute the defendant in respect of the conduct constituting the extradition offence;
- whether evidence necessary to prove the offence is or could be made available in the UK;
- any delay that might result from proceeding in one jurisdiction rather than another;
- the desirability and practicability of all prosecutions relating to the extradition offence taking place in one jurisdiction, having regard to the jurisdictions in which witnesses, co-defendants and other suspects are located, and the practicability of the evidence of such persons being given in the United Kingdom or in jurisdictions outside the United Kingdom;
- the defendant’s connections with the United Kingdom.
However, the prosecution can effectively block the Forum Bar through a Prosecutor’s Certificate if:
- there would be insufficient admissible evidence for the prosecution;
- the prosecution would not be in the public interest;
- prosecution in the UK would impact national security;
- prosecution in the UK would impact international relations; or
- prosecution in the UK would impact the prevention or detection of crime (for example, where prosecution without extradition would endanger undercover law enforcement agents).
In summary, when it comes to UK law there are a significant number of acts, directives and regulations to consider, both for malicious computer hacking and for careers in offensive security such as penetration testing. If you want to dive deeper into the law, here’s a list of related acts:
Computer Misuse Act 1990
Police and Justice Act 2006
Serious Crime Act 2015
EU Directive 2013/40/EU
Terrorism Act 2000
Regulation of Investigatory Powers Act 2000
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Data Protection Act 1998
Human Rights Act 1998
Extradition Act 2003
Crime and Courts Act 2013
Telecommunications (Data Protection and Privacy) Regulations 1999