Is the state the biggest cyber criminal of all?

The internet is the first thing humanity has built that humanity doesn’t understand

Cyber crime is one of the fastest growing areas of criminal activity in the world and policing it is no longer considered exclusive to law enforcement. INTERPOL Secretary General Jürgen Stock in January 2016 stated “[…] cyber space, is no longer the exclusive preserve of law enforcement. The private sector, academia, and citizens themselves all need to be involved.”

Acts of cybercrime penetrate our lives in many different ways: cyber warfare, cyber terrorism, cyber fraud, cyber laundering and the list goes on. Cyber space, to the law, is a new unregulated world which we as human beings are still adjusting to and as a result of this it is exploited at the inconvenience and often harm of others.

The legal implications of cyber crime present a non-exhaustive list but evidence suggests that its exploitation leaves large sections of society with no redress. In 2015 TalkTalk was the subject of a cyber attack in which its customers’ information was the target. The incident was reported to have affected up to 156,959 customers in which their personal and banking details were suspected to be at risk.

Hacking operations like these implicate commercial organisations safety measures and the vulnerabilities of the general public, bringing into question whether it is a case of lack of security or highly-skilled organised crime, or maybe both.

Monty Raphael QC has made the, very good, point that an online service that does not work properly is “just as obvious to cyber criminals as it is to digital marketers.” Not that those digital marketers lack vital cyber skills, but there is a high degree of technical expertise involved in developing cyber attacks. However, it cannot be the case that commercial organisations can absolve themselves from liability where there is a failure on their part to put sufficient safeguards in place.

Where data breaches have occurred that contravene the Data Protection Act, the Information Commissioners Office has the power to issue monetary penalties up to £500,000 with the highest fine to date being the TalkTalk penalty of £400,000. Despite that fine being onerous and enforcement notice being made there was no evidence of formal redress to safeguard the risks posed to your average consumer; those affected have no way to recover their digital information by removing it from the free-flowing space that is cyberspace. The law in this instance has failed to provide sufficient protection to consumers as a financial penalty does not reverse the free-flow of customer’s private information.

The Computer Misuse Act

As cyber crime will often involve the use of a computer (as originally defined by s5(6) of the Civil Evidence Act 1968) it is useful to examine the legal impact to date of the Computer Misuse Act 1990.

Generally speaking the act covers unauthorised access, or modification, of computer material and the facilitation of other offences. While the act has the capacity to open up the doors to a variety of offences it is yet to be used as a means of prosecution for hacking.

Unfortunately for the UK, the Computer Misuse Act is the only piece of legislation which covers attempts to penetrate computers in an offensive way, making cyber crime a grey area for the courts and general public in assessing what a cyber crime actually is; there is not enough case law to illustrate the broad scope of cyber space and the criminal activity it is home too.

Legitimate hacking

Despite hacking being acknowledged as a legitimate method of gaining unauthorised access to computer material we are yet to see a definition in law as to what hacking actually means. The Serious Crime Act 2015 refers to s1 of Computer Misuse Act as “hacking”, but we are yet to have an affirmative interpretation from the courts as to whether we describe the act of hacking specifically as crime.

If the courts were to explore the definition as to what hacking means it would call into question the methods used by the likes of our domestic and international intelligence agencies such as the recent revelations relating to Vault 7.

The ‘public interest’ defence would be called into question where intelligence organisations may use it to legitimise the act of hacking and, because cyber space is not tangible in its existence, it would test the moral boundaries of hacking for legitimate and illegitimate purposes.

There are very visible instances where hacking is clear cut wrong, such as attempts to steal money from a bank or hacking government IT systems. But how far can our institutions go before their methods of monitoring, observing or hacking become a breach of our right to privacy?

Tempora and PRISM are reportedly the biggest institutional forms of cyber surveillance to date, giving GCHQ and the NSA unfettered access to vast quantities of information belonging to us: the public. While most of us can understand surveillance is intended for our own protection, we do have ask our institutions: why are you so paranoid?

By taking away the rubber stamp that legitimises these activities by our own intelligence agencies it becomes clear that the unauthorised access to computer material is exactly the same action performed by those deemed cyber criminals, the only difference is context.

However, context in cyber space is a funny thing. It exists but only insofar as we make it. Despite the context in which our institutions act bona fide on our behalf to protect us, the lack thereof could be creating one of the biggest cyber crimes known to the Western world.

Indeed, Eric Schmidt, ex-chief of Google, quite rightly pointed out that: “The internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we ever had.”

Giovanni Parcou is an aspiring solicitor and University of Brighton law graduate. This post was one of the standout entries we received for the BARBRI International Cyber Crime Blogging Prize.