§ Order for Second Reading read.
9.36 am§ Mr. Michael Colvin (Romsey and Waterside)I beg to move, That the Bill be now read a Second time.
As the title of the Bill suggests, it deals with certain forms of computer misuse. Perhaps I had better begin by explaining what I mean by computer misuse.
There are three main categories of computer misuse. The first is unauthorised access to computers and computer systems. The second is unauthorised access with further ulterior intent, such as fraud, and, finally, there is unauthorised modification, which is the computer equivalent of criminal damage.
The Bill would make those three forms of computer misuse criminal offences. The underlying principle is to safeguard the integrity—what I call the trustworthiness—of computers and not to protect the information that computers contain. I do not want the House to be under any misconception about that.
Computer misuse probably costs the United Kingdom between £400 million—the CBI's figure—and perhaps as much as £2 billion a year, in terms of damage to systems. Those figures are based on estimates from industry sources, users of systems and manufacturers of computer hardware and software. I am afraid that there are no reliable statistics, because there is no central recording of incidents. Unfortunately the perception is that there is a very low probability of successfully prosecuting computer misuse under present law. That leads to organisations being reluctant to admit unauthorised access because they see that as a bit of an embarrassment.
It is significant, for example, that of 270 cases that have been verified by the Department of Trade and Industry as involving computer misuse over the past five years, only six were brought to court for prosecution and only three of those were successfully prosecuted for fraud. There must be some inadequacy in the law as it stands.
Costs from misuse arise because any unauthorised access undermines the trustworthiness of a computer. An organisation usually cannot tell precisely what has happened when access has been achieved. As a result, it must spend resources on checking and restoring computer software. When there are several computers in a system that process can be very expensive—probably costing tens of thousands of pounds. For example, I may hack—that is the jargon for unauthorised access—into a local hospital's computer. Whether or not I succeed in modifying medical records for some malicious purpose, a computer manager in the hospital, having discovered me, which he can do because I would have left electronic footprints around, must check and verify perhaps all computer records. If I succeed in modifying the system, it could be disastrous, as I am sure hon. Members will appreciate.
Another possibility is that I will render the computer and any others connected with it in the network inoperable, and the cost of cleaning up such a network can amount to hundreds of thousands of pounds. The first conviction for such an activity has just occurred in the United States.
1135 That is occurring when we are in the vanguard of countries seeking to encourage greater use of information technology to create wealth and when we are doing our best to attract inward investment to the United Kingdom, with 1992 and a single Europe in mind. The United Kingdom is one of the few major western industrial countries that have no computer crime laws to deal with a serious problem. There is a real risk that, if nothing is done, the United Kingdom could become an international hackers' haven.
Why is our law unable to deal with computer mischief? It is principally because it simply has not kept pace with the rate of progress and because computer misuse is fairly new. My "Oxford English Dictionary", which was published in 1964, does not even mention the noun "computer". The pace of technological development has been so rapid that, over three or four decades, computers have come into widespread commercial use. In one decade—the 1980s—the technological revolution has extended to the home, with the use of personal computers. Undoubtedly, in the next decade many further advances will be inevitable. In the 1980s, we witnessed a vast increase in knowledge of computers and the production of easier-to-use machines. Computers are much more user friendly. Prices have tumbled, and computer technology is now available to virtually everybody.
Modern telecommunications enable one to connect with a computer through a modem. Some people think that a modem is an expensive and bulky piece of equipment. I have a modem in my hand. Hon. Members can see that it is rather smaller than a cigarette lighter, and not very costly either. With such a device people can connect into telephone networks. International networks are expanding quickly and are carrying many more messages since the introduction of fibre optics. Anyone with a simple home computer and a modem can access another computer if it is connected to the telephone network. That vastly increases the speed of modern communications and aids the welcome free exchange of information, but it leaves computers vulnerable to misuse.
Security fears block the free flow of information. Scientific and social progress can take place only in the open. The paranoia that hackers leave in their wake stifles work and forces administrators to disconnect their links with network communities. Open systems need trust, but hackers destroy trust. The information technology industry has recognised that risk. Responsible vendors and service organisations have put in place comprehensive development programmes to create secure information products and services—not least Her Majesty's Government, through the work of the Central Computer Telecommunications Agency staff, to whom I spoke only yesterday. However, the fact remains that the lack of appropriate legislation in the United Kingdom provides a loophole for hackers, particularly if legitimate user systems have been outmoded by rapid technological advances. We find ourselves in the 1990s with new, well-defined mischiefs that the law does not address at all or does not address with any certainty.
I have been asked why, as someone who is barely computer literate, although I am learning fast, I should bring forward a Bill on computer misuse. I may not know much about computers, but computers know a great deal 1136 about me, and that is why the Bill is of general interest. I am still counting, but, so far, I have identified 102 computer systems in Britain that contain personal information about me, and the same is probably true of all hon. Members.
Most homes now boast a personal computer of some sort. Certainly, many people sit at computer terminals at work. Most hon. Members have invested in computers or word processors to cope with the flood of constituency mail that we receive. Unfortunately, since the fall in the price of such instruments and the growth in user friendliness, our constituents are also investing in such machines. One computer is now talking to another computer, and hon. Members sit somewhere in betweeen. There are probably as many computers in offices, factories and homes as there are cars outside.
Just as at the beginning of the century, when the first motor cars appeared on our roads, we had to introduce special laws to govern their use and misuse, in spite of existing legislation on horse-drawn carriages, so too are special laws required today to cope with computers. The Bill would provide such laws.
1 have closely based the Bill on the excellent and well-reasoned recommendations of the Law Commission of England and Wales in its report No. 186, which was published in October 1989. So that the Bill should apply to Scotland as well, I have drawn on an earlier Scottish Law Commission report, No. 106, which was published in 1987. I offer my thanks to Mr. Richard Buxton QC of the Law Commission of England and Wales. He is a principal member of that commission and has been closely involved in the preparation of the Bill. The Law Commission stated that an adequate deterrent would not be provided against the threat of computer misuse simply by trying to stretch or patch up existing criminal law. It took the view that society needs to say clearly that unauthorised access to any computer system is now so anti-social as to be a criminal offence.
That view is shared by a large majority of the 100-odd organisations and individuals who made submissions to the Law Commission of England and Wales when it conducted its year-long study of the nature and extent of computer misuse, following the publication of its working green paper No. 110. Evidence came from a wide range of organisations—computer users in the public and private sectors, computer software manufacturers, hardware manufacturers, and the law enforcement agencies to many of whom I have spoken in the past five weeks, and I thank them most sincerely for their help.
In carrying out its review, the commission was considerably helped by the report of the Scottish Law Commission. Primarily, the extra evidence that has been provided by the passage of time and the difference between the two legal systems in Scotland and England and Wales led to slightly different recommendations. Since publication of the commission's report, some well-attended public debates have shown a broad consensus of support, if some difference on specific details.
I owe much to the parliamentary information technology committee—PITCOM—and to the efforts of my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson), who I am pleased to see in her place, and who has probably forgotten more about computers than I will ever learn. But for the luck of the draw, my hon. Friend would almost certainly have been bringing forward an update of her own Bill on this matter.
1137 My hon. Friend has done a great deal to raise public awareness of this issue and I am delighted to have her as a sponsor of my Bill.
To show the sort of twisted culture that the Bill is trying to stamp out, I have with me an extract from a bulletin board, which is a sort of electronic newspaper that is used by computer operators. It regards my hon. Friends enthusiasm as extremely unwelcome, stating:
who's seen the news in the 'Sunday Times'…page A5 about hacking…and phreaking Mercury…they also want restrictions on BBS's…it's that stupid cow …the devon MP 'computer expert'…don't make me laff…could be bad news tho…maybe someone should assassinate her?"Did somebody suggest that hacking is a harmless culture? All that I can say is that it is a privilege and I am honoured to join my hon. Friend on the hackers' hit list.Now to the Bill and the underlying policy——
§ Sir Geoffrey Finsberg (Hampstead and Highgate)I heard my hon. Friend's dulcet tones on the radio this morning, but one point about his Bill needs clarification. We all recognise the need for this action, but is he satisfied, first, that the police forces of this country have the professional ability to find out when there is a crime, and secondly—and perhaps more importantly—what about the Crown prosecution service? Will it be able to do an effective job if, as I hope, we give the Bill legislative effect?
§ Mr. ColvinI welcome that intervention. I shall be coming to those points later but, briefly, I am satisfied that the police have adequate powers at present to enforce the law, and I am sure that the Crown prosecution service will be careful about assessing evidence before it agrees to proceed with prosecutions. It is clear that what the Bill proposes by way of penalties means that it will be an adequate deterrent to put off a lot of the hacking that is now taking lace.
§ Mr. James Arbuthnot (Wanstead and Woodford)I am most grateful to my hon. Friend for giving way again. He has just been talking about bulletin boards and I have been following and agreeing with what he has said so far. Obviously, a great deal of action is necessary and the Bill is extremely good. However, I caution my hon. Friend about attacking the idea of bulletin boards because they are a bit like any other form of communication—they can be misused, but perhaps that misuse, rather than the medium through which the misuse is occurring should be controlled. Does my hon. Friend agree that attacking bulletin boards as such is a bit like attacking books?
§ Mr. ColvinThat would be an extremely dangerous thing to do. The whole essence of my Bill is that I am improving freedom of information, which is fundamental to this country. A bulletin board is like a newspaper, but if I persuaded somebody through a newspaper to commit an offence, I would be guilty of incitement. Bulletin boards must be extremely careful about what they say. My hon. Friend's point is extremely valid.
The Bill has two main elements. Clauses 1 to 5 make provision for the new offences. Clauses 6 to 11 introduce new rules governing the jurisdiction of the courts to try cases. Clauses 12 to 19 are consequential provisions, making technical amendments to the body of criminal law or amplifying the offences themselves.
I shall concentrate first on the main elements—the offences. Clause 1 creates a new offence triable summarily—that is, in a magistrates court—of unauthorised access 1138 to programs and data held in computers. The maximum penalty is six months in gaol or a £2,000 fine, which is the maximum that a magistrates court can hand out. The objective is to deter deliberate, unauthorised access or attempts to gain access, which is usually referred to as hacking. It is also aimed at insiders who try to get into parts of a system where they know that they should not be. "Intent" is the key element. It would be wrong to seek to catch the person who secures access simply because he or she is inattentive, incompetent, careless or not properly informed about the limits of his or her authority. It puts the onus on employers to ensure that, within contracts of employment or other instructions, employees are left in absolutely no doubt about what they are entitled to do. If they have authority, this law would in no way attempt to penalise them.
Clause 2 creates an offence, triable either summarily or on indictment, of unauthorised access with the intent to commit or to facilitate the commission of a more serious further offence, such as fraud or blackmail. The offence provides substantially greater penalties to deal with those who have distinctly criminal intentions. The maximum penalty would be five years in gaol and, of course, the fines would be unlimited. It is what lawyers call a preliminary offence, because it bites before the further offence is committed or attempted. If I use a computer to get information with which to blackmail someone, I have committed a clause 2 offence even before I have sent the blackmail note.
Clause 3 is the corresponding clause for Scotland. The formulation that is proposed for the rest of the United Kingdom would not work in Scotland because of the differences in the Scottish legal system. The formula that I have adopted is similar to that suggested by the Scottish Law Commission in its report on computer crime, to which I have already referred.
Clause 4 creates an offence, triable summarily or on indictment, to deal with the unauthorised modification of data or programs held in computers or computer storage media. The intention is to remove the current uncertainty that exists in the law concerning damage to intangible property, such as data. It is not intended to cover physical damage to a computer or to disks which would remain within the ambit of the criminal damage laws. It is intended to cover forms of conduct such as erasure, or the putting into circulation of disks that are infected with a computer code—the jargon is "virus"—that is designed to impair the performance of the computer. It is much like the, flu virus that replicates itself in the body and slows one down. Incidentally, it takes a real expert about two hours to write the software for a virus but, on average, about 350 hours to check out a system that is infected and to correct the damage that might have been caused.
There seems to be a whole zoo of malicious software. Since I have been investigating the matter, I have met Trojan horses, logic bombs, viruses, worms, bacteria and even rabbits. I am not sure that I can always tell one from another, but I know that they are all pretty nasty.
Hon. Members may have heard something about this little devil I have here. It is a diskette. The note accompanying it stated that it is an "AIDS introductory diskette". It was mailed to over 20,000 personal computer users in December last year. Those who loaded it into their machines found that it was extremely malicious in that it instructed them to sent money to a Post Office box in Panama or else the program contained on the diskette 1139 would impair the computer's memory after 90 accesses. Many organisations were affected. This one was posted to Kenya from London W1.
Dr. Lewis Popp was arrested last Saturday in Ohio for circulating the disks. He was charged with extorting money with menaces. If he did it, I hope that the police can make the charge stick. If they cannot, the accused will probably get away scot free because circulation of an infected disk, such as this, is not an offence. However, the Bill will make it one.
The prospect of new offences has stimulated considerable debate and interest and a number of views have been expressed about it, most of them in favour. However, there are some dissenters on specific issues and it might help the House if I were to comment on some of the reservations that have been expressed.
It has been argued that the basis of the offences should not be the safeguarding of the computer's trustworthiness, as I propose, but the protection of information, perhaps by conferring a property right on information. That has certain intellectual attraction but the Law Commission rejected that approach. Property rights to information raise complex issues about freedom of information, privacy, confidentiality and how information is valued—which have not been considered in depth. I suspect that it will take a long time to study them properly and to reach a consensus.
We are living in what people call the information society, so it is necessary to consider such issues for the future. We should not let present mischiefs go unchecked for 10 years while we debate freedom of information, privacy and confidentiality.
When pondering issues such as this it is natural to consider whether there is another more suitable and simpler remedy. The Law Commission concluded that there was not. It considered whether users could prevent unauthorised access or modification simply by taking security precautions. In much the same way as we lock our doors to deter burglars, it is possible to protect computers, and many people do.
There is now among users a far greater appreciation of the threat to computer systems and the need to take proper precautions. My research on the Bill certainly proved that. However, there is no complete form of protection for computers. High levels of security can be achieved but they are horrifically expensive, in terms of money, inconvenience or both. Security systems tend to slow up the computer. When speed is the essence, that can be extremely costly. We do not expect householders to turn their homes into Fort Knox. We expect them to take sensible precautions and we add to that the support of sound laws against burglary. That is precisely my approach in the Bill.
Computer owners do not have a statutory duty to protect their computer systems. When I discussed this aspect of the Bill with the Data Protection Registrar, Mr. Eric Howe, he pointed out that the Data Protection Act 1984 requires computer users who process information about individuals to follow certain good practices. These are laid down in the data protection principles. One of those principles is: 1140
appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.I do not accept the argument that, once misuse is made a crime, computer users will pay less attention to their security arrangements.The House will agree that good security requires constant vigilance and that computer users should be aware that their responsibilities under the Data Protection Act will not be diminished simply because they have legal protection against hacking. I stress to users that I do not see legislation as an alternative to computer security but as a complementary protection.
The response among users has been encouraging and there is clear recognition that legislation does not obviate the need for proper security. It would be wrong to think that all is well and that everyone is acting properly. Not everyone is acting properly. I know that the Government have launched an awareness campaign to do something about that and I look forward to hearing what my hon. Friend the Minister for Industry has to say when he replies to the debate.
The creation of any new offence invites comment on enforcement. My hon. Friend the Member for Hampstead and Highgate (Sir G. Finsberg) has already intervened on that point. This Bill is no exception. I spoke to the police and others, when formulating the provisions on enforcement. I am satisfied that the powers and expertise necessary to enforce the offences are available. I have no doubt that it would be possible to extend the powers currently available to gather and present evidence. I know that the House takes police powers seriously, but we should not change them without a convincing case.
I propose no provisions to reform the law on evidence. Under the current law, computer records would, in principle, be admissible. There is no firm evidence that the law is deficient and no consensus about how it should be changed if deficiencies were found. If, following enactment of the Bill, it were thought that the law in respect of evidence needed to be changed, that should be referred back to the Law Commission for further consideration.
The Law Commission recommended against reform of the existing law on evidence and I am prepared to accept its advice. If any hon. Member is still not satisfied on that and if we achieve a Second Reading, we could discuss the matters in depth in Committee. I am not yet convinced that the Bill needs to say anything on evidence.
People have expressed anxiety about the Bill because many of the people with the skills to commit the offences are juveniles under the law. I have been asked how my Bill will apply to them. My answer is that it will apply in exactly the same way as the general criminal law. The law lays down rules for the treatment of offenders between the ages of 10 and 20. The law would affect them in the same way, but the manner of trial and the penalties available are different. Nevertheless, I hope that the Bill will be as great a deterrent to them as to everyone else.
The Bill does not aim to cover electronic eavesdropping which is the remote monitoring of electromagnetic emissions from computer equipment. But certain forms of eavesdropping could fall within the meaning of access, as described in clause 18. There is insufficient evidence that eavesdropping is a serious mischief. If I included it in the Bill it would raise wider sensitive issues, outside the scope of the Bill.
1141 Clauses 6 and 7 and 8 to 11 are closely related and cover jurisdiction. Here again, I am indebted to the Law Commission. Its computer misuse report set out the rules that should operate in offences where cross-border activity is a significant feature. Its detailed recommendations are spelt out in "Jurisdiction Over Offences of Fraud and Dishonesty With a Foreign Element"—Law Commission report 180, which was published in April 1989.
Currently the rules provide that United Kingdom courts have jurisdiction only if the offence is regarded as taking place in the United Kingdom. That implies that the last act or event necessary to complete the offence took place here. Those rules are unnecessarily restrictive and are inadequate to deal with computer misuse committed across national boundaries, as happens more and more today. it is intended to make it possible to prosecute for the computer misuse offences if the accused or any affected computer was in the United Kingdom at the relevant time. In doing that, the Bill is trail-blazing. It will be the first piece of legislation to which these new elements on jurisdiction have been added.
I also intend to make parallel changes to the rules on the associated offences of conspiracy, attempt and incitement. I confess that those apparently straightforward provisions appealed to me greatly, so I was staggered when I saw the statutory provisions—the words in the Bill—that are needed to make them work. No doubt hon. Members who turn to the relevant pages in the Bill will be puzzled, too. I am reassured that the complexity of the provisions is necessary to keep the jurisdictional reach within acceptable bounds and to ensure that the provisions will make sense when read with the existing body of law.
The House will know that I am no lawyer, but my advice comes from impeccable sources and I ask the House for its trust on this matter. The detail can be examined in Committee. For the most part this is a Bill which even I can understand on a quick read. The House is indebted to the draftsperson. She has done a remarkable job. Although it is conventional not to mention names, the House should commend her on the way in which the Bill has been drafted. With private Members' legislation it is vital that the drafting is good. Hon. Members will appreciate that the time wasted on redrafting such a Bill can have a serious effect, especially as time is of the essence to get it onto the statute book.
Clause 12 contains "savings" for law enforcement powers under the Police and Criminal Evidence Act 1984, the Finance Acts 1985 and 1988, the Wireless Telegraphy Act 1949 and common law enforcement powers in Scotland. It preserves the authorities' existing powers to access computer records and to enter premises and access computers to obtain data in exercise of their investigatory powers without, committing the offence of unauthorised access which is provided for in clause 1.
Clause 13 provides that proceedings must be brought within six months from the date when the prosecutor decided that a prosecution was justified and not later than three years after the offence was allegedly committed. Clause 14 provides for the courts to convict a person of a clause 1 offence, the basic offence of unauthorised access—the long-stop offence—ven though the court might have acquitted the person of clause 2 or clause 4 offences. Equivalent provisions for Scotland in this respect are set out in clause 15. Clause 16 covers extradition and clause 17 1142 contains certain provisions needed to give proper effect to the Bill in Northern Ireland. Clause 18 covers interpretation.
This is a well-thought-out and well-defined Bill. It deals with specific mischiefs that I have no doubt are serious enough to merit the attention of the criminal law. I hope that the debate will dispel] any lingering belief that the computer hacker is some sort of Raffles of the microchip, a harmless irritant whose principal damage is to his own telephone bill. It is impossible to draw the line between a mischief-maker and the dangerous nuisance or professional criminal.
It is time for Parliament to say that hacking is always serious, even if the intention is mere mischief. I believe that it is time to give the Bill a Second Reading.
§ Mr. Norman Hogg (Cumbernauld and Kilsyth)I find myself in a rather strange position. I used to attend the House every Friday morning when I was the Opposition's deputy Chief Whip. When I was finally paroled from the Whips' Office I said to myself that I would attend the House on every Friday to speak on everything as it offers a wonderful opportunity for hon. Members to do so. The packed Opposition Benches clearly demonstrate that this morning. Everyone will be relieved to learn that I have not spoken every Friday, and that I have reserved myself for this occasion.
I congratulate the hon. Member for Romsey and Waterside (Mr. Colvin). He described himself as being computer illiterate, but he did not come over as such. He made a most competent and authoritative speech which demonstrated that he is thoroughly conversant with every provision of the Bill.
The hon. Gentleman is also to be congratulated on managing to draw a place in the ballot for private Members' Bills. We know that Government Departments are not happy with the private Members' Bill procedure because they always wonder what will happen and Ministers do not know what may be in store for them. On the basis of experience, I believe that such Bills must be short, well focused and clear in their objectives. This Bill fulfils those criteria.
I also congratulate the hon. Gentleman on his broadcast this morning on the "Today" programme on Radio 4. He argued his case concisely against a well-informed and well-organised opposition. That programme has a massive national audience and it was important for the Bill's case to be made on it. The hon. Gentleman succeeded in making that case, and I believe that the Bill will be well received.
So often a specific industry or interested parties seek to knock the proposals in a private Members' Bill and to suggest that it does not represent good legislation. They argue that the Government alone should introduce such legislation. The Bill, however, is well drafted—I do not believe that anyone who has read it would disagree—and I do not expect that it will detain us long in Committee.
§ Mr. ColvinDoes the hon. Gentleman agree that there are some advantages in this subject being dealt with in a private Member's Bill? We are attempting to maintain the precarious balance between introducing a new criminal law and police powers. If the Government had introduced 1143 such a Bill, it might have been heavier and, therefore, might have provoked a certain amount of opposition. As it is, the Bill has all-party support, which is welcome.
§ Mr. HoggI am aware of that and it is welcome. If its sponsors propose to be members of the Committee, it will be a useful Committee and I am sure that there will be a great deal of interest in it. When the Minister replies, I hope that he will welcome the Bill and that he will say that there is no need for extensive alterations to it.
The case for such legislation was first identified in Scotland. It is amazing what comes out of Scotland. I can say with conviction that it is a country where the question of law and the making of law is tackled cautiously. We are properly jealous of what we do with our law. Part of the agreement which led to the Union was that Scottish law would be maintained. I am no lawyer, but the basis of law in Scotland is different from that in England and Wales.
§ Mr. ColvinI cannot resist intervening because, as I am three quarters Scottish, I agree entirely with what my hon. Friend has said. It may interest him to know that in a reckless moment I thought of introducing a simple one-clause Bill that would bring all the laws of England and Wales into line with those of Scotland.
§ Mr. HoggThe case for the Bill gets stronger and stronger. [Interruption.] The Minister intervenes from a sedentary position and, as a member of the Chairmen's Panel, I must say that that is most improper.
In 1984 the Scottish Law Commission made a report on what changes should be made to the law in this respect. The report was published in 1987, and I am pleased that the hon. Member for Romsey and Waterside saw fit to have regard to the needs of the law in Scotland.
The Bill is wanted by industry, and we have been well briefed by the Confederation of British Industry. I do not always agree with the CBI and I do not know what my hon. Friend the Member for Kirkcaldy (Dr. Moonie) will say, but the briefing paper from the CBI makes it clear that it wants the Bill. I also believe that the computer industry will welcome the Bill because it cannot build into its technology the necessary safeguards to prevent hacking or other offences. At the moment such safeguards are technically impossible and, therefore, the law must fill the gap. That is important. The hon. Gentleman was right when he said that companies throughout the country have branches that are linked by computer. A few years ago the only tool to link them was the telephone, but now computers and information technology provide that communication.
Only a week ago I visited two companies in my constituency, both owned by British Oxygen—Transhield and Storeshield. They control the stock for Marks and Spencer. All Marks and Spencer's goods, as far north as Inverness, as far south as Warrington and west to Belfast in Northern Ireland, come from my constituency where a massive stock is held. Each day, and almost every hour, trucks leave the company for all the Marks and Spencer stores in the huge area of the United Kingdom. The stock control—filling the trucks and despatching goods—is done by computer.
I do not believe that Marks and Spencer's computers would be broken into or that its competitors would seek to do that—of course not. However, other companies that 1144 control their organisations by computer might be vulnerable to the kind of offence that this measure seeks to regulate. Therefore, the measure is worthwhile.
§ Miss Emma Nicholson (Torridge and Devon, West)The hon. Gentleman may already know, or may like to know, that I have just received an answer from Marks and Spencer to a survey that I carried out last year. I have a letter dated 18 January 1990 from Mr. Andrew Steet, the manager for finance and computer auditor, who must be known to the hon. Gentleman. In it, he says that he supports the measure and is happy to be included in any further debates and surveys although, quite properly, as the hon. Gentleman said, Mr. Steet has stated that, to the best of his knowledge, Marks and Spencer has not been affected by computer viruses or hacking. However, the company sees the dangers and warmly commends the measure.
§ Mr. HoggI am grateful to the hon. Lady, whose point serves to underline my own. I did not know that Marks and Spencer had expressed a view about the matter. Clearly what it says underlines the fact that it could face unfair competition due to the use of unlawful means. The Bill will get round that problem.
The hon. Member for Hampstead and Highgate (Sir G. Finsberg) referred to policing. I shall certainly want to know about that in Committee. I thought that the hon. Member for Romsey and Waterside dealt with that, but perhaps we can go into it in greater detail later.
The Bill is a good example of a private Member's Bill and it will reach the statute book, which must please the hon. Member for Romsey and Waterside. We shall have brought the law to a sector where it does not presently exist. It will do a great deal of good, and I am sure that the House will support it.
§ Mr. William Powell (Corby)It is always a pleasure to follow the hon. Member for Cumbernauld and Kilsyth (Mr. Hogg) and, on this occasion, reflect on his proud statement about the wonderful things that come out of Scotland. As a Member of Parliament who represents at least as many Scots as most Scottish Members, I heartily concur with his statement that wonderful things and people come out of Scotland, including my hon. Friend the Member for Romsey and Waterside (Mr. Colvin).
I congratulate my hon. Friend on his immense good fortune in securing a leading position in the ballot for private Members' legislation and having the good sense to take up this Bill. It has been made perfectly plain to the House today that this is a necessary measure, and I congratulate my hon. Friend on sponsoring it.
I should like to join in the warm tribute that he paid my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson), who has played a most distinguished part in preparing public and parliamentary opinion for the necessary change in the law that we are considering. Without the slightest doubt, without her active and committed sponsorship, those changes could have been delayed for quite a long time, with immense potential damage to the industry and public.
I declare two interests. First, in my misspent youth I was a practising member of the Bar and spent much time dealing with criminal work. The Bill involves the extension of the criminal law into subjects that are imperfectly 1145 covered at present. My interest is indirect because, alas, I no longer practise. However, I hope that at least some of my erstwhile friends will enlarge their knowledge of human behaviour as a result of the Bill.
Secondly, I am vice chairman of the Federation against Software Theft, commonly known as FAST. The House may recall that five years ago I sponsored a change in the copyright law in the Copyright (Computer Software) Amendment Act 1985, which cleared up uncertainties and difficulties for the software industry. Since the passage of that Act, I have remained actively interested in the subject and more recently have been involved in trying to eradicate breaches of the Act and the criminal law by pirates in the software industry. I have a large range of contacts in the industry, and all of them have been immensely impressed not only by the way in which my hon. Friend the Member for Romsey and Waterside has taken up the case, but by the rapid way in which he has mastered what can be a most difficult subject. Through its vocabulary and scientific mechanisms, it is almost designed to deter those of us who had a rather more primitive education than that currently available to our children.
I introduce a slightly critical note. I was disappointed, as were so many in the industry, that the Government did not decide to introduce this as a Government Bill. Private Members' legislation has certain advantages, but it has one massive disadvantage: it is the subject of arbitrary processes. It was perfectly plain from the Law Commission and the consultation processes both in Scotland and England that there was a problem that needed to be urgently addressed. My hon. Friend the Member for Torridge and Devon, West addressed the problem when she first brought the subject before the House and has pursued her campaign to change the law in a most determined way. I know that she would have wished to introduce the Bill if she had had the good fortune in the ballot that my hon. Friend the Member for Romsey and Waterside has had. He knows that if I had had the immense good fortune to come top in the ballot I would have sought to introduce the Bill, as would other hon. Friends and even the hon. Member for Cumbernauld and Kilsyth (Mr. Hogg).
However, there was always a real chance that the hon. Members who emerged at the top of the ballot might have had other priorities and this measure might have missed the legislative process in this Session and, who knows, in the next Session as well. The best way to deal with openings in the criminal law that emerge as a result of scientific and technological development is for the Government to take the initiative when it becomes plain that that mischief must be quickly eradicated.
§ Mr. ColvinMy hon. Friend has raised a valid point which I touched on in an earlier intervention. When the Law Commission makes a report it usually attaches to it a draft Bill. In this case the Law Commission report was produced in October and there was no time to attach a draft Bill to it, although to some extent that illustrates the degree of urgency in producing the report. As the House knows, by that time the Government have usually agreed the contents of the Queen's Speech. There is a limit to the amount of legislation which even this Government can force through the House. The extension of the criminal law 1146 requires careful thought. Because it is a private Member's measure, the legislation cannot go too far, and that is always the danger.
With respect to my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson), her measure may have gone further than mine, and had she succeeded in getting her earlier measure debated on the Floor of the House it might have been resisted by certain elements within the House. My hon. Friend has raised a valid point, and if the Minister of State catches your eye, Mr. Deputy Speaker, he will probably explain why it was not a Government measure.
§ Mr. PowellI am immensely grateful to my hon. Friend for that explanation which may have helped to show people outside why the Government did not include this among the measures outlined in the Queen's Speech as part of their legislative programme for this Session. I propose to leave that point, save to say to my hon. Friend the Minister of State that no one is a more welcome companion than a sinner who has repented. I know that, whatever may be the explanation why it was not in the Government's legislative programme, we can now expect from him the most robust and enthusiastic support for the Bill as it progresses through Parliament.
The main burden of my speech concerns police and enforcement. My hon. Friend the Member for Hampstead and Highgate (Sir G. Finsberg) raised valid points which the hon. Member for Cumbernauld and Kilsyth commented on absolutely correctly. I have some experience in law enforcement in these difficult areas which are rather different from ordinary police activities. Some years ago, when we were dealing with software, it was perfectly obvious that chief constables and members of the police forces regarded it as an unusual area of activity to which they might be reluctant to commit the necessary resources to ensure that those engaging in criminal activities were brought to justice. Then a special unit was established by FAST to collect, collate, analyse and prepare evidence for placing before prosecuting authorities in Britain. That unit, headed by a former chief superintendent in the Metropolitan police, has become the most expert unit not only in Britain but throughout Europe for tracking down computer criminals. That expertise is widely sought within the industry and internationally.
It may be necessary for those people who are affected by computer hacking to group together, just as the software industry did, to ensure that they engage in the collecting, collating and preparing of evidence to place not before the court but before the police and the prosecuting authorities to assist them in carrying out their responsibilities to the public and Parliament. I want to pay tribute to the way in which chief constables, the Crown Prosecution Service., the Director of Public Prosecutions and the Lord Advocate have been extremely helpful in dealing with various software matters which often involve substantial breaches of the criminal law.
By extending the law to cover computer crime the Bill will make the enforcement of a civil law, which is even more important, much easier. There are often hurdles to overcome in the preparation of necessary civil proceedings, but if one can ultimately fall back on the criminal law it is often easier to get the necessary civil admissions to avoid the danger of criminal conviction and so ensure that the civil law works more effectively. That has certainly 1147 happened in the software industry, and I expect that it will be an inevitable consequence of the Bill. I hope that my hon. Friend the Minister of State will comment on the international dimension. It may not be appropriate to include the international dimension in the Bill, and certainly I have no proposals to make to the Standing Committee in that regard. Of couse, computer crime is often international crime. It is all very well for us to have an effective law in Britain, but we must ensure that similar laws exist in other major countries. The really serious criminal activities are likely to be netted through international co-operation across frontiers rather than by laws which are limited to activities in Britain. Of course the proof of guilt in British courts will be exactly as it always has been, but cross-border co-operation is becoming increasingly important.
Yesterday I received a letter from a constituent who is a leading official in one of the world's leading banks. He asked me to support the Bill, and I am happy to assure him that I do so with enthusiasm. I do not suppose that he would have taken the trouble to write to me unless his bank was being troubled by hacking activities. That illustrates the menace that the Bill seeks to address. My hon. Friend the Member for Torridge and Devon, West, in a seminal article in The Times last April, identified some of the specific activities of hackers and the consequences of their hacking in financial and other terms. But specific evidence of individual cases is hard to come by because of quite understandable reticence about commercial activities and confidentiality. When such an important official troubles to write to a Member of Parliament about a specific piece of legislation, knowing the background of his career I have not the slightest doubt that the menace of hacking and its consequences is widespread.
Hacking may be innocent fun for some, but it is burglary. Much of the problem of dealing with computer crime stems from the fact that what would otherwise be perceived to be criminal activity, because it involves computers, is often thought of as being entirely innocent and, in some cases, just good clean fun, which is what the first offence that my hon. Friend proposes seeks to address. But there is malice in so much hacking and it is extremely important to punish the malicious.
§ Mr. ColvinI am glad that my hon. Friend has touched on that point, because it has also been suggested that the hacker actually provides a service to society, and we should thank him because he is identifying weak links in the network chain and systems which are insecure. He may well be doing that, but if companies really need that service they can authorise the hacker to access and if he has the authority to test the system he is not committing the crime provided for in the Bill.
§ Mr. PowellMy hon. Friend makes a valid point. I am unable to accept the argument that the house or warehouse burglar performs a public service by breaking into premises and revealing shortcomings in the security system. The hacker who says that he is performing a public service is doing exactly the same as the burglar who advances by way of mitigation the argument that he is performing a public service. In my time I have advanced many interesting arguments to Her Majesty's judges about why clients should receive prison sentences less severe than 1148 those that they were about to receive, but I have never had the cheek and the gall to suggest that such a line of mitigation would be likely to commend itself to judges.
We must think of hacking as a form of burglary. We must stigmatise such criminal activities for what they are. Because computer buffs use a different vocabulary and have a method of thought different from the conventional method that we all use does not alter the fact that the principles of criminal law are just as clearly at stake.
We must also bear in mind that, although some criminals will always stick to the traditional areas of robbery and violence, the more sophisticated ones will move into areas where they will hope to get ahead of the law enforcement agencies who will be unable to catch up with their dishonest activities. The Bill will go a long way towards making it perfectly plain to such people that they will engage in such activities at their peril. If their malice and greed are considerable, they will face the same sort of penalties that are imposed on people engaged in more conventional forms of fraud.
This is an excellent Bill, and I congratulate my hon. Friend the Member for Romsey and Waterside on his good luck and judgment. I wish the Bill godspeed and I enthusiastically support it.
§ Miss Emma Nicholson (Torridge and Devon, West)I am glad to be able to support the Bill and I am grateful to my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) for including me in his list of sponsors. We have a hefty batch of sponsors with a great deal of knowledge, as has been demonstrated by the hon. Members who have spoken.
This is a Bill of great importance, and in years to come society will thank us for it. I see it as the beginning of a package of computer misuse legislation. It builds on the Copyright (Computer Software) Amendment Act 1985. It also builds on the tremendously influential and important Copyright, Designs and Patents Act 1988 which followed it and which modified and built on the original clauses that were in the original Bill.
A private Member's Bill in the context of computer law has thus already proved its worth. The route is excellent and can lead to good legislation. After all, the Copyright, Designs and Patents Act is now the model for the directive from Brussels on copyright for computer software throughout Europe. People in the British computer industry who worked on the Act advised Brussels on how to frame the directive.
As my hon. Friend the Member for Romsey and Waterside said, it is not easy to translate very technical potential crimes into easily understood legislative words and phrases. We are fortunate that the computer industry speaks English. Hon. Members have said that perhaps it is not a form of English that comes easily to the ear. Hon. Members are highly literate and well versed in the English language, and the very brevity and simplicity of computer language may not fall easily on them. Those of us brought up on duodecimal and binary notation believe that the clarity of methemical thought is infinitely superior to the English tongue and, to us, the simplicity of computer language greatly commends itself. The English language now reigns supreme throughout the world and that is 1149 probably due to the computer and aviation industries rather than to the beauties of Shakespeare, the Bible and the Book of Common Prayer.
§ Dr. Lewis Moonie (Kirkcaldy)What about Greek and Hebrew?
§ Miss NicholsonMy copy of the Old Testament in Hebrew is, sadly, not opened very often.
Through the adoption of the English language as the computer tongue, the computer world has spread so widely that it has become international. That has been mentioned. It is so international that the very beginnings of the computer language in French have long since gone into oblivion. When talking to a French computer specialist no one thinks of a computer as a cerveau electronique. The very idea of an electronic brain makes one feel a little uncomfortable, but the word computer is international.
It is international because computer hardware has tumbled in price. Unlike the prices of so many consumer durables, hardware prices have gone down and down and so has the purchase price of computer software. The marvellous breakthrough is that computers have not just become human friendly, but are used everywhere. However, the very cheapness has brought an enormous problem. The simplicity of use and the widespread investment by companies and individuals in computers means that anybody who wants to can have access to a computer. It is also easy for people to have access to other people's computers.
The open-systems interconnection was introduced in 1978 when the great mainframe manufacturers agreed to make computer hardware and software interchangeable for practical purposes so that users could have free competition and free choice. People were able to buy one piece of equipment or software from one manufacturer and compatible equipment from another, whereas in the old days compatible equipment was available only by buying from the same manufacturer.
The introduction of open-systems interconnection has meant free access into other people's systems, and that freedom of access has attracted the criminal fraternity. I do not mean a burglar in an old-fashioned eye mask carrying a jemmy and with a sack over his back who, I hope, will end up in striped pyjamas in Dartmoor. I am talking about some very unpleasant people in the international criminal fraternity.
§ Mr. ColvinMy hon. Friend is canvassing for more constituents, but there is a point that needs to be made. We all welcome the introduction and development of open systems of which the Unix system is one. Without legislation that is agreed internationally, to the effect that unauthorised access is a crime, there is a real danger that owners of computer network systems will be encouraged to erect ring fences of security around their systems. One has in mind university systems that are useful for sharing information and data. Without the law to convict unauthorised users of those systems, there is a danger that the systems will be less open and less available and that society will suffer as a result.
§ Miss NicholsonI fully agree with my hon. Friend. The introduction of Janet, the joint academic network, has led to an enormous exchange of intellectual knowledge between universities, but it has also opened up those 1150 universities to unpleasant intruders. Under excellent Government initiatives, universities and research institutes are now undertaking private contracts. I am thinking of the movement towards near-market research which means that many Government-sponsored institutes take on outside contracts. They may undertake contracts that involve commercially sensitive information and which have wider implications. One professor told me how difficult it was for him to leave his computer on-line in the evening, having used it for some important research, knowing that in the morning he would wake up wondering whether someone had used it overnight to rifle a company's files, or even data about his students or his research. Janet and the open network system make it difficult to maintain confidentiality.
The Open university has suffered immense harassment and is being compelled to change the way in which it educates its students about computers. That university's telephone bills have risen dramatically and most unfairly because its computers have been used as a launch pad by hackers wishing to enter other computers internationally. If one thinks of it in ordinary terms, the university's telephones have been used to call computers in the United States and elsewhere in the world. Those of us who also receive large phone bills may sometimes wonder if hackers have not used our numbers through which to make their calls, because current technology makes that possible.
§ Mr. ColvinIf my hon. Friend will allow me to intervene again, and if you will permit me to do so, Mr. Deputy Speaker, it may remove the necessity for me to catch your eye later to wind up the debate.
My hon. Friend's point emphasises the importance of proper audits. She may recall that a book entitled "The Cuckoo's Egg" revealed that a deficit of only 75 cents in the accounts of an American university led to a major investigation into computer hacking, which unearthed an international network of intrigue and espionage that was extremely damaging to the western powers.
§ Miss NicholsonIt is crucial that proper audits are undertaken, and audit partnerships are in the forefront of those supporting the Bill. My hon. Friend referred also to Clifford Stoll. It is unlikely that we shall ever see as a Member of this House someone having his intelligence quotient. He has been attacking the international hacking problem, with the consequence that a case will soon come before the courts in West Germany. However, proper auditing remains crucial.
My hon. Friend the Member for Romsey and Waterside referred to the somewhat unflattering description of myself that he received through a network. I am pleased that those responsible recognise that the dominant industry in my constituency is not computer hacking but the production of milk. I may tell the House that one farmer in my constituency was overheard remarking to another, "I cannot understand why she is worried about commuter hacking. We don't go to London to work."
My hon. Friend made the point that the Bill will offer protection to bulletin board users. None of us wants to interrupt the free flow of information between bulletin board users, most of whom are private individuals who enjoy using their personal computers for exchanging information and knowledge in a way that has not been possible before. I can cite a particular example illustrating how important it is to encourage and not restrain bulletin 1151 boards. The members of one international club of disabled children use that facility to communicate with each other, gain knowledge and experience, and to make new friends in a way which would otherwise be a physical impossibility for them.
The Bill will protect such users in two ways. First, it will safeguard databases. Hackers are now playing nasty games with bulletin board users, by entering their systems and wiping out databases for no particular reason, but just to be nasty. If one has built up a database in one's spare time in the evening, for example, finding that it has been completely wiped out is a particularly miserable experience. That happened to one club in this country with 20,000 members.
Hackers are also breaking into bulletin board networks with pornography. I was foolish enough—but I have been told that—to ask someone to send me an example. All I can say is that I am very glad that I could not see it moving. It was repugnant. That is a particularly beastly thing to do to private bulletin board users, whose fun and interest is being wrecked by their screens being flooded with unspeakable pornography. Any right hon. or hon. Members or members of the public encountering such pornography should report it to the police.
§ Mr. ArbuthnotDoes my hon. Friend agree that bulletin boards, like telephone chat lines, are potentially beneficial and useful adjuncts to communication but have the potential for being misused? It is not that misuse that should be controlled, rather than the chat lines themselves?
§ Miss NicholsonOf course. At one time, computers were used by only a few professors and very disciplined professionals, to communicate with one another, but the tremendous growth in microcomputing has meant the entry into the arena of the unspeakable. I am confident that the parliamentary draftsman has the fine tuning right, so that bulletin board users will be protected and not squashed out of existence.
There are even nastier implications and even more unpleasant people involved—if there can be people even more unpleasant than those who peddle pornography or force it upon others. The "Electronics and Computing for Peace Newsletter" published last summer shows a bomber and a hand emerging from a computer terminal. It also organised a bulletin board debate on my earlier Bill, even though it had already been withdrawn; that simple fact did not seem to have got through to those responsible. That newsletter commented that my earlier Bill
would have serious consequences for investigative journalists and campaigning organisations who have to gain information in order to maintain democracy. How is it possible to campaign for decent social justice if you do not know what the Government is doing?That was matched by a letter that I received from a Green supporter who is fighting the Bill, who said that for their purposes Green supporters had to penetrate the secret files of companies and Government and that stepping outside the law for that purpose was crucial. That gives some insight into the minds of people who believe that they have a right of access to all knowledge and that everything should be out in the open—and should specifically be open to them.
§ Mr. Ian Bruce (Dorset, South)Have those who have contacted my hon. Friend and told her that they need 1152 access to electronic data also said that they should be able to commit burglary and other such crimes to gain access to information?
§ Miss NicholsonThere were comments on burglary in that same "Electronics and Computing for Peace" newsletter and they bear out what my hon. Friend said.
What is happening internationally? Towards the end of last year the Paris publication, L'Express identified much the same sort of movement and referred to the hackers of Hamburg. According to L'Express, in a few months the hackers of Hamburg were in touch with the Red Army through a contact derived from Amsterdam—it is a very international affair. In under a year the group had accessed and gone through a number of highly protected and important networks, including those at NASA and at CERN, the nuclear research institute near Geneva on the borders of France and Switzerland. They had been through Philips of France, and, through INTERNET, they had gained access to 20,000 American and European naval and military computers. In the same period, an active sympathiser of the Red Army had gone into the electronic mail boxes of the German post, which contained sensitive information emanating from officials and Government bodies. The problem has been identified not only in L'Express but in a mass of other publications; it is no idle worry.
An anarchist magazine called Insurrection—a British publication—gives us the key to the matter:
Information systems and the data they contain have become the backbone of capital and of the State. They could be compared to the blood circulation. What is certain is that the present economic, political and social information can no longer function without this network which is taking on greater and greater proportions.Pages of fine detail follow, telling supporters how to access Government, military and private computer systems. The understanding implicit in that article matches and surpasses the Law Commission's understanding of viruses and networks, and certainly surpasses all our knowledge, in telling us the physical details on how to break into computer systems. The article concludes:Without doubt any revolutionary prospect today also bases inself on the need to destroy the apparatus of dominion through the deepening of a knowledge of the arms which the class enemy has at its disposal.That may be rather poor English, but the message is clear.The Bill is also important on the domestic scene. Increasingly, the Government have sought to maximise our resources and minimise our expenditure by computerisation. That is especially true in the National Health Service. My hon. Friend the Member for Romsey and Waterside, briefly mentioned medical records. It is crucial that we should consider that question because we have computerised hospital and GP databases and the smart card or care card, a concept launched in Exmouth, whereby a small credit card-type card carries a microchip which can link in to a mainframe containing even more medical information. Computerised medical records bring maximum danger for the security and privacy of the individual.
My hon. Friend the Member for Romsey and Waterside has already said that there is no privacy in the United Kingdom and that no value is placed on information. We are unique among western nations in that respect. Nearly every other country has some sort of protection of the citizen's privacy and of information that is kept about him. I believe strongly that we need to 1153 address that concept before too long. It would be wrong, foolish and shortsighted to try to address it in the Bill, which is not about information but about computer systems security. They are two different concepts, and we should remember that a computer can store worthless or invaluable information.
Following the Law Commission's document No. 110 on information, which was published in 1983, I believe that we should most seriously reconsider the question. In the wake of the Bill—once it has reached the statute book—we must look into the problem of information.
I know of cancer victims whose medical records have been accessed. Such patients may not have told their husbands, fathers or employers how bad their cancer is or what their likely expectation of life is and they certainly do not want the information to be given to others without their agreement. They may not—dare I say it—even know themselves; the doctor may have deemed it better to keep the knowledge from the patient, in which case the decision was probably wrong, although that is another matter. In France there are well-documented cases of the most easily visible problem. AIDS victims can be discovered through their blood details and then they can be blackmailed. That is an extreme example but one can imagine other uncomfortable circumstances in which people's medical records are known by others who do not have their best interests at heart. Extremely unpleasant things have happened in the United States, where people have tried to kill patients in hospital by accessing their drug records and altering their prescriptions on computer. It is important to consider the implications as we rapidly computerise medical records in the United Kingdom. I know that we shall have to look into the matter.
The problem also applies to social security records. We have 22 million records on line—that is the number of social security claimants. Not only are those records on line; they are local, and it will therefore be difficult to protect them. With the introduction of the community charge, too, much information about individuals will be collected by local treasurers for the first time and held on computer. The only way in which to manage the community charge economically is to place the information on computer. I have heard of cases in Lothian and in other parts of Scotland where it is said that hackers have accessed district treasurers' computers and wiped out records of people over 18 and alive who are eligible to pay the community charge and substituted dead people's details. In my area, a gentleman who now resides in a grave received a demand for the community charge. The vicar who received the form on his behalf filled in the box in which one is asked to identify the head of household with "God".
I use those examples to point out the increasingly important part that computers play in the administration of Government services locally and nationally. The large computerisation programme being undertaken by the Inland Revenue is also crucial. It is most important that the extensive new computer systems are kept properly secure. The Inland Revenue has properly invested in the best possible security systems in terms of both hardware and software, but even so, that does not allow for the fact that, under current legislation, breaking in—I use that term, although we are not talking about physical break-ins—to a computer system, looking at people's records and corrupting those records is a wholly legal activity.
1154 It is no good saying that people must increase their protection, because hackers are very clever. They will find a way round every form of protection that one buys or creates. That is what they are there for. They make a great deal of money out of it and the German hackers, at any rate, support a drug-based lifestyle on their activities. I was about to say, "enjoy", but I should certainly not enjoy a lifestyle based on drugs. Because drugs are expensive, hackers need to make a great deal of money to support their lifestyle.
Government computerisation has made us all a great deal more vulnerable, as has company computerisation. The City of London money markets, Lloyd's and all sorts of financial organisations that have made Britain financially great and far advanced depend upon computers.
I am proud to say that all the main clearing banks support the initiative to outlaw hacking. I have letters from them all—and from the Bank of England and the great financial institutions of the City of London. The banks have been most public spirited. I do not hesitate to name Barclay's bank. Sir John Quinton was the first to say that Barclays had a problem. He was public spirited enough to stand up and be counted. When I carried out my research 18 months ago, everybody was willing to admit privately that there were problems, but nobody was willing to admit that publicly. Other great supporters of the initiative are the mainframe manufacturers, in particular IBM and DEC. Their chief executives have provided great help. A number of membership organisations have come forward, such as the British Computer Society, where John Brookes and his colleagues have been working so hard, and the CBI where John Banham and Judith Vinson have worked tirelessly on the problem and have been incredibly helpful to all of us.
At this point I ought to refer to the amendments that I intend to table in Committee. If the Committee turns them down, that will just be hard luck on me, but at least they will have been given an airing. They will at some point have to be incorporated in legislation. This may not be the right Bill in which to incorporate them. I shall propose that electronic eavesdropping should be outlawed and that computer evidence be receivable in court. I cannot believe that Judge Pickles will be able to understand how a computer crime may have been committed if he does not have in front of him a couple of print outs. I do not know whether he will ask the sort of questions that his colleague asked about Miss Bordes. I despair of our judges. I should prefer some of my colleagues who are computer literate to be the judges in such cases. They are wasting their talents. They ought to be where they would count.
§ Mr. ColvinMy hon. Friend gave the impression that under section 69 of the Police and Criminal Evidence Act 1984 computer evidence is not admissible in court. It is, in fact, admissible in court. Will she clarify that point?
§ Miss. NicholsonI should prefer to clarify it in Committee or I shall have to deal in detail with my amendments. I know that my hon. Friend does not want me to do that today. There is a time and a place for that.
There are ways in which computer evidence receivable in court can properly be strengthened. The Law Commission thought that the ways in which computer evidence could be receivable in court had not been properly explored. I, and others, believe that it would be 1155 sensible to address the problem now and to incorporate a provision covering that aspect in the Bill. That is why it took the form of a clause in the Bill that I introduced.
Apart from the police needing more resources to track down criminals, we shall also have to consider how the police go about that task. When the police investigate, say, a burglary they have to obtain a magistrate's warrant. That is the way in which the police ought to pursue these almost invisible criminals. I shall also table an amendment on electronic picketing.
As this is an international problem, we must fall into line with our international partners. However much we may wish to retain our sovereignty within the European Community, the fact is that there is no electronic sovereignty. Whether we like it or not, this is one world and we are late in introducing legislation to combat computer misuse.
The Netherlands, the Federal Republic of Germany, Iceland, Canada, the United States and France have already introduced legislation. France introduced a law in 1985. It is a very complicated law because the French language is so refined, with the result that they have gone so far with definitions that they have never been tested. Our law, drafted in English by our parliamentary draftsmen will be capable of being used.
The United States legislated in 1984 against hacking. They are now legislating against viruses. Switzerland's constitution contains a clause that relates to the protection of a citizen's reputation. They have used that clause against computer hackers. Switzerland now believes that comprehensive legislation is required.
Britain is a Johnny-come-lately. I do not accept that the Secretary of State could not have included a Bill covering computer misuse in the Queen's Speech. He has seen the light too late. If a Bill can be introduced now, it should have been possible to prepare one in time for Government legislation. That is where it rightly belongs. I give all credit to my hon. Friend the Member for Romsey and Waterside for having recognised the importance of introducing a Bill on computer misuse and for having taken up the matter with great energy and vigour. I am positive that he will ensure that it reaches the statute book. I most warmly congratulate him on introducing the Bill.
Legislation that may follow may point in two different directions. We shall have to address the problem of access to information. The second problem relates to the use of computers. This Bill is concerned with computer misuse. Standards vary greatly. The amount of information held on computers affects all our lives. It matters, therefore, that high standards, especially in the public sector, should be maintained. The United States has introduced much legislation to cover that aspect. I hope to introduce similar legislation after the Bill reaches the statute book.
I thank you, Mr. Deputy Speaker, for calling me to speak in the debate. I thank in particular lawyers such as Stephen Saxby, the chairman of the faculty of law at Southampton university, the British and Irish legal education and technological associations and other lawyers who have worked so hard to ensure the introduction of this Bill. I commend it to the House. I shall assist in what I hope will be its speedy passage on to the statute book.
§ Dr. Lewis Moonie (Kirkcaldy)I preface my remarks with an apology to hon. Members for the fact that I shall be unable to stay until the end of the debate. I have a pressing family commitment early this afternoon. I apologise to the hon. Member for Romsey and Waterside (Mr. Colvin) and to his hon. Friends and mine for that discourtesy.
I have many years of experience of working with computers. In the computer sense, I remain semi-literate. I know a great deal about what they ought to be able to do and what they can do, but I know very little about their methods of operation. I have used them in industry, in a personal capacity, in my work in the National Health Service and in local government. I can testify to the damage, so eloquently described by the hon. Member for Torridge and Devon, West (Miss Nicholson), which can be done to crucial health care systems. The unauthorised tampering with files relating to diabetes cases has had a serious effect on the management of a group of seriously ill patients. I hope that the hon. Member for Romsey and Waterside will forgive me if I direct mild criticism not at him but at his colleagues on the Front Bench.
The Bill is both important and necessary. It is a belated recognition of the growing and serious problem of unauthorised breaches of, and access to, computer files. The problem is compounded in many cases by interference with or destruction of the material in those files. The motive for many of those acts is simple to understand—human greed. We are all familiar with greed—not with personal greed, but as a general principle.
Although we do not condone theft, we can possibly understand the need or personal circumstances which may drive someone to commit that act. That is not the case with the kind of computer misuse that we are discussing. Very often the people involved are educated professional people and they have the wherewithal to afford to carry out such behaviour.
§ Mr. William PowellI hope that the hon. Gentleman will not overlook the fact that, while greed is obviously important, so is malice.
§ Dr. MoonieI was coming to that. Although we may not accept greed, we can understand it. The motive for malice is more difficult to comprehend. I can understand it thanks to my background in psychiatry. I have seen more examples of the human reasoning behind such apparently senseless and vicious acts which can result in wanton damage to someone's well-being or property.
The motives for malice are very complex. I believe that they are related to the kind of person who promotes pornography through bulletin boards and who then has a secret and nasty chuckle to himself in the security of his own room. They are similar to people who make obscene telephone calls or misuse short-wave radio. There are many kinds of people involved and most, although not exclusively all, are men. Although I have never professed to have espoused the cause of Freud in my psychiatric work, I believe that a profound sexual inadequacy is often related to such behaviour.
§ Miss Emma NicholsonDoes the hon. Gentleman agree that it is extremely unfair that amateur radio enthusiasts are strictly controlled by law, while amateur computer enthusiasts or professionals are not?
§ Dr. MoonieI agree wholeheartedly. The hon. Lady has said that she will introduce amendments in Committee, and the Opposition will look at them with great sympathy and interest to see whether we can support them.
As has already been said, the consequences of computer hacking can be very serious. Information technology, including the storage of data in computer files—which is what we are particularly concerned with today—and the ability to transfer it instantaneously anywhere in the world, plays a crucial role in modern society. Without it, many things that we take for granted would be either inconceivable or, at the least, extremely difficult and time-consuming to perform.
I have had wide experience of computer systems, but I have yet to see one that saves money for the organisation that employs it. The system may allow the organisation to do much more with its information, but sadly it will not save it money. Saving money was always the motive that we advanced in local government when requesting greater and better computer systems to operate our financial management and housing. I have yet to see a system which saves money, but they have become indispensable.
In many cases details of records and transactions are held only in electronic form—certainly only in the immediately retrievable sense. As a consequence, there are vast savings in storage space as the former manual records would have taken up a great deal of room. The electronic systems are therefore particularly valuable for small organisations for which space is often at a premium.
The loss of data in electronic form would be a crippling blow for many social and commercial organisations. One of the nastiest cases involving such loss of data occurred last year when a very worthy charitable organisation had its files interfered with by a so-called computer virus and suffered catastrophic loss of data as a result.
Every authority recognises that interference with electronically held data is growing. However, the true extent of the problem is still, sadly, difficult to estimate. After all, only the most florid examples hit the headlines—for example, major frauds and the so-called AIDS diskette to which the hon. Member for Romsey and Waterside referred. Those obvious examples hit the headlines while others do not. The evidence suggests that very few of the detectable offences lead to successful prosecutions for fraud.
To summarise the present position, I can possibly do no better than to quote the CBI briefing, possibly a rare occurrence for an Opposition Member. The briefing refers to three principles. It states:
There is a need for the law to keep pace with changes in modern information and control technology and its uses.The risks that accompany many forms of computer misuse are considerable.There is substantial evidence of the damage and losses that computer misuse can cause.The case for legislation is overwhelming. As the hon. Member for Corby (Mr. Powell) asked, why must we have a private Member's Bill to introduce this worthwhile legislation rather than the Government introducing their own primary legislation? Most hon. Members agree that action is urgent and necessary. I do not accept the defence that there was not enough time to introduce a Bill because of the timing of the Law Commission report. There may not have been time to mention a Bill in the Queen's Speech, but that did not prevent the introduction last year of a Firearms (Amendment) Bill when it proved necessary. Nor did it stop the Government introducing the Football 1158 Spectators Bill, which was not included in the previous year's Queen's Speech. There are ample precedents for the Government to introduce legislation when there is a pressing need for it.I am a representative of the Opposition Trade and Industry team, and I find it bewildering to understand why the legislation is being introduced through the Department of Trade and Industry and not through the Home Office. The Minister for Industry may have had his arm twisted to deal with the Bill, but he is well versed in the operations of the Home Office and perhaps he can bring that slant to our proceedings.
I am concerned that important and necessary legislation should be subjected to the vagaries of the private Member's Bill procedure. Often over the past few years worthwhile measures have bitten the dust because they ran out of time or because someone was not too keen on the following private Member's Bill and decided to use the present Bill as a means of thwarting someone else.
§ Mr. Ian BruceIs not one of the advantages of the private Member's Bill procedure that we hear excellent speeches from Opposition Members? They look at the measure on its merits instead of deciding how to oppose it?
§ Dr. MoonieI can assure the hon. Gentleman that the Labour party always considers measures on their merits. The fact that we find very little merit in most of what the Government do, does not preclude us on occasions accepting and even supporting measures. However, I accept that the Bill might have been framed more widely by the Government and we might have found more in it on which to take issue.
§ Mr. ColvinFurther to the point raised by my hon. Friend the Member for Dorset, South (Mr. Bruce), supporters of a private Member's Bill are encouraged to make useful and constructive interventions in Committee. However, with Government legislation, they often sit in Committee like a lot of tailors' dummies.
§ Dr. MoonieThat is one way of describing them. That is perhaps an argument for timetabling all Bills and, frankly, that is a measure which I for one would wholeheartedly support in the interests of adequate debate. However, I recognise that there might then be an overwhelming number of very long and boring inconsequential speeches from the Government Benches rather than from the Opposition Benches, as some would say happens at the moment.
§ Mr. William PowellAre we to detect a change in Labour party policy? When the matter was discussed and voted on previously, Opposition Front-Bench Members rejected it.
§ Dr. MoonieIt is an accepted convention that, on Friday mornings when a private Member's Bill is being debated, Front-Bench Members often speak in a personal capacity. I assure the hon. Member for Corby that that is what I am doing. [Interruption.] That was another sedentary intervention by the Minister. I am certain that he will defend his case with his customary vigour. When he defends the Government for allowing the private Member's Bill procedure to be used for this measure, it will be interesting to note by how many decibels his voice rises. I have served on many Committees with the Minister and 1159 I have noted an almost 100 per cent. Correlation—the louder the Minister's voice, the more inadequate his case. Opposition Members will listen with great interest.
On initial reading, the Bill is well drafted, and I compliment those who are responsible for it. The notes are excellent and comprehensive. However, the Bill should cover various degrees of offence. I shall not refer to all the clauses in detail, but I disagree with the suggestion that the Bill should not attempt to define a computer. We need to apply more thought to whether a computer can be defined in terms that are broad enough to act as a catch-all for future development.
§ Mr. ColvinI thought long and hard about definitions. The problem is that it was six weeks ago when I first defined the word "computer" to my satisfaction. That definition is already out of date. The passage of time and the pace of development within the computer industry mean that any definition of a computer or a computer system would soon be out of date. We would have to write in provisions for secondary legislation so that, every year, a Standing Committee could consider the matter and Ministers could redefine what they meant by a computer system. On balance, the matter is far better left to the courts to decide.
§ Dr. MooniePerhaps that is an over-mechanistic definition of "computer". Computers could adequately be defined by function.
§ Miss Emma NicholsonI recommend that the hon. Gentleman, whose acuity I cherish, looks at the French law. It was difficult for the Library to find the French law, but the staff kindly sent for it from France. I was interested to see the definition in French, largely because, when hon. Members were working on the Copyright, Designs and Patents Bill in Committee and I tabled new clause 13 which outlawed hacking for copyright purposes, the French copyright Act was much in my thoughts and reading. The French law against hacking, which was introduced in 1985 and has not yet been tested, amounts to many pages. The French brain, with all its brilliance, loves to define and redefine. The French have ended up with a mammoth Bill that is full of technical definitions which, as far as I can gather, have not been used.
§ Dr. MoonieOf course, there are also the inadequacies of the French language to contend with. We cannot really expect the French language to legislate in English.
§ Mr. Harry Cohen (Leyton)I was interested to hear the hon. Member for Romsey and Waterside (Mr. Colvin) say that he did not include a definition of a computer because it was difficult to do so. Does my hon. Friend agree that that is a rather poor excuse? Does not the lack of a definition create a great catch-all? The law could be brought into disrepute if people are charged with something that the House presumably does not presently envisage will be a crime but which will become a crime because there is no definition.
§ Dr. MoonieMy hon. Friend makes a good point. Hon. Members will be interested to hear what he says on the subject. Perhaps we can return to it in Committee.
I am grateful that Scottish circumstances have been properly covered. That is consequent on the Scottish Law 1160 Commission's report. I assume that the relevant clause has been drafted exactly as it proposed it and that, therefore, there will no difficulty with Scots Law.
I may have some difficulty with two clauses. For example, I should like an explanation of why clause 11 does not extend to Scotland. As a layman, I assume that it is because of some difference between the laws of the two countries. I may also have some difficulty with clause 12. I shall need an assurance that full and proper control will be exercised over access to computer files by the police or any other authority. I am not certain whether anomalies will be created by clause 12. Sadly, it is not inconceivable that a police officer will commit an offence under the Bill, and I should not like him to be protected by the wording of the clause. However, I accept that full discussion can take place in Committee. I have no comments to make about the remaining clauses.
The Bill is generally accepted as being worthwhile and necessary, and it will receive substantial support from both sides of the House. Of course, that does not mean that Opposition Members are entirely happy with it or that we shall not seek to amend it in Committee. I am quite certain that the hon. Member for Romsey and Waterside and some of his hon. Friends will attempt to do so.
There remain several fundamental questions that are probably common to criminal legislation. First, will the Bill provide adequate deterrence? It may deter the occasional recreational hacker, but the seriously disturbed person who perpetrates serious offences may not be adequately deterred by it. People will not be deterred if there seems to be little chance of being caught. Will the Bill be practicable and will the police be able to enforce it? The hon. Member for Hampstead and Highgate (Sir G. Finsberg) asked whether adequate training would be available for police officers to carry out proper investigations. It is easy to assume that the passage of a law makes it possible to convict people under it, but we must catch them first. It is not easy to locate someone who is committing a computer offence. With the development of electronic tracing, whereby a number is accessed—most computers are accessed through a modem—the source of the call can be immediately traced. That matter should be looked at carefully. We may need to make provision for it in the Bill in case there are difficulties. Will inventive minds find some way of circumventing the Bill? I hope that its drafting is secure enough to prevent that.
I support the Bill in principle. Its internal structure is sound, but it is a matter of conjecture whether it will do what it is purported to do.
§ Mr. Gary Waller (Keighley)I congratulate my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) on bringing forward one of the most important private Member's Bills in recent years and on his extremely comprehensive presentation. My hon. Friend the Member for Torridge and Devon, West (Miss Nicholson) must also be considered to be one of the true begetters of this important legislation.
Nobody really knows how widespread computer-linked crime is, both internationally and in this country. I use the phrase "computer-linked crime" because much of the wrongful activity that one associates with computers is already criminal. A great deal of what one might call "insider abuse" by people who work for a company or who 1161 have been dismissed by that company falls in that category, especially when they damage the company's programs or software.
One difficulty is that while we are aware of the tip of the iceberg, we do not know how much lies below the surface. With most crime, people realise that they have had a crime committed against them and it is a matter of detecting who has committed it. However, with a great deal of computer-linked crime, if one is aware that a crime has been committed, it is sometimes possible easily to identify the perpetrator.
There are signs that the activities that have been discussed this morning and other similar activities linked with computers exist on a vast scale. It is interesting to consider the position in Hong Kong because, remarkably, it has been estimated that at least 80 per cent. of the computers in Hong Kong are or have been infected with at least one kind of virus. Indeed, about eight different viruses are doing the rounds. Perhaps one reason for that is that even quite large companies in Hong Kong tend to use pirated software. That is another problem to which the House has devoted its attention and to which we shall doubtless return. That problem is compounded in Hong Kong because the security procedures there are often disregarded. A computer consultant with Price Waterhouse, Mr. Jimmy Mah, has said:
It's quite simple. If I wanted my competitor to go bankrupt I would just anonymously send someone in that company an infected games disk.That happens on a large scale in Hong Kong. I endorse everything that has been said about the Bill not being a substitute for security, but unless there is reasonable security, backed up by legislative provisions, we could face in Britain the dangers that have been well demonstrated in Hong Kong.Some would say that the existing provisions in the law are adequate. However, they have been tested only once or twice. Reference might be made to the famous instance in 1987 when the Duke of Edinburgh's Prestel mail box was penetrated. In what has come to be known as the "Gold and Shifreen" case, the House of Lords ruled that falsely persuading a computer that certain information had originated from a specific individual did not amount in law to forgery.
The applicability to computers of other offences such as false pretences and misrepresentation has yet to be tested by the courts. However, the whole area is shrouded in great doubt. It is right that the House should be sufficiently up to date to take account of the changes in technology that necessitate a modification of our existing law.
As has already been said, some people have suggested that some of the low-level activities that are dealt with in clause 1 do not do a great deal of harm. However, that is doubtful. It is worth considering the valuable work that has been carried out by Mr. Tim Hackworth of the British Computer Society, which has drawn attention to the serious harm that may sometimes have been caused unintentionally. Two French hackers, for example, broke into a life-support system in a hospital's intensive care unit and, perhaps unwittingly, turned it off. There are several known instances of people breaking into air traffic control systems. One trembles to think of the dangers of that. I shall refer later to actions that are being taken in respect of such critical systems. In another instance, somebody who was HIV-positive had his medical records penetrated and was subjected to blackmail. In another instance, an 1162 insurance company's records were penetrated and aspiring burglars had access to information about items that householders had declared as being of special value. Finally, and perhaps most commonly, there are many known instances of disgruntled employees disrupting their firm's records and perhaps taking commercially confidential product information with them in the hope of attracting a new employer or of selling it to the competitors of their previous firm.
The Department of Trade and Industry has done a great deal of work on the safety of critical systems and it is likely that, in future, systems such as those linked to air traffic control will be much more secure. It is important that such systems should not be accessible via the public network. I believe that we can be assured by a great deal of the work that is being carried out in that area.
§ Mr. ColvinAs one with an interest in civil aviation, I have investigated this issue and have been assured that the air traffic control system in the United Kingdom is on a closed circuit and that it is therefore virtually impossible for a hacker to gain access. That is vital, because otherwise one might start a lot of alarmist reporting that would give people the feeling that they were in danger in the air. I am assured that our ATC system is safe.
§ Mr. WallerI am grateful to my hon. Friend. Whatever the secure system, it is absolutely right that it should be backed by the law. It should be clear that there are severe penalties—such as those provided in my hon. Friend's Bill—to show that society regards such activities as absolutely indefensible.
My hon. Friend and others have already dealt with the question of the intention to cause harm and the beliefs of some people about those who indulge in hacking only as a hobby, without any wish to cause harm. It could be argued that drunken drivers have no intention of causing harm, but that would not be regarded as an excuse. Indeed, my hon. Friend the Member for Corby (Mr. Powell) has said that he has never used the defence in court that a burglar had burgled a house for the public good.
That brings me to my next point, about security. It has been suggested that if the security is not very good, that in some way mitigates the offence. It is interesting that in West Germany, where similar legislative provisions exist, the degree of security is taken into account. It would therefore be possible for a computer hacker or somebody who penetrated a system there to argue that its security was inadequate. However, if my hon. Friend the Member for Corby were presenting a case, I do not think that he would suggest that it was a defence that the house had an inadequate lock. Everybody should be encouraged to apply the maximum security, but the fact that such security does not exist to a sufficient extent is no defence for somebody who might be accused under the Bill.
Reference has been made to the arrival of the single European market in 1992. Much work is being done in the computer sector to prepare for that. Open-systems interconnection work is moving along fast. It is a set of internationally accepted technical standards which enable the computer system to operate across national boundaries with almost any other computer system, irrespective of the national or commercial origin of the hardware or software. That makes it even more urgent not only to press ahead with legislation in this country, but to discuss with our partners within the Community and 1163 indeed, outside it, the need for measures in other countries. It must be generally accepted throughout the Community and internationally—to the extent that that is possible—that computer misuse is a criminal act for which appropriate sanctions must exist.
When discussing the damage that can be done, it is worth pointing out that even the police national computer has not been free from penetration. Someone successfully interchanged several criminal records on its database. When he was caught he argued that he had not destroyed, stolen or, indeed, falsified the information, which was still intact. He had simply moved it around. In that case, the person involved was successfully prosecuted for falsifying evidence put before a court. One wonders whether there are other instances where information was not obtained and put before a court because such action was carried out successfully. Here again, we come to the tip of the iceberg syndrome and the need for action to be taken. It is another reason why the Bill is welcome.
I pay tribute to the work of David Frost, who is a partner in the data security group of Price Waterhouse, a company which already has considerable experience in this matter. Mr. Frost has done a great deal of research into the position in other countries. It is interesting that the number of countries with legislative provisions against computer misuse is growing all the time. It includes Australia, Canada, Japan, Holland, the United States of America and West Germany.
Two incidents have arisen recently in north America. In one, four college students were arrested for making $20,000 worth of long-distance telephone calls by using a program that dialled toll-free numbers. The program then took control of the company's electronic switch so that the calls could be re-routed to any part of the world. In another case, a university professor was suspended after making improper use of the university's computer facilities for his own purpose.
A wide range of people are prepared to take advantage of loopholes in the law. My hon Friend the Member for Romsey and Waterside is plugging an important loophole with his Bill. By doing so, he is doing a service not only to the House but to the nation.
§ Mr. Harry Cohen (Leyton)I congratulate the hon. Member for Romsey and Waterside (Mr. Colvin) on winning a high position in the ballot, but he could have chosen a better Bill. I have serious doubts about it, and not because I approve of hackers or believe that those who misuse or gain unauthorised access to a computer are doing something harmless.
The Bill is ill defined. We have heard aleady that it does not define what a computer is. It is lopsided and does not tackle the most important aspects of computer misuse, its implications have not been well thought out. For example, it contains unnecessary criminalisation, and in years to come will affect areas which the sponsor does not envisage.
I wish to make a few comments about the parliamentary process surrounding the Bill and the involvement of the Government and the Law Commission. The Law Commission was harassed by the hon. Member for Torridge and Devon, West (Miss Nicholson) into producing quickly a report on computer 1164 misuse. It is one of the few Law Commission reports that I have seen that has been published without accompanying draft legislation. That haste means that we have no means of comparing the intricate details of the legislative proposals in the Bill with those that would have been produced by the Law Commission.
One difference between the Bill and the Law Commission recommendations that I have noticed is that the sentence has been increased from three months to six months imprisonment. I assume that that is to do with the rate of inflation. Perhaps the sponsor will reply to that point. Is that the only way in which the Bill differs from the Law Commission's proposals? For example, the first sentence of the explanatory memorandum of the Bill says:
This Bill gives effect, with modifications, to recommendations made by the Law Commission in its Report on Computer Misuse.That sentence is unhelpful. If we do not know how the Commission's proposals have been modified, how can we properly discuss the Bill? The sponsor should furnish a complete list of the modifications when the Bill goes into Committee.
§ The Minister for Industry (Mr. Douglas Hogg)The hon. Gentleman asks what the Law Commission would have recommended by way of legislation. If he cares to look at page 35 of the commission's report, he will see a concise and useful summary of the main recommendations. With slight and few exceptions, the Bill reflects those recommendations.
§ Mr. CohenOf course I shall do that. However, the usual process was not employed. Normally the Law Commission produces its own draft legislation which can be compared with the Bill. I take the Minister's point. It testifies to the haste with which the Bill has been brought forward.
On 10 October last year Mr. Peter Casey, the director of computer security at the Department of Trade and Industry, sent out a letter asking for comments on the Law Commission's report by the end of October. He allowed only three weeks for people to respond. The letter said that its purpose was to ask for supporting evidence that would help establish a case for or against legislation. It said that the Government aimed to legislate in the current Session. Clearly he assumed in October that the legislation would be in Government time.
In early November something happened. We had smoke signals from the old fag end himself, the Secretary of State for Trade and Industry. They suggested that, because of the pressure of legislation in the Queen's speech, Government time would not be found for the Bill. In true Marie-Antoinette fashion, he was quoted in the press as saying something like, "Let them find a private Member to promote the Bill."
Private Members' time is precious. It should not be taken over by the Government. The Government may rewrite and help with the Bill, but they should not use a private Member to promote their Bill. We are dealing with a 19-clause Government Bill promoted by a private Member. That is an encroachment on our time by the Government.
§ Mr. ColvinThe hon. Gentleman should direct his remarks at me rather than at my hon. Friend the Minister. If he had been in the Chamber earlier, he would have heard me say that I believe that there is decided merit in the Bill 1165 being introduced by a Back Bencher. If the Bill was introduced by the Government, they might be persuaded to exceed the recommendations of the Law Commission's report, especially with regard to police powers. Perhaps my hon. and learned Friend the Minister will comment on that. My Bill has stuck closely to the Law Commission's recommendations, which have been debated at great length, just as the working paper No. 110 on which the Law Commission based its recommendations has been the subject of debate for some time. Many people gave evidence and many have written in support of those recommendations.
The hon. Gentleman is a strong supporter of the rights and privileges of Back Benchers to introduce legislation. I am sure he would be the first to agree that, as a Back Bencher is promoting this Bill, any temptation to add to police powers—about which we must all think carefully—could be resisted.
§ Mr. CohenI accept that point, and I agree that any Back Bencher may introduce any Bill that he likes, but the signs suggest that this is a Government Bill. It is a big Bill and I agree with my hon. Friend the Member for Kirkcaldy (Dr. Moonie) that there would have been advantages in the Government presenting it. It then would have been subject to scrutiny and the Government would have been obliged to defend its proposals, whether or not they went beyond the Law Commission's recommendations. A barrage of civil servants would also be available to provide information. When the Bill goes to Committee, the hon. Member for Romsey and Waterside and his colleagues may not have all the detailed facts available. The Government, however, could present such details about the change in the law.
It is worth noting the contents of early-day motion 412, which condemns:
the unprecedented taking of Back Benchers' rare prime debating time by a Front Bench Member"—referring to my hon. Friend the Member for Livingston (Mr. Cook), who introduced a ten-minute Bill on the ambulance dispute in an attempt to get it settled—thereby usurping a Back Bencher's customary prerogative.The Government, however, are using Back Benchers' time to introduce this Bill. The hon. Member for Romsey and Waterside and the hon. Members for Torridge and Devon, West (Miss Nicholson) and for Coventry, South West (Mr. Butcher), who are sponsors of the Bill, signed the EDM about Back Benchers' time being usurped, yet here they are supporting a Bill that does just that.The Bill criminalises the act of unauthorised access to a computer, irrespective of the circumstances in which that is done. A person might access a computer to read something that he could obtain in a library—for example, a Shakespearean sonnet. Such an act will become a criminal offence subject to six-months' imprisonment. By contrast, an unauthorised person who reads the most sensitive manual files can get away with it, but such action is far more offensive.
We would be misleading ourselves if we believed that the Bill is anodyne or uncontroversial. The heated argument that occurred when the British Computer Society had a meeting on 27 November in a Committee Room of the House demonstrated that. That argument was between Professor Brian Niblett, a Home Office adviser and an eminent specialist in computer law, and the hon. Member for Torridge and Devon, West. My researcher, together with about 130 computer specialists 1166 and barristers, was present. At the end of the debate the vote was close, 3:2 in favour of the Law Commission' proposals, which demonstrates the depth of division about the Bill.
That division was highlighted by the press release from the Data Protection Registrar, whose job is to achieve a balance between the users of personal data and the individuals affected. The headline ran:
Some Hacking Should Be A Crime"—not all—But exclude younsters for simply misbehaving".The Bill is all about hacking and the press release stated:In response to the Law Commission, the Data Protection Registrar has given his views on 'hacking' into computer files. The CBI recently commented on these views. The Registrar, Mr. Eric Howe, supports the criminalisation of some cases of hacking, but emphasises the duty of computer users to protect their own systems and data adequately. 'This is not a simple issue', Mr. Howe said.The promoter of the Bill is treating it as such because he is treating all hacking as illegal. Mr. Howe continued:I take the view that, rather than creating a single blanket offence, a selective approach is more appropriate.One offence should be related to an intent on the part of the 'hacker' to gain some advantage for himself or another, or to damage another person's interests. A second category could arise when actual damage is caused to data or software, whether inadvertently or not. And finally an offence barrier should be established for some particular kinds of systems which affect the health or safety of individuals and with which any attempt to interfere might endanger life. These could include, for example, air traffic control and medical systems.Mere misbehaviour, for example by youngsters, is not a matter which we normally would seek to criminalise unless it has some significant effect. To criminalise all unauthorised access or attempts at accesss regardless of whether there is damage or risk of damage would be to take a serious step which I find hard to justify as a matter of principle.I believe that it would be wrong to criminalise those who have no criminal intent and create no hazard. This is analogous to a case of trespass where no damage is caused. There may be a case, however, for dealing with persistent unauthorised access.We should not lose sight of the fact that computer users ought to protect their own systems and, as regards personal data, this is a duty clearly established in the Data Protection Principles. You've only yourself to blame if your neighbour's cattle get into your unfenced field.That press release presents a much more sophisticated case for what is criminalised or not than does the Bill, under which all hacking will be illegal.Some barristers are also against the proposals. In The Times of 21 April 1989 Alistair Kelman, a barrister specialising in computer law, said:
The only gap in the law is when a hacker gains access to a computer and just has a look around."—that is the key phrase.But the existing laws of fraud, theft and criminal damage cover cases where financial loss or intentional damage occurs.He queried why those who access a computer just to have a look around should be guilty of an offence. If a hacker breaks into a medical database and uses the information to blackmail someone, he would be caught by the law on blackmail. The hacker who broke into a defence computer and sold its secrets would be prosecuted under the Official Secrets Act 1989. As a result of the Bill, someone who accesses a computer just to have a look round will be guilty of a section 1 offence. The Bill's net is being cast far too wide, and it will lead to many people, some vulnerable, committing a crime where none now exists.The word "computer" is not defined in the Bill. On 13 March 1989 there was a debate in the House at 3 am to 1167 which the hon. Member for Beverley (Mr. Cran) and my hon. Friend the Member for Huddersfield (Mr. Sheerman) contributed. Given its timing, some hon. Members may be unaware of it. The debate was about the lack of legislation covering electronic surveillance devices. Those hon. Gentlemen were rightly trying to pressurise the Government into controlling surreptitious electronic surveillance devices which can be bought cheaply and which are being used increasingly to infringe privacy. The then Minister of State, Home Office, now the Government Chief Whip, said that when controlling such devices there was a major problem about their definition. He said:
The Government are not persuaded that it is practicable or necessary to extend the criminal law to cover electronic or other surveillance or eavesdropping, objectionable though such activities can undoubtedly be. A criminal offence must be clearly defined, well understood and capable of effective enforcement. It would be difficult to define an offence in this area without making it so narrow that it was easily evaded or soon overtaken by new technology, or so wide that it was unreasonable and unenforceable in practice."—[Official Report 13 March 1989; Vol. 149, c. 187.]The Government gave that as a reason why they could not legislate, and yet the Bill legislates without a definition. That approach is inconsistent.If the Bill attempted to define a computer, I appreciate that there would be a problem because it might not cover the next generation of computers. It would have to be continually updated to stay the course. However, it would be better to have a definition than none at all because otherwise the Bill could bring the law into disrepute by making too many actions criminal.
§ Mr. Douglas HoggThe hon. Gentleman has argued the case for defining the word "computer". I am sure that he will keep well in mind the fact that in paragraph 3.39 of the Law Commission's report precisely that point was considered, and the Commission recommended against defining that word.
§ Mr. CohenI appreciate that, but how can the Minister make that point and justify the former Minister of State, Home Office, saying on 13 March that the Government could not legislate against electronic surveillance machines because they could not produce a definition. That is inconsistent. If they could not legislate for such machines because they could not define the word "computer" they should not legislate for hacking. If they can legislate against hacking because they do not need a definition, they should legislate against electronic surveillance. The Government cannot have it both ways.
By omitting the definition, the Bill will not only apply to mainframe and personal computers and other computer technology, but will extend to a range of consumer electronics that currently have, or will have, programmable or computer-type functions. I am sure that the sponsor did not think that that was the case, but it could happen. In years to come, the Bill could apply to a washing machine, controlled by a chip, electronic car locks or programmable compact disc players, light switches, pocket calculators and watches. That is nonsense.
Let us suppose that an hon. Member finds an electronic personal organiser in the street and presses a button to find out whose it is so that he or she can hand it back. He or she would fiddle with the on-off switch, and, under clause 1 of the Bill, could be imprisoned for six months. Let us 1168 suppose that someone gets a brand new Rolls-Royce, parks it in the street and a young, east end lad who is dead keen on cars—there are plenty in my area—goes out, touches it and sets off the computer. He will be committing an offence under the Bill.
§ Mr. ColvinEarlier the hon. Gentleman made great play about the question of intent. The intent must be there. The access may be unauthorised, but unless the hacker intends to get access to a computer system he or she will not be committing an offence.
§ Mr. CohenI take that point. However, the hon. Member for Torridge and Devon, West earlier spoke about how judges will interpret the provision. I would not like to think how Judge Pickles would interpret a lad touching a lock. He might not do it in an attempt to open the car and gain entry, but he might touch off the computer and that could be interpreted as intentional.
London travel cards contain conditions to the effect that they can be used only
by the person shown in the accompanying Photocard".Those cards cost a lost of money and, if the carrier of the card goes through computer ticket machines he or she will have to carry his photocard at all times. We are on to the ID debate. The House has never accepted that everybody must be immediately identifiable, but this Bill does so, by the back door, for people with travel cards. If carriers do not have their photocards with their season tickets, it could lead to six months in the nick for them. The Bill can apply to every-day facilities. Surely that was not the intention of the hon. Member for Romsey and Waterside.Even defining unauthorised access provides further problems. The Bill tries to do this in clause 18(5), which brings into play the employer-employee relationship. At present, someone might use an office typewriter to do a bit of personal typing, such as wedding invitations or matters relating to the local chess club tournament, and an employer would turn a blind eye to it. However, if it is done on a computer and the employee does not have authorised access, under the Bill he or she can be prosecuted and can get six months' imprisonment. That interferes with employer-employee relationships. It would be bad for the employer because the advice to employees would be to use the computer only if they had received specific authority from their employer.
These may seem extreme examples, but that is not necessarily true. A fly-on-the-wall programme in the late 1970s followed the Thames Valley police in their work. At one stage, a constable said to the desk sergeant, "Sergeant, I cannot find anything in the book to charge him with." The sergeant answered, "Go and look in the bigger book." He meant the constable to find an offence to fit the facts. The Bill, drawn as wide as it is, could easily give a policeman who wants to arrest someone the chance to do that when a computer is involved. That is wrong. An offence under clause 1 would have almost universal application whenever any electronic system was switched on.
The Bill is one-sided because it deals with private hackers, but computer misuse is much wider than that. The Government are one of the biggest, perhaps the biggest, computer misuser, yet they are not even touched on in the Bill. I tabled early-day motion 416 about the electoral register. The Government replied that they had no plans to let voters decide for themselves whether they wished their names and addresses to be sold, inform voters 1169 that this had been done, provide guidance on privacy issues to electoral registration officers about the disclosure of information on individuals or protect those at risk should their names and addresses be sold or disclosed—for example, women who had suffered violence from their male partners. That is one example of Government abuse not touched on by the Bill. Why should the Government be allowed to get away with this without let or hindrance and pick on a few private hackers? Why should the owners get away with it without having a duty of care with regard to privacy?
The argument behind the Bill and the Law Commission's report is that we need special crimes concerning access to computers because computers are special and unauthorised access can cause damage. If computers are special, the owners of them should have special responsibilities. We have legislated to the effect that the owners of guns have to keep them in lockable, custom-built storage cupboards, yet computer misuse can also cause death and there is no duty on computer owners to maintain security.
The Bill does nothing to enhance security. First and foremost, it should encourage all computer users to improve all aspects of computer security. The hon. Member for Romsey and Waterside would have done better to pick up the recommendations of the Younger committee in 1972 to criminalise electric surveillance and eavesdropping and to tighten up the Data Protection Act 1984 which is now regarded as one of the weakest of such measures in Europe.
The Bill should not be restricted to hacking. There are three other basic ways in which computer misuse can be prevented. First, the basic security of data should be guaranteed; secondly, the procedures used should ensure that the reliability and integrity of computer operations remain intact and are properly tested; and, thirdly, privacy should be protected. Those three elements are absolutely crucial and are not addressed in the Bill.
§ Mr. Ian BruceI know that the hon. Gentleman has listened carefully to virtually all the debate, but unfortunately he was not here when my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) was introducing the Bill. He will find that many of the points he is raising were adequately covered by my hon. Friend. Perhaps he should read Hansard. I am sure that we would welcome him in the Committee if he wished to pursue those matters.
§ Mr. CohenI did not miss all of the speech of the hon. Member for Romsey and Waterside. I apologise for missing the initial part of his speech, but I was here for the last part of it, and I heard much of what he had to say.
The hon. Gentleman's intervention does not deflect from the argument that private hacking is only a small element of computer misuse. The Government data network is not even considered in the Bill. The Government have recently answered questions from me saying that they are extending their data network into other sectors. How can we discuss unauthorised access to data as defined under clause 18(5) of the Bill when the Government refuse to define their own internal authorisation procedures? Someone might break into the Government computer network and get done under the Bill, yet the Government refuse to define what is authorised and what is unauthorised.
1170 Probably the best and most well-known hackers are the security services. The Bill does not touch them. They have the freedom to hack at will and cause whatever damage results from that hacking. I have raised the matter on a number of occasions. I asked for a code of practice, and the Government refused. I suggested there should be independent oversight of the security services, such as the Data Protection Registrar. He is in place already. The Government should give him independent oversight over the security services if they start hacking and causing damage. But the Government will not do it. The security services represent much more hacking than a few private individuals, yet they are not recognised in the slightest in the Bill.
§ Mr. Harry Barnes (Derbyshire, North-East)Perhaps such measures are being introduced simply because there is concern about commercial practices as computer use has become overdeveloped in certain commercial sectors, instead of concern about the matters that my hon. Friend mentioned. One example was the Government's insistence on trying to develop the football ID card system which they still have in cold storage. Under such a system there would have been a computer terminal in the shed at Halifax Town and it would have been very tempting for some people to interfere with that, given the problems regarding football spectators. Therefore, the Government have to introduce increasingly draconian measures in an attempt to protect their position as they have done in regard to the poll tax legislation.
§ Mr. CohenMy hon. Friend is alsolutely right. The Bill has been drawn very narrowly, confining computer misuse to one group of misusers, and left out all the other groups. The duty of care has been left out altogether.
The best way forward would have been to introduce legislation to enhance the three crucial elements that I mentioned: basic security, integrity and reliability of computer procedures, and privacy, which never gets a look in. There should be duties upon owners of computers. Damages and compensation could be awarded to people affected by computer misuse by the owners of computers or by the Government. A duty of care would require owners of computers and producers of software to produce software that had been tested because if they were taken to court and could prove that the system had been properly tested they would get off, but if it was discovered that it had not been tested and damage had occurred they would be fined, and therefore the available software would improve.
Section 23 of the Data Protection Act should be extended to relate to all data, not just personal data, so that owners who did not take care to maintain the security of their data would have to pay compensation for any damage that occurred. The point made by the Data Protection Registrar about cattle in an unfenced field is right. In fact, it is more serious than that. Let us suppose, for example, that some hacker breaks into an aircraft control system and causes the aircraft to crash. The hacker would go to prison. But if those in charge of the aircraft control system had not taken care they should also be penalised for their slack procedures and should have to pay damages. That is not covered by the Bill.
In summary, the Bill fails to address the three aspects of computer security that most concerns the public: basic security, reliability and privacy. The Bill should provide 1171 that computers will have a special part to play in our future. Computer owners who expect a profit must take special care to ensure that all three aspects of computer security are addressed. The Bill is myopic in looking at only one aspect.
§ Mr. Edward Leigh (Gainsborough and Horncastle)In a way I am relieved that the hon. Member for Kirkcaldy, (Dr. Moonie) is not in his place. To have one's arguments tested by a psychiatrist is bad enough but to have them tested by a computer-literate psychiatrist would give even the most robust Member the kind of nightmares that not even Freud could dream of.
My hon. Friend the Member for Romsey and Waterside (Mr. Colvin) said that in the six weeks that he has been studying these matters closely, things have moved on. However, it seems that some things do not move on, because according to the hon. Member for Kirkcaldy, most hacking is due to sexual inadequacy.
I welcome the Bill as a step forward. However, it is important that the arguments advanced by my hon. Friend the Member for Romsey and Waterside are tested, and that is what I shall seek to do by asking some questions. Friday debates are often dominated by enthusiasts. Although I did not agree with everything that the hon. Member for Leyton (Mr. Cohen) said, he asked many worthwhile questions that need to be answered by my hon. Friend the Minister for Industry.
The Bill is similar to two Bills that we have discussed on Fridays in this Session. They were worthy Bills, but there were problems about enforceability and about whether in some aspects current common law and statute law is not sufficient to deal with the problem.
In terms of clause 1 we seek an assurance from the Minister that the innocent hacker—if one can describe any hacker as innocent—will not be put in an invidious and impossible position.
On clause 2 we want to be assured that existing law is not adequate to deal with the problem. I shall go through those problems and take up some points made in the press by commentators on these issues. The first comment is by Terence Wright who is a computer conferencing specialist. He makes a worthwhile comment when he says:
There is a wide cultural gulf between those who learned computing in 1961 and those who learned in childhood more recently.Is my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson) able to distinguish hitting keys 1980 style from hacking? Can the courts? Will they convict the innocent because they did not do what the manuals said they should do?My hon. Friend the Member for Romsey and Waterside assures us that under clause 1 hacking must be deliberate, but we need reassurances from the Minister about that. Mr. Wright also says:
The great Prestel 'hack', which is so often cited, was a case of a wide-open door, and not of security being broken. There was no security and there should have been.I hope that the Bill will become an Act, but no one would want it to absolve people in the computer industry from being responsible for closing doors. That is their responsibility.1172 We heard much in the debate about bulletin boards. Terence Wright said at some length that we do not want to ban bulletin boards in the same way as in the past people wanted to ban books. Hon. Members have reassured us about that, but perhaps the Minister may also wish to speak about it.
The substantial questions about the Bill relate to clause 2 and whether what it seeks to ban is not already covered by statute law. A person who steals money by using a computer can surely be charged under the Theft Acts of 1968 and 1978. In the case of a person who has access to a database for which charges are made the same Acts can apply. Anyone who maliciously or recklessly deletes or contaminates computer files should fall foul of the Criminal Damage Act 1971.
§ Mr. Douglas HoggNo.
§ Mr. LeighMy hon. Friend the Minister says no, but perhaps he will deal with the matter more fully when he makes his speech because the matter has been raised in the press and should be answered by the Minister.
Anyone who manufactures a magnetic strip card or a password-bearing disk to access a computer could be charged under the Forgery and Counterfeiting Act 1981. Perhaps the Minister will also deal with that. There has been much sensational publicity about access to secrets. Will the Minister assure us that if there is such access the Official Secrets Acts are not sufficient to deal with the problem?
I hope that the Minister will deal with the problem of enforcement. We are reminded that out of 150,000 police officers in England and Wales only five are mainly concerned with computer crime. We have not gone into that in detail. Fewer than 100 have received even the minimum four weeks basic training and the Serious Fraud Office has one computer-knowledgeable official. I read that in an article in The Guardian written by Hugo Cornwall but I do not know whether it is correct. If it is, it is alarming and must throw doubt on whether the provisions of the Bill will be enforceable.
§ Mr. ColvinMy hon. Friend raises an important issue. I have spoken to the police and I have been assured that the courses at Bramshill police college and at Hendon police school include specific courses on computerisation and the issues that are addressed in the Bill. There is also provision for the police to call in expert guidance and assistance, notably from British Telecom which provides the means for networks to be established. My hon. Friend mentioned Hugo Cornwall. Mr. Cornwall has done the country a service by drawing attention to the whole ethos of hacking. He has produced a new edition of "The Hacker's Handbook". If the Bill becomes law he will have to produce yet another edition to take on board the issues addressed in the Bill, or he might find himself straying perilously near to incitement.
§ Mr. LeighI am grateful to my hon. Friend. It is important that we tease out these issues. The Minister for Industry is a former Home Office Minister. I see that he is consulting his civil servants or, more likely, he is giving them instructions. [Interruption.] It appears that he is talking about his lunch. My hon. Friend the Member for Romsey and Waterside raises an important matter and we need to have some answers about what is going on in the 1173 police force. Does it have sufficient resources to deal with this serious problem? The hon. Member for Leyton quoted Alistair Kelman. The quote intrigued me. He said:
The only gap in the law is when a hacker gains access to a computer and just has a look around…But existing laws on fraud, theft and criminal damage cover cases where financial loss or international damage occurs.Was the hon. Member for Leyton suggesting that if someone intentionally has a look around he should not be liable for criminal prosecution? I see that the hon. Gentleman is nodding. "Having a look around" at a computer can cause immense damage and has done so. My hon. Friends the Members for Romsey and Waterside, for Torridge and Devon, West and for Keighley (Mr. Waller) all dealt with the damage that that is doing to industry.
§ Mr. CohenI share the view expressed in the press release issued by the Data Protection Registrar, that
if damage is caused inadvertently or not, then someone should be liable".But if no damage is caused by someone who just enters a system to just look around it, my view is that such action should not be criminalised.
§ Mr. LeighI am glad that the hon. Gentleman amplified his earlier comment, and perhaps my Friend the Minister will take up that point. It is a principle of English criminal law that action must be intentional. Whether an action that is found to be intentional but which causes no damage—though that may be difficult to quantify—can be deemed criminal is an interesting question of jurisprudence which I am sure that my hon. Friend the Minister will want to pursue. A more moderate and sensible comment was made by Chris Pounder, head of the Hoskyns information protection and management division, who agrees that unauthorised access to a computer should not automatically be a crime. He believes that a criminal law could be oppressive, because it would apply only to instances where no theft took place and no intentional damage was done. He says:
Are we really saying that members of staff who make unauthorised use of a firm's personal computer to produce their own CV or to every perpetrator of a childish prank that their misdemeanour is worthy of a criminal record they will keep for the rest of life?One may not agree with that view, but it is one worth consideration by my hon. Friend the Minister.
§ Mr. ArbuthnotThe answer to the question raised in the quote given my hon. Friend is clearly no. The Law Commission says that if one has authorised access to a computer but uses it for unauthorised purposes, one will not be caught by the Bill.
§ Mr LeighI am grateful to my hon. Friend, and I am sure that his point will be emphasised by the Minister.
All hon. Members surely agree that there has been far too much romanticising about hackers. Theirs is not a romantic activity. Tony Fainberg writes that hackers are often not very skilled operators and because that is so, they can cause much damage.
He refers to a particularly worrying case:
The person who put this program together appears to lack fundamental insight into some algorithms, data structures and network propagation. A true expert could have produced a far more virulent piece of electronic vandalism".Hacking damages industry, but we should also cut away some of the sensationalism that it has attracted. A headline on 14 May in The Observer read:Hackers 'teach KGB' to break data secrets'.1174 Although the problem of hacking is serious, the Bill can address it. Perhaps amendments may need to be made in Committee, but I congratulate my hon. Friend .11e Member for Romsey and Waterside on presenting it, and I wish the Bill speedy progress to the statute book.
§ Mr. Michael Grylls (Surrey, North-West)The debate has been very refreshing for two reasons. There has been almost total agreement among right hon. and hon. Members in all parts of the House about the seriousness of the problem of computer abuse, and the debate is concerned with the problems of a modern industry—an industry of the present and of the future. On so many occasions during my time in the House we have spent far too long debating industries of the past.
I must declare a personal interest as an adviser to the Digital Equipment Company for some time. Therefore, I am aware of the deep concern felt by that company and by the computer industry generally about the growing problem of computer abuse.
Information technology, which is most welcome, is used throughout the whole of British industry and commerce. Electronic mail and the other electronic devices used in today's paperless office, which I welcome, replace conventional paperwork by electronic communication. As that has grown, so, too, has the need for new regulations, to bring within the criminal law, and thus eliminate, practices that can damage industry.
Whole new industries depend on computers. My hon. Friend the Member for Torridge and Devon, West (Miss Nicholson) spoke of the damage that can be done by illicit access to health records. She made several good points about the harm that could be caused by people with mal-intent accessing health record systems. I greatly welcome the initiative of my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) in presenting his Bill.
We should nail once and for all all the criticism that is made about introducing such legislation in the form of a private Member's Bill rather than of a Government Bill. Private Members are fully entitled to legislate and I welcome the fact that my hon. Friend the Member for Romsey and Waterside has brought forward a Bill that is so badly needed. It is a waste of time to carp at the Government for not bringing in such a Bill. We would be better employed in congratulating my hon. Friend on the work that he has done and the care and attention to detail with which he has brought the Bill to the House. I am confident that under his guidance, if the House gives the Bill a Second Reading today, it will go through Committee stage healthily, and will become law very soon. I think that we will be grateful to him if that happens.
The proper functioning of the computerisation of personal records, whether medical, data information or whatever, in business and industry is crucial. There is a safety angle as well. Nowadays, many of our great industries, such as steel or the chemical industry and most manufacturing industries involve some computer control and programming. They have to do so to be able to compete in the world. It is a horrific thought that people might have illegal access or fool around with computers. I say, with great respect, to the hon. Member for Leyton (Mr. Cohen) that even if people fool around but do not have criminal or bad intent, they can cause damage and one has to be careful.
1175 It is crucial that the computer programs on which industries depend have proper integrity. As more and more electronics come into British industry, we have to be able to protect them, and to provide a law to do so. If we do not, we will damage competitiveness and could cause loss of life or injury to people working in industry if computer systems break down or go wrong.
Other hon. Members have mentioned the cost of illegal entry to computer systems, and that can be high, but we must also remember that there can be damage, and it can cause loss of life or injury.
I agree with my hon. Friend the Member for Gainsborough and Horncastle (Mr. Leigh) that industry has a prime responsibility to ensure that systems are secure. In exactly the same way as perimeter fences, doors and windows should be secure, it is crucial to ensure that computer systems are secure. However it is right that the Government should bring forward legislation, although a responsibility remains with owners and operators of computer systems to ensure proper security.
As anyone who has ever suffered from a burglary knows, however hard one tries to make something secure, occasionally people break in, and great damage can result. Therefore, it is necessary to introduce a law into this area, and if our industries are to prosper in the computer and electronic age it is right that they should have proper protection.
I hope that the House will give this well-thought-out Bill a Second Reading to enable it to go to Committee, and I wish it godspeed through the processes of the House. I hope that it will become law this year, and very soon.
§ Mr. Ian Bruce (Dorset, South)I agree wholeheartedly with my hon. Friend the Member for Surrey, North-West (Mr. Grylls) about the necessity for the Bill. Like many hon. Members on both sides of the House, particularly on the Conservative Benches, I do not like legislation for the sake of legislation. When I was first approached about the question of computer misuse and hacking, I thought that the law must surely be adequate. I believe that my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) was not an enthusiast for legislation on computers and hacking, but he was persuaded by the strength of the argument and the concern felt by many companies.
I help to represent the views of members of the Telecommunications Managers Association in this place, and they are extremely concerned to protect their companies from unauthorised outside access to telecommunications networks. That concern has been reflected in committees of the House—the parliamentary information technology committee and the parliamentary and scientific committee.
BP is a large employer in my constituency. When it invited me to lunch I thought that we would be talking about drilling at Wytch Farm but it turned out that the company was concerned about computer misuse and hacking and large international companies' problems in seeking to protect their business from such activities. Only last week I went around one of Sainsbury's hi-tech stores. All the refrigerators at that store are controlled by computer, and for purposes of out-of-hours maintenance, those computers are accessible to maintenance staff via a 1176 computer terminal. They were worried that someone dialling into the system and gaining unauthorised access could switch off all the refrigerators.
We must kick into touch the romantic view of hacking. The crucial difference between hacking and other types of damage is that the law does not cover the mechanism whereby access to the information is gained. If a doctor has a row of filing cabinets in his surgery, he can lock them, and although it is probably not an offence to look at the files, it is certainly an offence to break a window or a lock or to force entry to the premises or cabinet to look at the data. The Bill would provide that if one broke an electronic lock, one would be breaking the law as surely as one would by breaking a physical lock. I disagree with my hon. Friend the Member for Gainsborough and Horncastle (Mr. Leigh) and the hon. Member for Leyton (Mr. Cohen) who feel that the matter is already adequately covered and that we do not need additional legislation.
When I read the Law Commission's report, I was worried that someone who dialled the wrong number when trying to log on to another computer would be caught by the Bill. But clause 1(1)(c) makes it clear that to commit an offence one must intend to gain unauthorised access. The point is well covered in this extremely well-drafted Bill, which has my full support.
If one gets a crank telephone call or a hacking telephone call it is often very difficult to trace the caller. I understand from my hon. Friend the Member for Romsey and Waterside that it is already open to British Telecom and Mercury to give the information that is necessary to trace the perpetrators of such crimes. Perhaps we should consider BT making available special telephone numbers so that all those who dial the numbers can be logged. The relevant records are already there, because when one dials a number, BT or Mercury records the call and the charge. But the link between the caller's records, which are already held on computer, and the number itself is more difficult to establish. Such a system would help not only in solving the problem of computer hacking but in dealing with crank calls, threatening calls, and sexual nuisance calls.
I used to work for Sinclair, and I am well aware that companies such as Sinclair, Amstrad and IBM have brought down the prices of computers, giving people easy access to them. Those who believe that it is their God-given right to have access to other people's computers do not need to be put out of business altogether. All that groups of hackers need to do is to set up tests for each other on their computers and say, "You are authorised to try to break into my system." They could create puzzles for each other, similar to crossword puzzles. That would be a harmless enough hobby.
We spent three months getting all the data into the first computer that the recruitment company for which I worked obtained. We did not have access to outside telephone lines, but a computer misfunction caused the data to crash. To find, after three months of hard labour, working long hours and getting everyone involved, that it is impossible to get access to computer data because of a virus can lead to an almost suicidal frame of mind.
The effect of the Bill will be similar to what happened after the law on seat belts was introduced. Few people have been prosecuted under that legislation. The vast majority of people are law abiding; they have observed that law. I believe, therefore, that the hackers, and others, 1177 will decide to play fair by the law and desist from what they are doing. It is a timely and sensible measure which I fully support.
§ Mr. James Arbuthnot (Wanstead and Woodford)An overriding concern has already been mentioned to you, Madam Deputy Speaker—the Minister's lunch. I shall therefore be as brief as possible.
I congratulate my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) on his good fortune in doing so well in the ballot and on choosing to introduce this Bill. One should not believe everything that one reads in the newspapers, but I have read an article which suggests that at first my hon. Friend was disinclined to concentrate on this Bill but that he changed his mind when the AIDS diskette was disseminated throughout the country.
§ Mr. ColvinAnother issue tipped the balance in favour of the Bill. A staggering amount of damage is being caused by computer misuse to UK Limited. I mentioned that it amounts to probably £400 million a year, but perhaps as much as £2 billion a year of damage is being caused to our computer systems. I did not believe that the nation could wait for another year before a Government Bill was introduced; action was needed straight away.
§ Mr. ArbuthnotI agree entirely with my hon. Friend. He is quite right.
My hon. Friend said that he believed that the Bill would make the sending of the AIDS diskette a criminal offence. As a matter of purely technical detail, I doubt whether the Bill would cover the sending of that diskette. I am not sure under which clause it would be caught. If my hon. Friend suggests that it would be caught under clause 4, I refer him to its wording, which is that a person is guilty of an offence if
he does any act which causes an unauthorised modification of the contents of any computer's memory".The writing of a computer program does not cause modification of the contents of a computer's memory. The sending of a diskette through the post to anyone does not cause modification of a computer's memory. What causes the modification is the user of the computer putting the diskette into the computer, switching it on and trying to access that diskette. The wording of the clause ought to be examined to ensure that it catches the kind of virus that was produced by the AIDS diskette.The hon. Member for Kirkcaldy (Dr. Moonie) referred to the sexual inadequacies of hackers. I have seen an article in DEC News that refers, interestingly, to the personality profile of hackers. It says that hackers
may well he unemployed because they spend all night hacking, and lose their job because of poor performance or bad time-keeping, or they may have been sacked for hacking whilst at work. So despite being very intelligent, they find it difficult to hold down a job, and consequently the are often poor. The next stage in the downward spiral is that they find it difficult to reconcile being poor with the fact that they have a tremendous amount of knowledge about computing. This contradiction is usually rationalised in one of two ways. They either go in for fraud, or become 'security consultants' who sell their ability to safeguard your computer system from other hackers, usually after breaking into it, which is little short of extortion.That is an interesting and almost certainly accurate profile of the convinced hacker rather than the juvenile.Various arguments have been raised against the Bill. One of them, which was not ventilated at length today, 1178 relates to trespass. While hacking may be trespass, trespass on to land is not regarded in this country as criminal per se. The argument runs that if that is so, why should entry into a computer be considered criminal?
We have already heard some of the answers to that question. Innocent hackers can cause amazing damage because they might not know what they are doing. In In that sense, an innocent hacker may be like a bull in a china shop. However, there is a more general problem. If a company is aware that its computers have been attacked, it suffers a loss of confidentiality. The company cannot be sure that its computer processes will work in future and that its transactions will produce the intended results. Therefore, the company will have to reorganise all its computer data bases and that will mean that the computers will not be available to the company. If a company's activities are time-sensitive, they may be marginalised and the company might be forced out of business. The latter is an exceptionally serious result of the apparently harmless activity of hacking.
A leader in The Times recently stated:
The Commission's proposals will make it plain that hacking is always serious, even if the intention is mere mischief—that the silly game is finally over.The issue is whether criminal law should be available for trespass into computer systems. We must remember that trespass is criminal in certain circumstances either where statute makes it so or where there is wilful and malicious damage. For example, statute law makes trespass criminal where trespass occurs on certain property and in particular on British Rail property for which fines are rightly imposed. Similarly, it is a crime to trespass on certain property if no damage is done, but firearms are being carried or if someone trespasses in pursuit of gain. Therefore, there are precedents for trespass being criminal and it is simply a matter of statute making such trespass criminal. I believe that computers should be the kind of property on which to trespass would be criminal, because of the damage that such trespass can cause.It has been suggested that if we clean the hackers off the computing networks, we will simply allow computer companies to sell insecure systems. To a certain extent that is true. If we solve the problem of burglars, we might allow people to leave their doors unlocked at night. That might be beneficial for this country. I share the astonishment expressed by my hon. Friend the Member for Corby (Mr. Powell) at the argument that hackers should be thanked for exposing security weaknesses. My hon. Friend expanded that to burglary and I will expand it to mugging. Perhaps we should thank muggers for exposing our physical weaknesses in being unable to stand up to them. That is an extraordinary idea which we should reject completely.
It is true that some forms of computer security should be improved and a great deal can be done. A study of 20 European companies carried out by Coopers and Lybrand showed that 19 had inadequate standards of security which were a real threat to the economic development of those companies. The report said:
The catastrophic effects of poor security are likely to discourage organisations from becoming any more dependent on their network systems.That suggests that there may be a level of complexity in our society beyond which, because of safety interests, we may be frightened to go. If hacking increases our fears, 1179 there will be damage to the cohesion and organisation of our society. That is a perfectly good and sufficient justification for the Bill.
§ 1.4 pm
§ The Minister of Industry (Mr. Douglas Hogg)This has been an unusually interesting debate, not least because it appears to have attracted almost unanimous support for the Bill. It may help the House if I outline the Government's position on the Bill.
I begin, as have other hon. Members, by paying tribute to my hon. Friend the Member for Romsey and Waterside (Mr. Colvin) for having brought forward this Bill and, perhaps more to the point, for having mastered the complexities of the subject and for the persuasive and lucid way in which he explained the Bill and responded to a range of specific questions. In short, the House is indebted to my hon. Friend.
The House is indebted also to my hon. Friend the Member for Torridge and Devon, West (Miss Nicholson). She was kind enough to mention to me that, unfortunately, she has a pressing constituency engagement. She has done more than any other hon. Member to draw attention to the problem of computer misuse. Last April she brought forward a Bill that was later withdrawn, and she has been extremely active in drawing Ministers' attention to the relevant problems. It is right that the Law Commission report should have paid special tribute to my hon. Friend for her special work.
My hon. Friend the Member for Romsey and Waterside instanced the wide range of uses to which computers are put. For example, he said that his name appears on 102 computers. He modestly suggested that the same was true of other hon. Members, but I rather hope that it was particular to him.
Perhaps it is desirable to remind hon. Members that computers are not only a sophisticated way of collating and storing information. Even more important, they have operational purposes, and they are fully defined in the Law Commission's report. Good examples can be found at paragraph 1.15, where hon. Members who are interested in the subject will see a range of operational purposes. They include
world-wide inter-bank fund transfer systems…air traffic control systems, and hospital systems for calculating drug dosagesand many others. We are not discussing exclusively the storage and collation of information; we are also discussing the use of computers as an operational tool. That emphasises why computer misuse can be serious.My hon. Friend the Member for Romsey and Waterside said that, once a system is entered, the owner must spend substantial sums of money and utilise much manpower in putting the system back into good order. However, other consequences can flow. Those who have access to or try to achieve access to air traffic control systems could be putting lives at risk. Those who achieve access to hospital computer records which provide for the delivery of drug dosages could have the same effect.
Hon. Members may have noted the specific case referred to at paragraph 1.16 of the Law Commission report. A factory worker was nearly killed because somebody had misprogramed the program that caused robotic machines to operate and, in this case, to 1180 malfunction. The consequences of computer misuse are therefore capable of being serious and are not limited only to financial issues; they can, in certain circumstances, threaten lives and property.
The Bill closely reflects the contents of the Law Commission's report that was published in October 1989, differing from its recommendations in only minor respects. The hon. Member for Leyton (Mr. Cohen) complained that the Law Commission had not annexed the draft Bill to the report and went on to say that we do not know its intentions. I do not agree with that conclusion. Anybody who reads the Law Commission's report, and who carefully studies the contents of page 35, will have the clearest possible view of what the Law Commission had in mind and in detail.
The Law Commission considered the vital question whether there are important gaps in the existing law in the context of computer crime. My hon. Friend the Member for Gainsborough and Horncastle (Mr. Leigh) touched on that, and I shall refer to his points later. In broad substance, the Law Commission concluded that there are three specific gaps, and they are addressed by the Bill. However, it also stated that most of the crimes involving computer misuse are covered by the existing law. To make an obvious point, the use of a computer to steal is, in most circumstances, covered by the law of theft. Computer misuse resulting in death or injury is, of course, covered by existing criminal law if those consequences were intended or the actions were done recklessly and the results were a consequence of that intention or recklessness. Therefore, in most respects—although not in all—the existing law covers the mischief to which the Bill is directed. It does not cover the entirety of the mischief, which is why the Bill is so important.
It might be helpful to the House if I turned now to the detail of the Bill and to some of the purposes that it is designed to achieve. Clause 1, with which I can deal briefly because my hon. Friend the Member for Romsey and Waterside has explained it so very well already, provides for the offence of unauthorised access to a computer. Standing alone, that offence is not covered by the existing law. If the House will forgive me, I shall identify the prohibited act or the actus reus and the intent of the mens rea, as lawyers say. The prohibited act is that of accessing a computer to perform a function without authority. To establish an offence, there must be the act of causing a computer to function and that activity must be unauthorised. The prosecution must establish both elements before a conviction can be obtained.
On the issue of mental intent, it is necessary to establish both the intention of securing access and the knowledge that the authority for that act is not possessed. My hon. Friend the Member for Gainsborough and Horncastle expressed the anxiety that innocent folk might be caught. I do not believe that they would. A specific intent is required—the intent to secure unauthorised access. If the prosecution cannot establish that mental intent, it will fail.
A broader question was raised by the hon. Member for Leyton. It was answered in an eloquent intervention by my hon. Friend the Member for Wanstead and Woodford (Mr. Arbuthnot). It is the question of the justificaton and intellectual underpinning of the clause 1 offence. My hon. Friend the Member for Romsey and Waterside said—and I agree—that we are not dealing primarily with the protection of confidential information. That may be a perfectly legitimate purpose, but it is not the prime 1181 justification for the Bill. The prime justification for clause 1 is to reassure people who have computers about the integrity of their system. I believe that that is of fundamental importance.
As I have already said, computers are used for a multiplicity of purposes both operational and for the collating and storing of information. That purpose will continue. People will expand the range of computers and their functions. The integrity of systems needs protection to the extent that the law can provide.
The hon. Member for Leyton characterised the clause 1 offence as directed at those who simply have a look around. In many circumstances, the fact that someone has a look around places on the owner the requirement to remedy any defects caused, put in place new software, check out the system and spend large sums of money. Once someone has had a look around the system, it has been broken into and its integrity put at risk. That activity is not right and the computer owner has every reason to complain. The clause is directed against such a threat.
My hon. Friend the Member for Wanstead and Woodford drew a distinction between the law of trespass and the law of trespass with grave effect which was apt.
Trepass is not a criminal offence because usually it does not give rise to damage. However, trespass in the case of computers gives rise to damage because the owner of the system is put under an obligation to carry out remedial works. There is a distinction in principle, and I find what my hon. Friend said entirely persuasive.
Clauses 2 and 3 are interrelated. Clause 2 deals with the offence of unauthorised access with intent to commit a serious crime. There is not so much a gap in the law as a need to strengthen it. Clauses 2 and 3 reflect the particular nature of computer misuse and the speed with which crimes involving computers can be carried out. The final act in a fraud carried out using computers may take only the time necessary to make a telephone call. However, it is likely that a good deal of preparatory work has been carried out prior to that event—for example, searching for passwords or exploring the security arrangements of a bank's computer.
The offence created will enable the police to catch offenders at the preparatory stage rather than when they have carried out the fraud and spirited away the profits into a foreign bank account. It would also catch offenders who committed unauthorised access to prepare for a crime—for example, blackmail, or even murder. My hon. Friend for Gainsborough and Horncastle asked an important question about whether that is covered by existing law. That question represents one of considerable difficulty, but my opinion coincides with what appears in the Law Commission's report. In substance, many of the acts covered in clauses 2 and 3 constitute attempts in law, because we are dealing with preparatory acts. The problem is that to constitute the offence of an attempt in law the acts complained of must be sufficiently proximate to the commission of the offence.
In the case I instanced of, for example, gaining access to a bank account, a range of safeguards—passwords and security systems—will be present. The question is whether the computer hacker, who is trying out those passwords to get access, is committing the offence of attempt or committing some other criminal offence. The Law Commission examined this point and came to the conclusion that the process of trying out the passwords would not constitute the offence of attempt because it was 1182 not sufficiently proximate to the ultimate offence. I share that view. But, the Law Commission also concluded that those particular acts should constitute an offence because the length of time between those preparatory acts and the final offence can be extremely brief, having regard to the nature of computer use. I hope that my hon. Friend the Member for Gainsborough and Horncastle will appreciate that there is a need for the type of offences that are encapsulated in clauses 2 and 3.
My hon. Friend the Member for Gainsborough and Horncastle also pressed me closely about clause 4, which is designed to close the gap the Law Commission identified in matters relating to damage done to intangible property. Thus, if I may give a crude example, I may be prosecuted for smashing an axe through a computer since I have caused damage to physical property. It is by no means certain, however, that I could be prosecuted for introducing a virus into a machine that destroyed many thousands of hours of work stored on data in that machine. That is because it is by no means certain that damage of a non-physical kind is damage for the purposes of the Criminal Damage Act 1971. That is a lacuna because damage to data and damage to the software is not of itself necessarily damage within the malicious damage legislation. For that reason, the Law Commission thought it necessary to recommend the change now contained in the Bill. I agree with that recommendation.
My hon. Friend the Member for Wanstead and Woodford also raised an extremely interesting and nice point relating to the AIDS diskette. He asked whether a person who sends a diskette, received by another and put by that other into a machine, is causing damage for the purposes of clause 4. The answer is yes. The Law Commission intended that effect, and I am glad that my hon. Friend the Member for Romney and Waterside has achieved it in the Bill. If my hon. Friend the Member for Wanstead and Woodford would care to look at clause 18(6), he will find that my hon. Frined the Member for Romsey and Waterside has provided that any act
which contributes towards causing…a modification shall he regarded as causing it.The truth is that there are a number of causes, the sending of the diskette being one and the act of the person feeding it into a machine being another. Any one of those causes is a cause for the purposes of clause 4.My hon. Friend the Member for Romsey and Waterside has gone into considerable detail about extending jurisdiction to acts committed outside the normal jurisdiction of the courts of England, Wales and Scotland. His approach to the matter is entirely right.
I intend to sit down at about 1.30 pm. Therefore, I shall concentrate only on one or two other criticisms that have been raised.
Considerable concern has been expressed by a number of hon. Members, most notably by my hon. Friends the Members for Corby (Mr. Powell) and for Torridge and Devon, West about the enforceability of the legislation. They focus on two issues. The first is whether the police require enhanced powers of search to enforce the law, particularly under clause 1.
The second, and quite different, issue is whether the provisions of section 69(1), of PACE—to use the jargon—will exclude statements produced by a computer that are relevant, credible and probative. That point was considered in detail by the Law Commission. I refer hon. Members to paragraphs 4.8 and 4.9 of its report. The Law 1183 Commission concluded that the provisions of PACE did not have the effect I have just described. It concluded that, in most respects, the provisions of section 69(1) would not prevent the admissibility of relevant and probative evidence.
However, the argument goes a little further. The PACE provisions are of general application and have not as yet been fully tested. I urge the House to be slow about changing provisions that have not been fully tested and may well not have the effect suggested by those who are concerned about them. There will be other opportunities in subsequent Sessions, perhaps in a Criminal Justice Bill, to fill any gaps that may subsequently appear. I do not think that there is a weakness, but if there is we can put it right when it becomes apparent.
Whether we should extend police powers is a slightly different matter. In broad terms I have some sympathy with the hon. Member for Leyton, who is reluctant for police powers to be extended, as am I. The Law Commission considered this matter quite carefully in its report, and its arguments are concisely summarised in paragraphs 2.20 and 2.21.
The House will appreciate that we are concerned only with clause 1 because clause 2 gives rise to arrestable offences within the definition of PACE and, therefore, the ordinary principles applied by PACE apply to clause 2 offences. The House will note that there are already considerable investigative powers available to the police that touch on clause 1 offences. They are summarised in the two paragraphs to which I referred.
Hon. Members must consider two issues, one of principle and one of tactics. I hope that the House will forgive me for saying that private Members' legislation is a fragile vessel, and if we start taking action that many people find unacceptable we could lose the Bill. There is no doubt that if we were to extend the police powers to search in the context of clause 1 we could arouse much antagonism to the Bill that would not otherwise be aroused. I would be sorry if that happened.
On the issue of principle, I would not wish to extend police powers unless I was persuaded that it was wholly necessary to do so. The Law Commission took that view, and I agree with it. I would not wish the law to be extended unless there was compelling evidence of need.
I shall make two final points. My hon. Friend the Member for Corby raised a most interesting point regarding international co-operation. To some extent, the matter will be addressed by the Criminal Justice (International Co-operation) Bill, which is wending its way through the other place and is relevant to precisely the 1184 issue that my hon. Friend has raised. So too are the provisions in the Bill regarding jurisdiction in respect of offences committed outside what is normally the jurisdiction of the courts.
The hon. Member for Leyton argued at some length that we should define the word "computer" in the Bill. To repeat what I said in my intervention in his speech, that point was carefully considered by the Law Commission in pragraph 3.39 of its report. The considered view of the Law Commission, backed, as I understand it, by the majority of consultees on the matter, is that it would be an error to define "computer". I am entirely persuaded by what my hon. Friend the Member for Romsey and Waterside said on the matter.
I know that the House wishes to proceed to another measure, so I shall conclude my remarks. I hope that the Bill will receive a Second Reading and that subsequently it will be enacted.
§ Mr. ColvinWith the permission of the House, I shall detain it for just another 60 seconds to congratulate hon. Members on the constructive way in which they participated in the debate. I am aware that the hon. Member for Moray (Mrs. Ewing) is about to bring forward her measure to abolish warrant sales in Scotland, so I shall be brief.
The manner in which hon. Members have given way to me during this four-hour debate has enabled most questions to be answered and my hon. Friend the Minister of State has answered most of those that remained.
I have been checking my notes, and two specific questions asked by the hon. Member for Kirkcaldy (Dr. Moonie) during the debate still require answers. The first, on clause 11, related to Scottish citizenship. My answer is simply that if the Scottish court has the jurisdiction to try a case under the legislation, under Scottish law the nationality of the accused person is immaterial, and therefore there is no need to cover that explicitly in the Bill. He also raised a question under clause 12 about controls over access to computer systems by the police in the exercise of their duties. Clause 4 is intended only to protect existing statutory or common law rights. There is no intention of giving the police or anyone else a general licence to hack. If the police seize a computer under a search warrant, they must be allowed to access it in order to read the files.
I thought that the House should know the answer to those questions as it might save time in Committee.
§ Question put and agreed to.
§ Bill accordingly read a Second time, and committed to a Standing Committee pursuant to Standing Order No. 61 (Committal of Bills).