HL Deb 15 May 1990 vol 519 cc230-47

7.37 p.m.

Viscount Colville of Culross

My Lords, I beg to move that this Bill be now read a second time.

This is a Private Member's Bill. It has passed through another place in the hands of my honourable friend the Member for Romsey and Waterside. He has acquired considerable acclaim for the way in which he has handled it and, having read the Official Report, I can see why.

I do not pretend that the text of the Bill is easy, but that is because the subject matter with which it deals is in itself complicated. It deals with the mischief which is caused by those who are rather too dextrous on a computer keyboard—those who go in for what is called hacking; those who exceed their authority as employees when they already have access to a computer; and those who use computers as a way in to more serious crimes or attempted crimes—and with the general area of what are commonly called viruses, to which I shall return later.

The Bill is complicated for four reasons. Because many of the processes—indeed all of them except the initial stages—are electronic, they are instantaneous and hard to detect. The most malicious misusers of computers have sinister motives in that they pave the way for other serious offences such as blackmail or fraud, even though those may not in the end occur. The Bill must therefore fit in with the criminal law on the difficult subjects of attempts, conspiracies and incitement. Computers work at high speed across international boundaries, not least the jurisdictional boundaries within the United Kingdom, where there are three such boundaries—between England and Wales, Scotland and Northern Ireland. All you need is a home computer and a telephone connection called a modem. Then, through the ever-expanding international telephone network, you can try to gain access into computers worldwide, including mainframe computers. I may say that it is usually done at somebody else's expense.

The Law Commissions both in England and Wales and, before them, in Scotland, have consulted widely. Their reports are the basis of this Bill. Indeed, it is the beginning of the Explanatory Memorandum which your Lordships will see on the front page. The Scottish report came out in 1987 and the English one as recently as October of last year. So no time has been wasted in implementing what the Law Commissions have suggested to us.

The Law Commissions have continued to assist in the preparation of the Bill and in its passage through another place. As your Lordships will see, the drafting has been very carefully worked out so that it applies to all three domestic jurisdictions in the United Kingdom to which I have referred.

The Law Commissions found that the misuse of computers is increasing and at an alarming rate. There are in fact no reliable statistics, but anecdotal evidence from computer users and from the police points to a serious problem which is increasing. Indeed, the police stated in the press last week that the number of cases coming to their attention rose sharply last year. One of the reasons why it is difficult to gauge the measure of the problem is because some of the users are too embarrassed to report the fact that their computers have, as it were, been broken into.

One of the troubles is that there is a sub-culture which sees no harm in invading other people's computer systems. It merely demonstrates (so these people think) the computer skills of the person who does it. It may even be the basis for an application for a job. However, as I said a little while ago, there are also much more sinister motives.

The Bill addresses the protection of the trustworthiness and integrity of computer systems as such and not the protection of the information which is in them. The protection of the information contained in them is a different and a more controversial matter and it is not part of the scheme of this Bill.

The integrity of the system itself is plainly necessary because there are all kinds of confidences including commercial and industrial matters and the world of personnel, quite apart from matters such as defence secrets and other data affecting national security which are nowadays held on computers.

At the other end of the scale there is material like forthcoming exam papers which some students might be only too anxious to know about in advance. Expensive technology has been installed to try to protect these computers. If that protection is breached it is extremely expensive to put matters right again and meanwhile the whole system is suspect.

The Bill contains three elements. The first three clauses contain three new criminal offences. After that, Clauses 4 to 9 contain new rules governing the jurisdiction of the courts to try computer misuse cases. That arises from the international element in this matter. The last clauses in the Bill, Clauses 10 to 18, are largely consequential and technical, including definitions. The exception is Clause 14, which provides powers of entry, search and seizure for the police in the case of an offence under Clause 1. I shall return to that in a moment because it has attracted considerable interest.

The three new criminal offences are these: Clause 1 creates a new offence which is triable summarily in the magistrates' court in England and Wales and Northern Ireland and in the sheriff court in Scotland. It is the offence of unauthorised access to programs and data held in computers, for which the maximum penalty is six months or a fine or £2,000. The terminology in this Bill may not appeal to the English purists among your Lordships but it is the current way in which computers are described and in which all their processes are normally referred to. It seems sensible, therefore, to use the terms that are familiar to the users of computers.

The objective of Clause 1 is to deter deliberate, unauthorised access or attempts to gain access to computers. To some extent that is hacking but it may also include those insiders who are authorised to use some parts of the computer system but who go beyond their remit. That is only if the conduct is intentional. The essence of this offence is that it should be intentional and not merely the result of being inattentive, careless or improperly informed; those who go beyond their remit by mistake are excluded.

Clause 2 creates a more serious offence. It is triable both ways—that is to say, either summarily or on indictment. It relates to unauthorised access with intent to commit or facilitate the commission of a further, more serious, offence. I referred to these earlier as fraud, blackmail or something of that kind. There are substantially more serious penalties which carry a maximum of five years' imprisonment on indictment and an unlimited fine. It makes an offence under Clause 2 an arrestable offence under the Police and Criminal Evidence Act.

In fact it is still a preliminary offence in that it will bite at the stage before the further offence of blackmail, fraud or whatever is actually committed. If the person concerned looks into a computer to get information for the purpose of blackmail or fraud, that of itself would be an offence under Clause 2 even before a further offence has been committed.

Clause 3 creates another offence which is equally triable both ways. It deals with the unauthorised modification of data or programs held in computers. The intention here is to remove a current uncertainty which exists under the law concerning damage to intangible property such as data. It is not intended to cover physical damage to the computer or to the software because that would remain within the existing, criminal law of criminal damage. The criminal law has had to be stretched. It is not certain how far it will go. Therefore, it seems better to create a new, specifically designed offence to deal with this matter.

The offence is intended to deal with matters like erasure of information or the putting into circulation of disks which are infected by some malicious code designed to impair the performance of the computer or to make it work so hard that it runs out of room altogether. I said that I would refer to viruses again, but it is not just a question of viruses. Apparently, the technology includes functions like Trojan horses, logic-bombs, viruses themselves, worms, bacteria and rabbits. I know what some of them mean, though not in detail what they all mean.

Nevertheless, they do an enormous amount of damage. I suggest to your Lordships that a deterrent, as set out in Clause 3, is necessary. There are reservations about the necessity for bringing in new criminal offences. There always are reservations. In this case they really concern the duties on the owners of computers themselves. They should take sufficient trouble to protect their machines from interference from outside. They do because they take a great deal of trouble. However, the difficulty is that the ingenuity of those who try to gain access, whether as a matter of hobby or for more malicious purposes, is such that very frequently these protective processes are overcome.

The analogy must be with the household and the burglar. We do not wish to suggest to the householder that he must take precautions to make his house absolutely impregnable to a burglar, because we all know that that is impossible. We also have the crime of burglary and aggravated burglary, which makes criminal the other side of this equation. So, I suggest to your Lordships, should we have in the world of computers, although perhaps my noble friend Lord Trefgarne will comment on the way in which the Government are encouraging computer users to protect their property.

I said that Clauses 4 to 9 cover jurisdiction within the United Kingdom and internationally. That drew on another work by the Law Commission. In April of last year it published a report on Jurisdiction over Offences of Fraud and Dishonesty with a Foreign Element. That is a fascinating document and deals with an extremely abstruse area of criminal law, none of which is the same in England, Wales and Northern Ireland as it is in Scotland. That is the case with a great deal of criminal law.

At present the rules provide that English and Welsh courts—perhaps also Northern Irish courts, but I hesitate to speak about Scotland—have jurisdiction only if the offence is regarded as having taken place in the United Kingdom. That implies that the last event necessary to the completion of the offence took place here. The Law Commission looked at the rules and the case law. It came to the conclusion that the rules are unnecessarily restrictive and that they are inadequate to deal with computer misuse across national boundaries. It sets out its reasoning most clearly in its report. As regards the jurisdictional provisions, the intention is to make it possible to prosecute for computer misuse offences if the accused or any affected computer was in the part of the United Kingdom jurisdiction in question at the time that the offence occurred.

Other complicated provisions in this part of the Bill adapt the criminal law on attempt, conspiracy and incitement, which, as I said at the beginning, are complicated concepts in the criminal law. That is achieved by amending the existing legislation in respect of at least two.

The last part of the Bill, Clauses 10 to 18, deal with consequential provisions and some important definitions. That is with the exception of Clause 14. There was a considerable amount of debate about the clause in another place and it was introduced in the Standing Committee. I have looked at the matter carefully because it concerns the Police and Criminal Evidence Act. It adds a new power which is not in existence at present.

I suggest that, although the provision may be controversial, it is probably better that we do not attempt to meddle with it because it was the subject of a great deal of discussion in another place. Eventually a certain degree of unanimity was reached although it was not total. The trouble is that Clause 1 of the Bill introduces a new offence which is summary only. The police powers of entry, search and arrest under the Police and Criminal Evidence Act relate to arrestable offences—those which carry a five-year sentence or more—or to serious arrestable offences, for which there is an even more complicated definition in the Police and Criminal Evidence Act. It was decided—I suggest, rightly—that there should also be a power of entry and search for the police in relation to the summary offence under Clause 1. That provision is contained in Clause 14.

I have talked to members of the police force about the matter and read what they stated in The Times last week. They would like to have more substantial powers to investigate the house or the room where the computer access is being gained to see whether they can discover more about it. They would also like more sophisticated powers to deal with the communications in the course of their transit through the telephone system. There are endless complications in that respect and we enter the realms of other legislation such as that relating to the interception of communications. Unless noble Lords wish me to do so, I shall leave out that matter.

I suggest that we have achieved a balance. We have given a new power of entry and search while at the same time protecting the civil liberties which were so carefully balanced in the Police and Criminal Evidence Act. For that reason I suggest that we now have a provision in the Bill which is properly balanced.

At the end of the Bill's passage through another place my honourable friend for Romsey and Waterside said that he thought the Bill was well balanced and now well-drafted and defined. I venture to agree with that assessment. The Bill deals with specific mischiefs which have been clearly established and properly investigated by the Law Commissions. It introduces deterrents into the system to try to stop the pre-emptive provisions. They ought to be extremely useful in deterring those who wish to partake in such activities and should do so before the scale of the problem gets out of hand. For that reason I suggest that this is a timely moment to consider the Bill. I commend it to your Lordships and hope that it will have as safe a passage through this House as it had through another place. I commend the Bill to the House.

Moved, That the Bill be now read a second time—(Viscount Colville of Culross.)

7.57 p.m.

Lord Avebury

My Lords, I must preface my remarks by declaring an interest. I am a director of a company which markets computer hardware and software and which is sometimes called on to advise clients about excluding viruses from their systems or improving their existing protection against viruses.

We are extremely grateful to the noble Viscount, Lord Colville, for his lucid explanation of a complex piece of legislation. It was demanded by the computer industry and has been endorsed by all the principal companies in the British Computer Society. However, I find myself being slightly heretical because, for reasons that I shall attempt to explain, I cannot express the same unqualified enthusiasm for the Bill as was displayed by another place. It attempts to deal with two menaces facing computer users and undoubtedly they are serious. The first is the unauthorised accessing of confidential information simply in order to break confidentiality or in order to commit some other more serious offence. The second menace is the unauthorised alteration of programmes or data.

As I see it, the problem is one of the detection and conviction of the criminals rather than the multiplication of offences which may be difficult to prove in the courts. In moving the Second Reading of the Bill, the honourable gentleman the Member for Romsey and Waterside said that he had consulted the police who stated that they had the powers and the expertise to implement it. However, that was without qualification. It was not explained how that was to be done. I am afraid that even though the honourable gentleman pre-empted that remark, users may be lured into a false sense of security and some may not take the greater and more thorough precautions necessary to counter the increasing risks which the noble Viscount mentioned and protect themselves against loss or damage caused by the kinds of misuse dealt with under the Bill.

The noble Viscount, Lord Colville, said that there were no statistics. However, one statistic was mentioned by the honourable gentleman in another place; that is, that over the past five years the Department of Trade and Industry has verified 270 cases of computer misuse within the meaning of this Bill and that only six have been brought to trial and only three were successfully prosecuted for fraud. I should be interested to know from the Minister when he replies how many of those were Clause 3 offences, which are intrinsically far more difficult to nail down, and how many were Clauses 1 and 2 offences. In fact, a more comprehensive analysis of those 270 offences would be extremely useful when we deal with the Bill in Committee.

The noble Viscount mentioned the anecdotal evidence which comes from the police and from some users. He quite rightly pointed out that some are reluctant to expose themselves to ridicule by admitting that offences have been committed against them, and thereby rendering themselves liable to the criticism that they did not take the proper precautions. Perhaps the Minister would ask police forces in all three jurisdictions to report any offences which come to their attention to some central point so that over a period of time there would be better information because I think we are legislating slightly in the dark. Even though that could not be achieved in time for the deliberations on this Bill, I imagine that this will not be the last occasion on which Parliament attempts to deal with the growing menace of computer misuse.

I turn to the problem of viruses which can originate from anywhere in the world. They may get into the system without any person having a malicious intent because disks are exchanged routinely between users. Therefore, when a particular user has been infected by a virus, he may pass it on completely unwittingly to an associate or colleague. One virus which has been encountered quite frequently is the so-called Jerusalem virus. It is given that name because it is said to have originated in the Hebrew University of Jerusalem. That is invisible to the user, lurks in the system tracks of the machine and manifests itself by adding a few k to the length of .exe or .com files on the hard disk so as to slow up the operation of the system and make the hard disk completely unusable after a fairly short period of time.

The victim who is infected by the virus which is inadvertently passed on to him by a colleague or friend, has no redress against the author who produced the virus. Even if that person could be identified, he could not be prosecuted in England or Scotland under Clause 3 because he is not within the jurisdiction. Even if identified, he is not himself passing on the virus. It has now reached the 120th or 190th party. The passage of the virus from one user to another is not within the control of the person who originally wrote it in the Hebrew University of Jerusalem.

The honourable Member who promoted the Bill in another place also mentioned the AIDS disk which was sent to many people in Britain apparently from an address in W. 1. The person who mailed the disks was alleged to be a Dr. Lewis Popp. He has now been arrested in Ohio where he is being charged with demanding money with menaces. That is because when the disk is put into the machine it displays a message saying that unless a large sum of money is sent to an address in Panama after so many accesses of the machine the hard disk will be wiped clean.

It is very interesting that no special legislation was needed in the United States because Dr. Popp was charged with demanding money with menaces and not with any specific computer-related offence. Presumably he could have been charged with an offence of that kind in this country had he been in our jurisdiction. However, what would have happened had he mailed the disks to people in the United Kingdom from France or the United States? As the noble Viscount, Lord Colville, explained, an offence would have been committed because the effect of mailing the disk is to alter the contents of a computer in this country. But how would it be possible to catch him and try him in our courts?

I wish to ask the Minister three questions. First, will it be possible for us to extradite people who commit these offences? If anyone wishes to charge Dr. Popp with an offence in this country, can he be brought here from Ohio to stand trial?

Secondly, are we certain that a person who maliciously distributes a virus could not be successfully prosecuted under the existing legislation for malicious damage? I shall return to that matter in a few moments because that is something which the noble Viscount, Lord Colville, mentioned. Thirdly, to repeat my earlier question, can we be told how many of the 270 cases known to the DTI concerned viruses?

I fully endorse what the noble Viscount said about taking adequate precautions, although I am not so certain that users already carry out their obligations in that regard although many do. However, there are common sense precautions which can be taken against unauthorised access generally. First, obviously people should not leave machines unattended in a room to which outsiders may have access. Secondly, there should be password protection for sensitive information. Certainly disks should not be used which have been received from unfamiliar sources like the AIDS disk which I have mentioned. Data should be backed up regularly. Finally, virus detection software should be used so that if viruses enter the system they can be detected and eradicated before they do a great deal of damage.

I turn to the unauthorised accessing of computers where the intent is to acquire confidential information either for its own sake as in Clause 1 or with a view to the commission of another offence as in Clause 2. The Law Commission found that hacking, as unauthorised or attempted access is called, is "sufficiently widespread to be a matter of major and legitimate concern to system users". Even though sensitive applications like air traffic control are relatively less vulnerable because of the emphasis by its users on security, the Law Commission considered that it would be unwise to wait until somebody succeeded in penetrating those defences before protecting them by law. It pointed out that there was already evidence of interference in more open systems where there are intrinsically greater difficulties in stopping the hacker because the greater the degree of protection, the less convenient the system will be for the ordinary user. Therefore for example the public electronic mail services are relatively vulnerable.

The criminalisation of hacking may not result in many prosecutions; but the Law Commission felt that it would alter the perception of it, and the noble Viscount referred to the climate in which hacking is considered to be harmless amusement. What was an amusing diversion for computer enthusiasts in the past is now considered to be a crime. One hopes that that will be enough to deter the amateur. The journalist, for example, who pried into the electronic mailbox of His Royal Highness the Duke of Edinburgh could find himself becoming the guest of Her Majesty the Queen for six months if he did that again.

The amateur hacker likes to enter computer systems purely as a game, challenging the defences put up by software designers, and he is dealt with under Clause 1. Those who intend to cause damage to the systems, three examples of which are given in paragraph 1.16 of the Law Commission's report, would be dealt with under Clause 3. I return to the Criminal Damage Act 1971 as being a possible way of dealing with those crimes. Would it have been so difficult to extend the definition of property to cover whatever kinds of storage media are likely to be used on computers? In the leading case of Cox v. Riley, the information was stored on a plastic card, so presumably hard disks, floppy disks, optical disks or tape streamers are covered, by analogy, under existing legislation.

An offence already existed when data attached to tangible property was altered or destroyed, and under this Bill we are reducing the penalties provided for in the 1971 Act as if we saw the damage caused to computers as less important than other kinds of damage. As the noble Viscount is aware, these penalties are less than those provided for under the Criminal Damage Act 1971.

The problem is that the Criminal Damage Act has given rise to a false distinction—if I may say so as a non-lawyer—between modes of trial according to the value of the property damaged. It is the value of the consequential losses that is important. Alteration of drug dosages is given as a hypothetical example by the Law Commission. The program which calculates the drug dosages may be worth only tens or hundreds of pounds, but the consequences of altering the program could be lethal. We have therefore paid too much attention to the value of the property damaged and less to the possible consequences of that damage in making the distinction between the modes of trial.

I turn now to Clause 2 offences, where the unauthorised access is preparatory to the commission of some further offence. Noble Lords will correct me if I am wrong, but I do not think that that includes fraud, where the Law Commission found that theft or attempted theft were the right charges against a person who uses a computer dishonestly to obtain money or other property. But if the person has not yet committed a further offence it may be difficult to sustain a prosecution for attempt. The Law Commission gives the example of the person who obtains access to a banking system and tries out passwords of depositors with a view to committing some financial offence. I agree with the noble Viscount, Lord Colville, that in many respects the Law Commission document is an admirable and lucid one, but in this regard I found it difficult to understand why such a person could not be charged with attempted theft. He would have committed the offence of obtaining unauthorised access to a computer with intent to steal under Clause 2.

The Law Commission goes on to give another example—of a person who intends to use the information that he gains from unauthorised access to blackmail someone. He would not be guilty of an offence of an attempt to blackmail because his conduct was merely preparatory but he would be guilty of unauthorised access with intent to blackmail. From these examples I conclude that Parliament could have amended the law of attempt to create an additional offence of doing any act preparatory to the commission of an offence with intent to commit that offence. It seems to me to be wrong in principle to single out preparatory acts of one kind and make those into offences, while ignoring all others as the Bill has done.

The noble Viscount mentioned Clause 14 of the Bill, where he said that the police were asking for even more extensive powers of access than have already been granted. In fact there was a tacit agreement that in introducing the Bill the movers would not ask for greater powers of access, and there is no intention of doing so now. However, I would say to the noble Viscount, and through him to the police, that if they seek these powers they must make out a very good case for them and they will have to do that before Parliament would be willing to incorporate those powers in legislation.

The Law Commission's report was published in October 1989 and this legislation follows hard on its heels. The importance of protecting computer users and the public in general from criminal misuse is obvious. As customers of the banking system, as patients of the National Health Service, as airline passengers, shoppers, employees or electors, we all depend on the reliable working of computers, and any interference with them harms us as well as their operators. I hope that this Bill provides an effective deterrent to hackers and the perverted individuals who write and disseminate viruses. I fear that it does nothing of the kind, but merely creates an illusion of security which means that we fail to take every step possible for our own defence.

8.17 p.m.

Lord Milne

My Lords, I agree with the noble Lord, Lord Avebury, that the House should be grateful to the noble Viscount for introducing this Bill, which he ably explained, as he is so well qualified to do.

The influence of Scotland on our law was remarked upon in another place, for the need for such legislation was first recognised there. There must be some concern that a measure so clearly important to the business community and to computer users world wide should owe its origin to pure chance; I refer to the ballot for the Bill in another place. Whether it has suffered thereby is a matter of opinion. Besides the benefit of being taken up by the noble Viscount, it has obviously gained parliamentary time, since as a Public Bill we are led to understand that it would not have seen the light of day until the next Session at the earliest. However, time in this case is important because we are behind many countries in this respect.

Against that, although founded, as we heard, on the recommendations of the Law Commission report, the time factor prevented the addition of the usual model clauses—a matter which this House is probably well qualified to rectify. Whether a Public Bill or a Private Member's Bill, it seems to me that it was bound to be tentative, extending as it does the criminal law and police powers into new areas. It will surely be the forerunner of many such enactments in the future as technology and needs develop.

The need to strike a balance between the liberty of the subject and the rights of computer users was referred to by the noble Viscount. Computer users have the right to some protection. That came out clearly in the Committee discussions and I feel that the resulting Bill has been successful. Noble Lords who read the record of the stages in another place will be aware that the Bill has been extensively and expertly discussed; little has been left unresolved. I mention but two points.

First, I refer to the absence in the Bill of a definition of a computer. The need for that was strongly advanced in Committee but the definitions put forward proved faulty on technical grounds and it was thought better on the whole to leave it to the court. As regards the legal aspect, I cannot comment, but my more literate computer friends tell me that on technical grounds it is probably the right decision.

Finally, the question arose of whether computer users have a duty to protect the security of their equipment. Legally that is to some extent covered elsewhere—by the Data Protection Act for personal information and by the Companies Act for computerised accounts and so on. It is thought that the latter provisions may also cover the former. Certainly an unprotected computer on public lines is a menace both to the user and to others. To determined hackers it is simply an open door.

I agree that by now all users are aware of the risk they run and most act accordingly, as we have heard, but for those with outside connections the risks may be horrific. Absolute security is almost unattainable. Each user must balance the cost and the inconvenience against a realistic evaluation of the information contained therein. Held against that background, some deterrent and the powers of enforcement in this Bill seem not unreasonable even for Clause 1 offences.

With those remarks, I welcome the Bill and congratulate all those associated with it.

8.21 p.m.

Lord Williams of Elvel

My Lords, I do not propose to detain your Lordships for long because we have had some lengthy interventions on the Bill and it has been debated at considerable length in another place. The House is certainly grateful to the noble Viscount, Lord Colville, for sponsoring the Bill which started as a Private Member's Bill in another place, introduced by Mr. Michael Colvin.

I echo the views of the noble Lord, Lord Milne, that anyone who has read the debates in another place will recognise that the Bill was scrutinised with great care and expertise by a number of Members on all sides. Therefore, it is a rare pleasure from this Dispatch Box to welcome the Bill. I speak in my personal capacity because this is a Private Member's Bill and, as is the custom, I do not speak for my party. It is rare for me to be able to welcome a Bill that is so well drafted and, though complex, seems to put in place all the necessary measures that the authors of the Bill desired.

Looking through the Bill—I have considered many Bills which have come before this House—I find that I cannot fault the drafting, and I congratulate the noble Viscount, Lord Colville, on that. I am not sure who his advisers were but I am sure that they should also be congratulated. As the noble Viscount said, there are problems which have grown up as a result of the use or misuse of computers. I echo the view expressed by the noble Lords, Lord Avebury and Lord Milne, that we need legislation on this subject.

Three doubts were expressed in another place which I echo rather than put forward as serious reservations. The first was addressed by the noble Lord, Lord Milne; it concerns the definition of a computer. It is always difficult to decide whether to try to define in legislation the nature of the object about which we are legislating or whether to allow the courts to make that definition for Parliament. I believe that the Bill has probably got it right. I agree with the noble Lord, Lord Milne, that it is better to leave the definition to the courts. They can widen definitions that are left vague whereas Parliament, if it makes precise definitions, has enormous difficulty widening them because that requires amending legislation.

The second doubt aired in another place, which I must repeat, is the balance between civil liberties and proper regard to legality in the use or misuse of computers. I believe that, again, the Bill has got it about right. I have no serious complaints about the balance that has been struck.

The third doubt, to take up a remark of the noble Viscount, Lord Colville, in his introduction, is about enforcement. The noble Viscount rightly said that the Clause 14 arrangements introduce the notion of a circuit judge giving powers to search—not a justice of the peace as advocated in another place. I believe that that is about right. However one must recognise if one is to be fair that the whole question of enforcement has given rise to many comments and problems. No doubt in Committee in this place there will be further comment.

I do not wish to hold up the Scottish business which is to follow, but I have two problems, rather than doubts, in regard to the Bill. First, why was this not a government Bill? I join with the noble Lord, Lord Milne, in finding it odd that a matter studied at length by the Law Commission and which has been the subject of considerable consultation was not adopted by the Government and put forward as government business. My only consolation is that if it had been a government Bill it would have been introduced by the noble Lord, Lord Trefgarne, and, on the evidence of the Landlord and Tenant (Licensed Premises) Bill, he is given to making commitments to this House which he is unable to fulfil. We might have had an endless series of discussions on why government commitments had not been fulfilled. Perhaps it is much better that the noble Viscount has introduced this as a Private Member's Bill because that denies the noble Lord, Lord Trefgarne, the opportunity of introducing all sorts of extraneous red herrings into the debates.

My second doubt on which I join with the noble Lord, Lord Avebury, is that technology is fast-moving. We are, so to speak, taking a photograph of this point in time and legislating now. I suspect that in one or two years' time there will be quite different developments of existing technologies which will require legislation to do what the noble Viscount proposes in the Bill. Although it is much against my normal judgment in these matters—if this were a government Bill I would certainly not accede to such a request —I wonder whether there is not sense in writing into the Bill a provision that under some secondary legislation, on some procedure which the House would determine, certain amendments might be made to the Bill without primary legislation having to come before the House. I believe that this is a case where technology is so fast moving that to bring forward primary legislation in the parliamentary time available might be extremely difficult. I take the point made by the noble Lord, Lord Avebury. There are many aspects which, in the light of experience, might well be reflected in the Bill but which at the moment we cannot foresee.

I put forward that proposal very tentatively to the noble Viscount. Normally I am a great defender—as I am bound to be from this Dispatch Box—of the rights of your Lordships' House to determine what legislation Parliament should or should not pass. However, here we have an example of a Bill which is fine at the moment but which may well need adjustment before future primary legislation can be brought forward.

Having said all that, I congratulate the noble Viscount for bringing forward the Bill and faithfully representing the opinions of his honourable friend Mr. Colvin who, in another place, performed with great expertise. I am sure the House is grateful to him. From this Dispatch Box I echo the words of my honourable friend Dr. Lewis Moonie in another place. It is time for legislation and we are glad to recommend it.

8.30 p.m.

Lord Trefgarne

My Lords, it may be helpful to your Lordships if I now briefly outline the government position on the Bill. The Government welcome and support this measure. I confirm the assessment of my noble friend Lord Colville of the serious threat represented by computer misuse. It is indeed a growing problem. The Government recognise that a legal framework must be put in place to deter such misuse sooner rather than later. We are pleased that an opportunity has arisen which allows for such a Bill to come before Parliament.

Perhaps at this point I may answer one of the questions raised by the noble Lord, Lord Williams, as to why it is not a government Bill. The fact is that the Law Commission reported only in October last year. As the noble Lord will know, it would not have been possible at that moment to have a Bill drafted and ready to be announced at the time of the opening of the new parliamentary session. That is why we were very happy that it was possible to bring this Bill forward.

Lord Williams of Elvel

My Lords, I am sorry to intervene. Not all Bills produced by the Government in this Session were adumbrated in the gracious Speech. It is perfectly possible for the Government to bring forward Bills that were not adumbrated in the gracious Speech.

Lord Trefgarne

My Lords, I was not claiming that it was necessary to bring it forward in the gracious Speech. However, given the timetable to which I have referred, it would have been difficult to have it properly drafted and into the government programme.

I am pleased to note that the Bill is based upon the recommendations of the Law Commission in its report published in October of last year. These recommendations received widespread support. They were also welcomed by the Secretary of State for Trade when in October last year he said that legislation should be brought forward when a suitable opportunity arose. That clearly was not going to be immediately. That is why this Bill is such a welcome opportunity.

I should like to pay tribute to the work of the Scottish Law Commission, which two years earlier than its English colleagues conducted a study into the need to introduce computer misuse legislation for Scotland. Its work has played a valuable part in the consideration of the relevant issues, and the greater part of this Bill applies to Scotland.

There are some examples of computer misuse which can be prosecuted under the existing law. The AIDS diskette which was circulated recently and referred to by the noble Lord, Lord Avebury, and my noble friend appears to be a case of blackmail. I understand that the police have charged someone in connection with this. However, the simple circulation of the infected disk would probably not have been prosecutable under any UK law had there not been an attempt to extort money. In other cases we have seen attempts to stretch the existing criminal law to cover mischiefs that it was never intended to address. That process is undesirable in principle and often unsuccessful in practice. The Bill will remove the necessity for it.

We agree with the Law Commission that there are three key areas where the criminal law is deficient or could usefully be strengthened. They have been ably described by my noble friend. We also agree with the Law Commission's conclusion that the inadequacies in the scope of the criminal and civil law require new legislation in the form proposed in this Bill. We therefore fully support its objectives.

The Bill also seeks to introduce new rules governing the jurisdiction of the United Kingdom courts. I should like to explain the Government's view on this.

We naturally look very carefully at any proposals to change the rules governing the authority of the courts. However, we consider that due to the particular nature of computer misuse, the Bill could not function effectively without this. Computer misuse knows no national boundaries. As my noble friend Lord Colville has explained, it can be carried out via the international communications network right across the world. These clauses are therefore an essential ingredient in the Bill and we support them too.

Laws against computer misuse are not sufficient on their own to deter this menace, in the same way as laws against burglary do not obviate the need for the wise householder to buy strong locks to protect his home. The Government recognise this and have developed a policy on other fronts which will complement this proposed law. That was a point raised by the noble Lord, Lord Avebury.

First, there is a responsibility on users to protect their systems adequately against intrusions. There is no doubt that users are now more aware of the threat of unauthorised access. Look at the support for this Bill. But this is not enough.

To raise awareness of the importance of computer security my department has launched a three-year awareness programme which is managed by the National Computing Centre. Aimed primarily at small and medium sized companies, the programme will highlight practical ways to protect the storage, transmission and display of information and will also emphasise the importance of technical standards. We would expect these measures to complement the introduction of this Bill and we will of course aim to explain the implications of the legislation.

Secondly, my department is active in the development of common technical standards for both products and systems. We have sponsored the development of criteria for the security evaluation of IT products. Together with other departments and partners in other countries we have also produced a set of European harmonised criteria which will be published for consultation shortly. We hope eventually to have full international harmonisation, supported by evaluation and certification. This will help users to meet their security needs with reliably tested products. We are also supporting a large amount of other standards work with broadly similar aims.

On the question of jurisdiction and extradition raised by the noble Lord, Lord Avebury, the jurisdiction provisions of the Bill would enable the gentleman who is alleged to have circulated the AIDS diskette to be tried in the United Kingdom for unauthorised modification. Clause 15 of the Bill makes the Clauses 2 and 3 offences extraditable, permitting extradition where appropriate treaties exist.

The noble Lord also asked for an analysis of the computer misuse cases that have been referred to by the DTI. Of the six cases brought to prosecution all were within the realms of the Clause 3 offence; that is to say they were associated to some extent with criminal damage. However, the survey carried out by the DTI is not a statistically representative sample and we make no claim of that kind in respect of it.

As for asking police forces to report cases of computer misuse, I fear that this would likewise not produce valid figures. Where misuse is not a crime many cases will not be reported.

I believe that I have answered the first point raised by the noble Lord, Lord Williams, about why the Bill is not a government Bill. On his second point about the possibility of providing for changes of the Bill to cover future changes in technology by, for example, secondary legislation, I find it strange to hear such a proposition coming from the noble Lord. As he said, he did not think that he would make such a proposition with regard to any government legislation. I am not certain why he proposes such a course in connection with this Bill. He apparently wanted it to be a government Bill, I understand from an earlier intervention that he made. I dare say that he will wish to explore that point further at a subsequent stage.

Lord Williams of Elvel

My Lords, will the noble Lord recognise that there is a serious point here, frivolity apart? Technology advances. This industry and primary legislation passed through this House become out of date very quickly. I am trying to offer what I regard as an unsatisfactory formula. But it is a serious point.

Lord Trefgarne

My Lords, I recognise the point that the noble Lord makes. Of course technology advances in this area by leaps and bounds. But I am not sure that I favour the solution to the problem that he proposes.

The problem of computer misuse will not go away. This Bill's enactment, together with the efforts of computer users and continuing work on computer security awareness and standards, will provide a positive contribution to deterring computer misuse.

The Bill has successfully completed its passage in another place and received all-party support there. It has been debated and considered by right honourable and honourable Members in great depth and detail. The Government are content both with the objectives of the Bill and the way that they are achieved. I hope that noble Lords appreciate the need for such legislation and will facilitate its passage through this House.

8.38 p.m.

Viscount Colville of Culross

My Lords, we must not hold up the Scottish business very much longer. I do not very much mind whether it is a government Bill or a Private Member's Bill in view of the welcome that it has received from your Lordships this evening. That is the most important matter. I agree with the noble Lord, Lord Milne, that time was important in relation to the Law Commission's reports and we are seizing the opportunity to put the Bill on the statute book.

The noble Lord, Lord Avebury, asked a number of very technical questions, in particular in relation to computer viruses originating from overseas. We are doing our best within the powers that we possess in the jurisdiction of all three parts of the United Kingdom. My noble friend Lord Trefgarne has already explained that Clause 15 deals with extradition. Of course extradition has recently been greatly brought up to date by the extradition legislation last year. The noble Lord may care to look at the double criminality test in Clause 8, which is also relevant in this respect.

We would be able to deal with these offences if they had advanced far enough to become, for instance, demanding money with menaces. The gap that the Bill is filling is the stage immediately before that. The noble Lord suggested that we might have another look at the possibility of dealing with the matter under the Criminal Damage Act. I looked at Cox v. Riley. It seemed to me that the courts were straining to bring what had happened there within the realm of that legislation. Once the courts start to strain, particularly if technology improves, we shall find very rapidly that prosecutions fail.

Lord Avebury

My Lords, does the noble Viscount happen to know whether other cases following Cox v. Riley have dealt with media more commonly in use such as floppy or hard disks? The case of Cox v. Riley was in 1986. One would have thought that, on the basis of damage having been caused to a plastic card, most of the more commonly used media might have been covered by existing legislation.

Viscount Colville of Culross

My Lords, I do not know offhand. I shall certainly find out and tell the noble Lord the result of my researches. That appears to be the limit reached by the courts under the Criminal Damage Act.

As for the Criminal Attempts Act and the possibility of making this a much broader issue in criminal law whereby preparatory acts in themselves would become attempts, the noble Lord is leading us into dangerous paths. It was precisely because they are only preparatory acts and not attempts that the Bill takes the form that it does. If we departed from long-standing arrangements and definitions of attempts so as for the first time to include preparatory acts, we should be bringing into the criminal law a large range of activities which at the moment stand outside it. Considering that the penalties for an attempt are the same as for the substantive offence, that is a major step to take and certainly not one that I would wish to embark upon simply in relation to computers and without a great deal more thought. The noble Lord may find that in the end it is better to deal with this in the specific way set out in Clause 2.

The noble Lord may also like to look, in terms of the way in which we are dealing with the introduction of overseas viruses, at the definition in Clause 17 (7) of causing a modification. He will see that we have arranged to take the exercise quite a long way down the stream of successive introductions of viruses. The noble Lord may care to study that.

The noble Lords, Lord Milne and Lord Williams of Elvel, referred to technology and in particular to the definition of a computer. It is precisely because technology marches on so fast that it has been thought better not to include a definition of computer. That being the case, one needs to turn to the second point of the noble Lord, Lord Williams, which was dealt with to some extent by my noble friend Lord Trefgarne. The noble Lord asked whether we ought to take powers to keep ourselves up to date. I suggest that the drafting of this Bill and the formulation of these new criminal offences have been done broadly in a way which ought to take account of the technology as it progresses. I agree with my noble friend Lord Trefgarne that if one is dealing with serious criminal offences—the offences in Clauses 2 and 3 carry maximum sentences of five years in prison and an unlimited fine—it would be doubtful whether the wisdom of Parliament would allow this to be done by way of extending these criminal offences through secondary legislation. Parliament likes to look at criminal offences of that seriousness before they go on to the statute book as primary legislation.

Lord Williams of Elvel

My Lords, I agree with the noble Viscount on that point. My problem is related to the definition. There are times when Parliament can rely on secondary legislation to extend definitions although the criminal procedure is enshrined in primary legislation.

Viscount Colville of Culross

My Lords, we can return to that in Committee. The provision in Clause 17 is a pretty cunning piece of work. I suspect that it will stand the test of time for a while at least. Of course if there are any further suggestions to improve it I shall be delighted to hear of them and to consider them most seriously.

It looks as though we shall have something to discuss in Committee. However, for the moment I am grateful for the welcome the Bill has received today. I commend it to the House.

On Question, Bill read a second time, and committed to a Committee of the Whole House.