JBM Security, Networking & Web Development
Author: Administrator
Date: December 16, 2006 (10:05 PM)

Tsunami 'hacker' conviction worries experts

Colin Barker and Rupert Goodwins ZDNet UK

Published: 07 Oct 2005 15:40 BST

The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee's fundraising Web site has left security experts leafing through the magistrate's decision to try and understand the full implication of the verdict.

On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Computer Misuse Act on the afternoon of New Year's Eve, 2004. He admitted attempting to access the Web site, which was collecting donations for victims of last year's tsunami.

During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access.

The defence also pointed out that Cuthbert had not attempted to defraud the site. Security expert Peter Sommer is concerned by the conviction.

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted," said Sommer, senior research fellow at the London School of Economics’ Information Systems Integrity Group.

Under Section 1 of the Computer Misuse Act, 1990, any unauthorised access to a computer site can be considered a crime, if the person accessing the system knows that he is not authorised to access the site.

As the Act says, "a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case."

In making his decision, district judge Mr Q. Purdy said that the court would have to take into account Cuthbert’s previous conduct when deciding whether he was guilty.

"This is not an infallible guide," Judge Purdy said. "If it was, there would be no first time offenders." But he indicated that as Cuthbert had no previous convictions and an "unblemished" record he would be inclined to find him not guilty.

This is thought to be the first time that a judge had indicated that — despite the letter of the act — knowingly accessing a system when unauthorised to do so is not necessarily a crime.

Instead, Judge Purdy found Cuthbert guilty, because he had initially lied to the police about what he had done; Cuthbert originally told the police one story and later changed it.

Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

The fact that Cuthbert had changed his story on how and why he had originally accessed the site was the crucial factor in reaching a conviction, the judge said.

Sommer backed up this point.

"The major problem was that he gave them an overly complex explanation which turned out not to be true, and involved them in a lot more work. That's probably why the judge didn't give him a conditional discharge, which was open to him," Sommer told ZDNet UK.

Sommer is now digesting the implications of the judge’s ruling.

"There are a number of long term issues," said Sommer. "We've now got a very strict interpretation on how Section 1 works and how it might be interpreted in terms of an attempt. Some of the tests you might instinctively want to run to see if a site is valid may fall foul of a strict interpretation."

Sommer added that there are also public policy implications. "Once someone's charged, there's almost no defence. Is it in the public interests to prosecute people who haven't done anything very serious if you know they'll lose their profession as a result?"

"I've run into a lot of people in the penetration test community over the past few months, and they're all sympathetic to Dan. Their view was that he merited a ticking off, not losing his job. The police need the help of penetration testers and this won't help," Sommer said.

A computer consultant has been convicted of gaining unauthorised access to a Web site collecting donations for victims of last year's tsunami, even though the judge hearing the case accepted that he meant to cause no harm. 

Daniel Cuthbert of Whitechapel in London was found guilty on Thursday afternoon of breaching Section One of the Computer Misuse Act, 1990, on the afternoon of New Year's Eve, 2004.

Cuthbert, who at the time of his arrest had been employed by ABN Amro to carry out security testing, had pleaded not guilty to the charge. He was fined £400 plus £600 costs.

District judge Mr Q. Purdy, who heard the case, told Cuthbert it was "with deep regret that he was finding him guilty" given his record of unblemished good behaviour. But Judge Purdy also said that Cuthbert had changed his defence, between being interviewed by police at the beginning of the year and his appearance in court this week.

Judge Purdy said that Cuthbert was "deliberately trying to throw the police off the trail", by saying one thing and then another.

Earlier this year it was reported that Cuthbert had donated money to the Tsunami appeal using the text-only Lynx browser, which can appear to behave differently to other browsers from the server's point of view.

But in court on Wednesday, Cuthbert said he had made a £30 donation to the site, after clicking on a banner advert. When he received no final thank-you or confirmation page he suspected he might have fallen victim to a phishing scam, so he carried out two tests to check the security of the site.

Cuthbert's defence team had argued that he had merely 'knocked on the door' of the site, pointing out that he had the skills to break into it if he wanted.

Section one of the CMA says that it is an offence to make "unauthorised access to computer material". There is no burden on the prosecution to prove that the accused had intended to cause any damage.

Judge Purdy accepted that Cuthbert had not intended to cause any damage, and also pointed out there was almost no case law in this area.
 
Copyright 2010 JB MacLean Consulting Inc.
All rights reserved.