Cyberlaw and Denial of Service


Spyridon Rekkas
Supervised by Dr. Richard Overill


Acknowledgements

I would like first of all to thank my supervisor Dr. Richard Overill for his support and inspiration. I am also grateful to my personal tutor, Dr. Andrew Jones, for assisting me during this year. Thanks must also go to Dr. Richard Clayton for the inspiring conversation we had. I would also like to thank my friends, both in England and Greece, for their constant support and interest. Finally, but most importantly, a special thank you to my parents and my brother who have always encouraged me in whatever I want to do. Without their support, both financial and psychological, I would not have been able to accomplish this dissertation, and this is why I would like to dedicate it to them.

Contents

Glossary
Abstract
1. Introduction
   1.1 Reasons of attacking
   1.2 Potential costs
   1.3 Why is DoS feasible?
   1.4 Defences
   1.5 Legislation
   1.6 Identify legal ways of launching a DoS attack
   1.7 Present a scenario that criminalises legitimate security practices
   1.8 Purpose of the study
2. Technical background
   2.1 Introduction
   2.2 Methods of attack
      Logic attacks
      Flooding attacks
      Distributed Denial of Service - DDoS
   Methods of defence
      Preparation phase
      Detection of the attack
      Mitigation of the attack
      Holistic approach
   Trends on Denial of Service
      Sophisticated attacks
      Attacks against wireless networks
   Cost on businesses
   Definition
Legislation
   England and Wales law
      Statutes
      Case law
   Other countries' legislation
      The European Union
      The United States of America
      Australia, New Zealand and South Africa
Discussion
   Introduction
   DoS attacks and legislation
      4.2.1 Logic attacks and legislation
      Flooding attacks
      DDoS and legislation
   Latest DoS attacks and legislation
      Sophisticated attacks and legislation
      Attacks against wireless networks and legislation
   Outcome of the analysis
   Scenario of criminalising legitimate tools
      Introduction
      Scenario
      Possibility of the scenario
      Legal analysis
      Conclusion
Conclusion
References
Bibliography
Appendix 1: UK statutes
   A. Computer Misuse Act
   B. Police and Justice Act
   C. Malicious Communications Act
   D. Protection of Harassment Act
   E. Communications Act 2003, section
   F. Wireless Telegraphy Act 1949, section
Appendix 2: Other countries' legislation
   A. EU - Council Framework Decision 2005/222/JHA
   B. EU - Convention on Cybercrime
   C. USA - Fraud and related activity in connection with computers
   D. USA - Patriot Act 2001, sections 202 and
   E. Australia - Cybercrime Act 2001, divisions 476,
   F. New Zealand - Crimes Act 1961, sections 248,
   G. South Africa - Electronic Communications and Transactions Act, chapter

Glossary

Bot: software application that runs automated tasks over the internet
Botnet: collection of bots
CMA: Computer Misuse Act
CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance
DDoS: Distributed Denial of Service
DNS: Domain Name System
DoS: Denial of Service
eDoS: energy-based Denial of Service
GSM spectrum: the radio spectrum used for mobile communications
Honeypot: a network decoy
ICMP packet: Internet Control Message Protocol packet
IDS: Intrusion Detection System
IRC: Internet Relay Chat
ISM spectrum: Industrial, Scientific and Medical spectrum
ISP: Internet Service Provider
MAC layer: Medium Access Control layer
P2P network: peer-to-peer network
Patch: update for an application
PJA: Police and Justice Act
TCP/IP: Transmission Control Protocol / Internet Protocol
Trojan horse: application that installs malicious software while pretending to perform another operation
UDP: User Datagram Protocol
Virus: program that copies itself
Worm: a self-replicating computer program
Zero day exploit: exploitation of a vulnerability immediately after its announcement
Zombie computer: computer commanded by another user

Abstract

In this dissertation Denial of Service (DoS) attacks will be examined in combination with UK legislation. Denial of Service is an attack against an organisation's service that aims to prevent legitimate users from accessing it. This cybercrime has grown over the last years and the English legislature made an effort to address it in [year missing from the transcription]. The technical background of DoS attacks will be analysed, including the methods of attack, the defences and the recent trends. Moreover, I am going to calculate the cost for an attacked organisation. In addition, the relevant legislation of the UK and other developed countries will be presented. The technical background will be examined in combination with the legislation in order to identify a way of attacking legally. The outcome of this study will be that at the moment there is not a way of performing a DoS attack legally under UK law. Moreover, I will present a scenario depicting that the existing legislation could criminalise the common practice of network administrators of creating and sharing attacking tools in order to improve internet security.

Keywords: Denial of Service, Network Security, Cyberlaw

1. Introduction

The evolution of the internet and of electronic commerce over recent years, combined with the transformation of the economy into one based on the services sector, a great number of which are offered electronically, has led to a complete dependency on networks and the services offered through them. Both the public and the private sector use computer networks in order to operate and do business. It is clear that the disruption of a service can cause great damage to an organisation and, if a general internet function is disrupted, to the economy and everyday life. Denial of Service (DoS) attacks have this particular objective: to make an electronic service unavailable to its intended users. [Gex07]

The internet is not an ideal virtual world; there are several factors that render online communications insecure and unreliable. It has a lot of security vulnerabilities, there are several reasons to exploit them and many persons willing to do it. It is a fact that the evolution of technology and the economy moves in parallel with the evolution of crime. Following this rule, many crimes have migrated to cyberspace and new ones have appeared. Malware, such as viruses, worms and trojan horses, threatens the computers connected to the internet and poses serious problems for their users and for network communications. Fraud has shifted into the electronic context, targeting the continuously growing electronic commerce. Moreover, terrorists have found a new and, in general, safer way to attack. The list of internet crimes is huge. Among them are Denial of Service attacks (DoS) whose aim, generally speaking, is to disrupt an internet-based service and prevent legitimate users from accessing it. DoS attacks are a common threat on the internet and a lot of effort is made to prevent them and avoid their effects on businesses and communications in general.
It is well known that the three key elements of computer security are confidentiality, integrity and availability. While many practices exist that target the confidentiality and the integrity of network communications, DoS is the cybercrime that jeopardises the availability of networks and the services offered via them, and this is why it is really important to analyse it.

1.1 Reasons of attacking

It could be said that denying service to the users of an organisation does not provide any profit to the cracker, in comparison to electronic fraud for example, but there are several reasons explaining these attacks. First of all, it is a matter of reputation. There is a battle among internet hackers over who is the cleverest and can cause the greatest damage to a reputable service or company. Launching a successful denial of service attack against a famous website or against a secured target gives credit to the attacker. It could be the case that the major attacks launched in February 2000 against famous websites, such as yahoo.com and e-bay.com, were organised only for reputation purposes. Related to this reason is also the issue of technical challenge. Several internet and programming experts seek new challenges either to demonstrate their knowledge or simply to test their abilities. Major Denial of Service attacks require technical knowledge and a degree of preparation. This renders the launch of a DoS attack a serious and challenging undertaking. [ICANN07], [MDDR05]

Besides the recognition purposes, denial of service also has some deeper reasons. It is used by persons aiming for money, by companies attacking their competitors and by terrorists. Small and medium businesses are often victims of extortion. Companies that rely on the internet in order to provide their services, or those that rely on networks in order to perform their operations, can be possible targets.
Criminals extort these organisations by asking for money in order not to launch a DoS attack against them. It is clear that not being able to offer services can have a major cost impact. Extortion using DoS attacks is becoming a usual practice. For example, in 2004, a group of criminals was threatening online gambling websites. [Ing05] It was also reported that the reason for some attacks is competition. Rival companies that do business in the same sector attack each other in order to attract more customers. Especially in some areas, where a

lot of businesses exist offering the same service with approximately the same quality, denying the service of another company can easily make its customers switch to another website. In 2004, the CEO of an online satellite TV retailer hired some computer experts in order to attack three rival online stores [SF04], [MDDR05], [CCPI].

Moreover, some Denial of Service attacks appear to be launched for political reasons. This was proposed to be the case of a major attack against Estonian websites in April of [year missing from the transcription]. A list of Estonia-based websites, including the prime minister's website and police websites, were hit by a massive DoS attack and became unavailable. This attack occurred after a controversial decision of the Estonian government to remove a Soviet-era statue from the centre of Tallinn. Some sources claimed that this attack was the work of Russian users opposed to this decision [AT07], [NW07], [NYT07]. Furthermore, an attack against the USA White House website was reported to have been launched by Chinese users after the Chinese embassy in Kosovo was bombed by USA aircraft during the war [CNN99]. The above observations lead us to believe that Denial of Service can also be used by cyber terrorists.

1.2 Potential costs

An analysis of the reasons for attacking leads to the conclusion that a DoS attack has certain serious consequences for the economy and life in general. Having its service disrupted can be really costly for a company: not being able to perform transactions, having to restore its system and losing its clients' trust. Being unable to offer its service even for a short time period is a really crucial damage for an organisation that relies on the internet to do business, such as online betting websites. The cost becomes greater as, in extortion cases, the criminals choose the right time to launch their attack. Some UK betting websites, for instance, were hit in 2004 just before the European Cup of football, when many bets were expected.
[SIL04] Moreover, businesses have to pay some costs that are not directly related to the lost transactions. The cost of restoring an internet system can include many aspects, such as reconfiguring the server or replacing damaged infrastructure. In addition, an attacked company wanting to prosecute its attackers has to cover considerable forensic and litigation costs. Finally, reports show that several users trying to access a website under attack never choose to do business again with the particular organisation, because they lose their confidence in it or because they discover a better, rival website during the attack and switch [AG05].

1.3 Why is DoS feasible?

Considering the dependency of communications on the internet and the efforts made to secure internet systems, it is logical to examine why launching a DoS attack is feasible and also the ways of performing an attack. In general, there are several ways of performing a DoS attack. Since the main aim is to deny a service to legitimate users, every vulnerability of the online transaction can be exploited. Nevertheless, the main point of attack is usually the server that hosts the desired service. The first method of attacking is to consume certain resources that are vital for the communication between the client and the server, such as bandwidth, memory or CPU time. This is usually achieved by flooding the company's network with IP packets. Another option is to alter the configuration of the server. This attack is usually performed by the so-called logic attacks, which try to exploit a vulnerability of the server's operating system or its applications. Finally, physically damaging the infrastructure of the targeted organisation can also lead to a denial of service situation, even though this practice is not commonly used.

As the internet is built on limited resources, it is logical that there is not much to be done against a flooding attack.
This is the main idea behind the internet: being based on networks and on best-effort communications that do not ensure quality of service. As a result, the best way for a company to avoid DoS, apart from some more sophisticated methods, is to obtain unlimited resources; a costly and virtually impossible option. [HW01]

The second reason that makes DoS feasible is the fact that internet security is interconnected. This, in relation to the fact that flooding attacks, the most common form of DoS, use thousands of zombie

computers, leads us to conclude that it is not possible to totally secure a company's network. Attackers prepare the attack, called a Distributed Denial of Service (DDoS), by trying to take over unsecured computers, transform them into zombie agents, create botnets and command them to flood the targeted service in order to consume a vital resource. This amount of traffic either crashes the server or prevents legitimate users from accessing it. It is impossible for a company to control the security of all internet-connected computers. As long as unsecured machines which can be exploited by potential criminals exist, the launch of a Distributed Denial of Service attack will be feasible.

Finally, the third reason explaining the growth of denial of service attacks is that the attackers seem to be more organised and forward-looking than network administrators and businesses. It is the attacker who makes the first step and, as a result, he has an advantage. Furthermore, some DoS tools can be downloaded free from the internet so that everyone in the hacker's community can use them [IW], [Angel]. This mere fact demonstrates that the hackers are well organised with regard to their collaboration. On the other hand, there is a lack of tools and standards for defending against an attack. Moreover, as the main concern of an attacked business is to start delivering service again, not much effort is made to collect and analyse data about the attacks. As a result, while the hackers analyse the internet systems and prepare their attacks, businesses usually do not gather information about them. [Usen00]

1.4 Defences

It is essential for an organisation to be able to defend against a Denial of Service attack, as a potential disruption of its services can have a major impact. Even though the security of the internet is interconnected and, hence, cannot be assured, companies can perform some actions in order to secure their infrastructure.
An organisation has, firstly, to get prepared to confront a DoS attack, has to be able to determine when it is under attack and, finally, must perform certain actions in order to mitigate its effects. First of all, the company has to get prepared at both the organisational and the technical level. The management has to create a response plan and also has to give the security analysts the means to strengthen the company's infrastructure. Moreover, the network administrators have to be able to identify possible attacks, as it is important for the continuation of the service that a DoS attack is identified in time. Finally, it is also crucial that they have the expertise to act immediately and to protect the network's resources. After the mitigation of the attack, the company has to be able to give computer forensics experts the possibility to examine the incident, so as to help the security community gather information and prevent future attacks of this kind.

1.5 Legislation

The governments, having realised the economy's dependency on networks and the seriousness of the problem, are trying to address this issue by updating their legislation or by drafting new laws. The problem with Denial of Service attacks is that they are a slightly harder subject to criminalise, as they do not always involve an unlawful action. For example, if an attacker succeeds in placing a million bets on a betting company's website and, as a result, denies service to other users, this could not necessarily be considered unlawful, as placing one bet is completely legal and, at the end of the day, this is the purpose of the company's server. This is the main issue that the legislature had to address, and a lot of attention has been paid to it. In the UK, the main anti-hacking law is the Computer Misuse Act of 1990 (CMA). Even though it was enacted in 1990, when many cybercrimes had not even appeared, it copes well with the majority of them.
There was a debate over whether the CMA covers all the types of Denial of Service attacks and, as a result, it was amended by the Police and Justice Act of [year missing from the transcription]. Other Acts can also be used to criminalise certain types of DoS attacks and I am going to present them as well. Different countries have established different laws to combat cybercrime and there is an issue of cooperation and harmonisation of laws. In order to examine this issue, I am going to present the relevant legislation of the EU, the USA, Australia, New Zealand and South Africa. These countries and unions are the most developed technologically, have a large number of hackers and, as a result, have developed their legislation accordingly.

1.6 Identify legal ways of launching a DoS attack

The next step of this dissertation will be to combine the knowledge acquired from the technical part and the legal part. I am going to examine every type of attack in order to identify whether there is one that can be launched legally under UK law. This study is important as technology evolves continuously, and I will study from a computer scientist's perspective whether every type of DoS attack, older or state of the art, is covered by the existing legislation.

1.7 Present a scenario that criminalises legitimate security practices

Finally, I am going to present a case study that proves that some legitimate practices used by network administrators can be criminalised under the amended CMA. I am going to examine the case of a network administrator creating a DoS attack tool in order to test his network and, afterwards, sharing it with other administrators. This is a common practice among security experts, as they tend to exchange tools and knowledge in order to help each other and promote internet security in general. I am going to show that this practice can be an offence under the revised CMA.

1.8 Purpose of the study

To summarise, this dissertation is divided into two equal parts. In the first part, I am going to examine the background of Denial of Service attacks. I will analyse the ways of performing an attack, the methods of defence and the potential costs for a business. At the end of this section I am going to present a definition of DoS attacks. The next part is the presentation of the relevant legislation. Furthermore, I will discuss to what extent some DoS attacks can be launched legally, bearing in mind the technical and the legal knowledge acquired from the two parts. This study is important as there is not a relevant analysis in the bibliography, especially after the amendment of the CMA.
Finally, I am going to present a scenario that shows that a usual practice of security experts can be criminalised under the revised UK computer crime legislation. This is also a novel study as, despite the debate around this issue, there is not a relevant analysis from a computer scientist's point of view.

2. Technical Background

2.1 Introduction

In this section I am going to examine the technical background of Denial of Service attacks. I am going to analyse the methods of attack, the ways of defending, the potential costs and, finally, I am going to present a definition of Denial of Service attacks.

2.2 Methods of attack

We can distinguish two main types of Denial of Service attacks: those that try to take advantage of the server's or the connection's vulnerabilities, called logic attacks, and those that, using brute force, aim to overload the connection or crash the server. Both types try to consume some of the service's vital resources, such as connection bandwidth, CPU time, memory, data structures, file descriptors or disk space, or try to alter the server's configuration. All the types of attack aim to crash or slow the server or flood the network in order to prevent legitimate users from using the service offered.

Logic attacks

In a logic attack, the cracker explores the server's operating system, its applications or the network structure in order to identify certain vulnerabilities and exploit them. The success of these attacks is based on the knowledge and the experience of the attacker, and they do not need sophisticated computers or networks in order to be performed. Taking into consideration the computational power of a server in

comparison with a single computer, these attacks are also called asymmetric attacks [CERT99]. Even though software companies keep examining their products for bugs and vulnerabilities and updating them, there are always some clever ways to find a security gap, crash a server and deny service to normal users. Even if the administrator of a system tries to keep it up to date, zero day exploits can be really effective. A zero day exploit occurs when a cracker takes advantage of a program's vulnerability when the software vendor announces it and before its users install the relevant patch. [SES07] These vulnerabilities can range from very small to really important. For example, a gap in the Windows Graphics Device Interface could cause Internet Explorer to restart continuously. A more serious issue could cause a web server to crash. A fragmented ICMP packet, for example, could have this effect. [USC07], [MIC99]

I am going to describe briefly certain DoS logic attacks, such as the teardrop, the land, the ping of death, christmas tree packets and the Naptha, in order to illustrate how this type of attack works. [HMPW01] The teardrop attack exploits a vulnerability of the TCP/IP implementation that causes the code that reassembles fragmented packets to handle them improperly [UniH]. Another example of a logic attack is the land attack, which exploits a bug of Windows 95. Sending an altered IP packet that contains the same source and destination addresses causes the machine to crash [INS97]. The ping of death attack is based on the inability of certain operating systems to handle IP packets larger than 65,535 bytes [About], which is the maximum size of a packet [CIE]. To continue, another logic attack is based on the use of christmas tree packets. These are IP packets that have all their header flags set to 1.
As more time is required in order to process them, a sequence of christmas tree packets can force a server to use its resources in dealing with useless traffic [KL01]. Finally, Naptha is a set of vulnerabilities identified by BindView's RAZOR Security Team that leads a machine to a resource starvation situation [CERT00].

Another major category of logic Denial of Service attacks are those that try to alter the configuration of a machine in order to render it useless or unable to offer its intended service. A usual attack is to alter or destroy the routing information of a server. If the attacker succeeds in changing or erasing the routing table of a server, it will be unable to communicate properly and, hence, incapable of serving the requests [CERT99]. Moreover, changing any critical configuration file of a machine can cause damage that possibly affects the service provided. Modifying, for example, the registry files of a Windows NT machine can render some services unavailable.

Flooding attacks

Logic attacks have been a useful weapon in the hands of the attackers, but the more recent trend is to use flooding attacks in order to launch a denial of service attack. The basic idea of a flooding attack is to send a vast amount of packets in order to use the entire server's bandwidth, or to send a large amount of data in order to consume certain resources. In both situations, legitimate users are unable to use the service, either because the server cannot handle the attack and crashes or because the server uses its resources to deal with the attacking data and not with normal traffic. This type of attack is easier to launch as it just uses brute force against the server. It does not require expertise or knowledge on the side of the attacker as logic attacks do. The main issue while performing a flooding attack is to produce a large amount of data quickly enough that a server cannot handle it.
It is a fact that a single computer, no matter what power it has, cannot produce this stream of packets. A server will always be able to handle it. The solution to this issue from the side of the hacker is a Distributed Denial of Service attack (DDoS) that uses many cooperating computers in order to attack. I am going to examine DDoS in the next chapter. Some of the best known types of flooding attacks are the Tribe Flood Network (TFN) tool and its TFN2K evolution, Trin00, Stacheldraht, which combines the first two, the SYN attack, and smurf attacks. Trin00 was the first Distributed Denial of Service tool to become known [KMSW01]; it was released in December 1999 [Sym99]. It created a flood of UDP (User Datagram Protocol) packets attacking one

or more targets [CERT99b]. UDP attacks take advantage of the fact that UDP is a connectionless protocol. When a server receives a UDP packet on one of its ports, it tries to identify which application is attached to this port. If no application seems to be using the specific port, it generates an ICMP packet to the sender. The attack sends UDP packets to random ports of the target from spoofed addresses. As a result, if a sufficient amount of packets is sent, the server will crash. [NWD]

The next highly used tool was Tribe Flood Network, or TFN, which, besides launching UDP packet attacks, allowed for TCP/SYN flood and ICMP directed broadcast attacks, the same type that smurf attacks use. TFN's evolution was TFN2K, which improved the communication between participant machines and also included a new way of attack using malformed IP packets. These packets, having invalid values for fragmentation, flags, offset or other header fields, can have a major impact on a server as they are able to make it crash [KMSW01]. Sending malformed IP packets to a server, also known as the Targa3 attack, causes the server to allocate resources to handle them and, eventually, crash [CIAC00]. To continue, Stacheldraht is a tool used for DDoS that combines the strong points of the Trin00 and TFN tools. It uses, as modes of attack, ICMP, UDP and TCP/SYN attacks. I am going to examine the organisation and the distributed aspect of these attacks in the next chapter.

The TCP SYN flood attack tries to tie up a critical resource of the server: the data structures dedicated to establishing connections. These data structures are created in the memory of a server and are a limited resource. In order to achieve the attack, connections with the server are initiated and left incomplete. A connection in the TCP/IP protocol is established with a process called the three-way handshake.
The client sends a SYN packet to the server, this is an IP packet with the ACK header field set to 1, and the server responds with a SYN/ACK (acknowledgment) packet. The last step of the handshake is an ACK packet from the side of the client. Then, the two sides are ready to start communicating. The SYN flood attack initiates connections, involving the first two steps, but the client does not respond with an acknowledgement. As a result, the relevant data structure of the server is in use until the time-out that indicates that the client will not respond. Sending many requests and tying up the data structures in the server's memory prevents legitimate users from sending requests to the server, or even exhausts the server's memory and makes it crash. [CERT96], [SuS05], [CK06] In order to hide themselves and, mainly, to produce these fake requests, attackers usually use IP spoofing. This is a technique where the hacker steals and uses someone else's IP address [CERT96], [SF03]. It is logical that a SYN attack, like the other flooding attacks, can be launched more efficiently by using many machines, in a DDoS scheme. In the next figure, we observe a SYN/ACK attack.

Figure 1: A SYN/ACK attack (source URL missing from the transcription)

Besides UDP and SYN/ACK attacks, the third flooding method that is highly used by DDoS tools is ICMP broadcasting, or the ICMP attack. The idea behind an ICMP attack is relatively simple. The attacker spoofs the IP address of the victim machine and sends an ICMP echo packet to a network's broadcast address. As a result, the network will reply to the echo packet by performing a ping to the target

machine. This sequence of packets will, eventually, cause the target machine to crash. A schematic representation of an ICMP attack is illustrated in the following figure.

Figure 2: An ICMP attack (ftp://ftp.hp.com/pub/networking/software/ _ch06.pdf)

Distributed Denial of Service - DDoS

A Distributed Denial of Service attack is a flooding attack launched by several attacking computers. The basic idea behind this type of DoS is that many weak machines attack a stronger one [JI]. The most common case is when an attacker searches for unsecured computers, takes control of them and coordinates them to launch a Denial of Service attack [BT00], [MmD04]. Despite the fact that DDoS tools are available to download free from the internet [IW], this type of attack requires a higher degree of preparation and commitment from the side of the attacker. A DDoS attack can be divided, in general, into three stages. The first stage is to identify and recruit the computers that will participate in the attack. Then, the attacker has to create communication channels with these agent computers. The third, and last, stage is to actually launch the attack. [MDDR05]

Recruiting the computers that are going to participate in the attack is the first move of the attacker. The number of zombie agents, the computers handled by the attacker in order to launch the distributed denial of service attack, varies depending on the type of the attack, the power of the targeted service and the will of the attacker. It is logical that the attacker will try to compromise the computers that will be most useful during the attack. This means that she is searching for high computational power, high-speed internet connections and a low level of security. During the last years, with the establishment of broadband connections in the majority of houses and businesses, the number of potential agents has increased [MDDR05].
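As an added example (not part of the dissertation), the following Python sensor turns the logic attacks described above (land, christmas tree, ping of death, teardrop) and the SYN flood half-open-connection problem into detection checks run over constructed packet records. The Packet fields, the 65,535-byte datagram limit check and the half-open threshold are assumptions of this example, not of any real IDS.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

IP_MAX_DATAGRAM = 65535                         # largest IP datagram, in bytes
ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


@dataclass(frozen=True)
class Packet:
    """Simplified, constructed view of one packet as a sensor would decode it."""
    src: str
    dst: str
    proto: str                                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()         # TCP flags present in the header
    frag_id: int = 0                            # IP identification field
    frag_offset: int = 0                        # fragment offset, in bytes
    more_fragments: bool = False                # IP "more fragments" bit
    payload_len: int = 0                        # bytes after the IP header


def header_anomalies(pkt: Packet) -> List[str]:
    """Stateless checks for the malformed packets the logic attacks rely on."""
    found = []
    if pkt.src == pkt.dst:                                      # land
        found.append("land")
    if pkt.proto == "tcp" and pkt.flags == ALL_TCP_FLAGS:       # christmas tree
        found.append("christmas-tree")
    if pkt.frag_offset + pkt.payload_len > IP_MAX_DATAGRAM:     # ping of death
        found.append("oversized-datagram")
    return found


class FragmentTracker:
    """Keeps fragment byte ranges per (src, dst, id) to spot teardrop overlaps."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = defaultdict(list)

    def observe(self, pkt: Packet) -> Optional[str]:
        if not (pkt.more_fragments or pkt.frag_offset):
            return None                                         # not a fragment
        key = (pkt.src, pkt.dst, pkt.frag_id)
        start, end = pkt.frag_offset, pkt.frag_offset + pkt.payload_len
        overlap = any(s < end and start < e for s, e in self.ranges[key])
        self.ranges[key].append((start, end))
        return "overlapping-fragments" if overlap else None


class HalfOpenTracker:
    """Counts handshakes stuck after the SYN step per server socket (SYN flood)."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.half_open: Dict[Tuple[str, int], Set[tuple]] = defaultdict(set)

    def observe(self, pkt: Packet) -> Optional[str]:
        if pkt.proto != "tcp":
            return None
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        server = (pkt.dst, pkt.dport)
        if pkt.flags == frozenset({"SYN"}):                     # handshake step 1
            self.half_open[server].add(conn)
        elif "SYN" not in pkt.flags and pkt.flags & {"ACK", "RST"}:
            self.half_open[server].discard(conn)                # step 3, or an abort
        return "syn-flood" if len(self.half_open[server]) > self.threshold else None


def classify(packets: List[Packet], syn_threshold: int = 5) -> Dict[str, int]:
    """Run every check over a packet stream and count the findings by kind."""
    frags, syns = FragmentTracker(), HalfOpenTracker(syn_threshold)
    counts: Dict[str, int] = defaultdict(int)
    for pkt in packets:
        for tag in header_anomalies(pkt) + [frags.observe(pkt), syns.observe(pkt)]:
            if tag:
                counts[tag] += 1
    return dict(counts)


def tcp(src: str, dst: str, flags: set, sport: int = 40000, dport: int = 80) -> Packet:
    return Packet(src, dst, "tcp", sport, dport, frozenset(flags))


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one packet of each malformed kind, a clean handshake
    and a burst of SYNs from spoofed sources that never complete."""
    srv = "10.0.0.10"
    pkts = [
        tcp(srv, srv, {"SYN"}, 139, 139),                                 # land
        tcp("198.51.100.7", srv, ALL_TCP_FLAGS),                          # christmas tree
        Packet("198.51.100.8", srv, "icmp", frag_id=9, frag_offset=65528, payload_len=16),  # ping of death
        Packet("198.51.100.9", srv, "udp", frag_id=3, frag_offset=0, more_fragments=True, payload_len=100),
        Packet("198.51.100.9", srv, "udp", frag_id=3, frag_offset=24, payload_len=100),     # teardrop overlap
        tcp("203.0.113.5", srv, {"SYN"}),                                 # clean handshake
        tcp(srv, "203.0.113.5", {"SYN", "ACK"}, 80, 40000),
        tcp("203.0.113.5", srv, {"ACK"}),
    ]
    pkts += [tcp(f"192.0.2.{i}", srv, {"SYN"}) for i in range(1, 8)]     # spoofed SYN burst
    return pkts
```

Running classify(sample_traffic()) reports one finding of each malformed kind and two "syn-flood" hits, raised once the sixth and seventh spoofed SYNs push the server socket past the threshold; the completed handshake from 203.0.113.5 is correctly released by its ACK.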
The first step in recruiting zombie machines is to scan for vulnerable computers connected to the internet. In the early days scanning was done manually by the attacker, but scanning methods and software have been developed over the last few years. Firstly, she can use scanning packages such as nmap [SL04], which search a list of given addresses and return information about the machines connected to them. Moreover, the cracker can use IRC bots, programs running in the background and examining IRC communications, to perform the scanning on her behalf. Another option is to use internet worms, programs written to replicate themselves and spread over the internet, to search for vulnerable machines and report them to the attacker.

After scanning the internet for vulnerable machines, the attacker has to take control of them in order to coordinate them and launch the attack. To own a system, the attacker has to exploit the specific vulnerability and gain control of it. In the majority of the vulnerabilities discovered, he gains administrative rights to the computer [MDDR05]. Clearly, software vendors fix security gaps discovered in their systems, so the attacker has to act quickly, often performing a zero-day attack [SES07]. After a vulnerability has been exploited by a cracker, he circulates this information within the hacker community and it becomes available to other potential crackers too, until the company's next security update is released and installed by its customers. The systems that are now owned by the attacker are called zombies or agents.

The second phase of a Distributed Denial of Service attack is the establishment of communication channels between the agents and the attacker. This communication has two specific purposes: first, to coordinate the agents and organise the attack and, second, to collect data about the attack. The communication can take place via handler/agent networks or IRC channels [MDDR05].

The first DDoS tools used the handler/agent approach to provide communication channels between the attacker and the zombie computers. The attacker, also called the client, selects a few zombie computers to be its handlers, or masters. Then every master is assigned several compromised computers, which are called agents in this scheme. The attacker therefore sends commands to the handlers and they pass them on to the agents. This communication is achieved by the normal internet mechanisms, such as TCP/IP, UDP or ICMP packets. Specific ports are used for this communication; for example, the Stacheldraht tool uses a fixed port for communication between the attacker and the handlers [SL04], [Dit99]. The handler/agent approach is illustrated in the next figure.

Figure 3: A handler/agent approach for DDoS

The second technique that appeared for communication between the attacker and the zombie computers is the use of IRC channels. The tool Trinity was the first to be discovered using this type of communication [EM00].
The attacker as well as the compromised machines log in to the same IRC channel and communicate through it [IWAR00]. This scheme has several advantages. Firstly, the attacker is not required to run a server in order to perform the classical handler/agent communication; he can use the IRC server. This also offers anonymity and makes the forensic process more difficult. Moreover, as all the machines participating in the attack use the same channel, it is easier and quicker to handle the agents [EM00].

The third and last phase of a Distributed Denial of Service attack is the actual launch of the attack. There are several decisions to be made at this phase. The attacker has to determine the target or targets of the attack and its duration. When this decision is made depends on the tool used. Some tools allow the attacker to command the start of the attack, and others work with a preordained date and target. Moreover, it is up to the attacker to decide whether to watch the attack or to disconnect from the zombie machines in order to be safer from detection [MDDR05].

2.3 Methods of Defence

Defending against a Denial of Service attack can involve avoiding the attack, minimising its effect or gathering data about the attack. Obviously the optimum is to avoid the attack, but keeping its effects to a minimum has the same positive result of continuing your service. Moreover, even if an attack is successful, gathering data about it is very helpful for defending against future attacks [ISS].

Three phases can be distinguished in the process of defending against a Denial of Service attack. First is the preparation phase, when the organisation tries to prepare its infrastructure and its personnel for possible DoS attacks. The second phase is the detection phase, when the company must detect an ongoing attack as soon as possible in order to give the administrators enough time to react before the service is disrupted. Thirdly, the administrators have to confirm that the traffic observed is indeed an attack and try to mitigate it.

2.3.1 Preparation phase

It is important for an organisation to be aware of the risks of a Denial of Service attack and, hence, to prepare its network and its employees for a possible attack. Some organisations do not have the relevant knowledge and information about DoS attacks. Moreover, they do not consider this a potential risk, and management believes that securing the company's infrastructure against a Denial of Service attack is not worth the investment. In section 2.5 I will analyse the costs to a business under attack and show that this approach is not right, as the financial effects of an attack can be substantially larger than the cost of securing the company's service. This preparation has to be performed at two levels, operational and technical.
At the operational level, the management of the organisation has to establish a security policy and make every employee aware of it. Moreover, they have to create an incident response plan so that the network administrators know exactly what they have to do when the system is under attack. Finally, it is desirable that the company establishes communication channels with its Internet Service Provider and with several computer security organisations, such as CERT teams, in order to achieve cooperation and receive help in the event of an attack. [JM05]

The technical level of the preparation phase involves the installation of defence packages, including software and hardware solutions. The network administrators can configure the servers so that they accept traffic only from trusted IP addresses, even though this is not always possible. For example, some CISCO routers can be configured to prevent SYN/ACK attacks and IP spoofing [JMa]. On the other hand, DNS servers cannot be configured to block IP addresses, as it is their nature to offer universal service. In addition, the company can buy hardware effective enough to handle a significantly larger amount of traffic than expected. As a result, with powerful servers and high-bandwidth connections even DDoS attacks will be served without causing problems [MDDR05]. Moreover, the normal network traffic has to be recorded and analysed in order to be in a position to distinguish legitimate traffic from abnormal traffic, which might constitute an attack [JM05].

The above measures, at both the operational and the technical level, aim to protect an organisation when it is the victim of a Denial of Service attack, or even to avoid this situation. In the next two sections I am going to examine techniques for detecting and mitigating attacks when they actually happen.

2.3.2 Detection of the attack

The second phase of the Denial of Service defence scheme is the detection of an attack when it actually happens.
It is important to detect an attack against a system as soon as possible. If the administrators are alerted in time that a DoS attack is taking place, they can act to mitigate the attack and minimise its effects or even avoid them. To detect an intrusion, Intrusion Detection Systems (IDS) are used. An IDS is a system that operates on a host or a network in order to detect malicious activity [DL]. There are many commercial Intrusion Detection Systems, such as Management Intrusion Detection and Smart Defence [INS06], and some open source implementations such as Snort and OSSEC HIDS [ISP07].

IDS can be categorised into two types: knowledge-based IDS, or misuse detection systems, and behaviour-based IDS, or anomaly detection systems.

Misuse detection Intrusion Detection Systems search for known patterns that indicate the possible existence of an attack in the network traffic or in the log files of a specific host. They can search, for example, for a certain sequence of bits in IP packets indicating a buffer overflow attack, or for specific types of SYN packets that indicate a SYN/ACK flood attack. All commercial packages have implemented this type of IDS. Their knowledge base consists of known signatures of common attacks, of published vulnerabilities of operating systems and software, and of given security policies. Their main disadvantage is that they have to be maintained regularly in order to be effective, and that they are not able to detect new types of attack when they occur.

The second type of Intrusion Detection System is the behaviour-based or anomaly detection system. The idea of these systems is to use statistical techniques to detect ongoing attacks. First, their operator monitors and analyses the normal network traffic and the usual behaviour of the systems, and sets the thresholds of the IDS so as to distinguish whether the traffic on the network or the behaviour of the hosts is normal or not. The main advantage of anomaly detection is that new types of attack can be identified as such and therefore alert the administrators. Their major disadvantage is that, as they are based on statistical outcomes from certain observations, they can produce false positive or false negative alarms.
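As an added illustration of the two IDS families just described, applied to the SYN flood from the flooding attacks section, the following Python (not part of the dissertation) runs a misuse-detection signature and an anomaly-detection threshold over the same constructed record set. The addresses, thresholds and traffic shape are assumptions made for the example.

```python
"""Misuse (signature) vs anomaly (statistical) detection of a SYN flood.

Added example, not part of the dissertation. The traffic below is constructed:
60 s of baseline web traffic, one legitimate burst, then a spoofed-source SYN
flood. Addresses are documentation ranges; thresholds are chosen for the demo.
"""
from collections import Counter
from statistics import mean, pstdev

SERVER = ("192.0.2.10", 80)


# Record: (second, src_ip, dst_ip, dst_port, handshake_completed)
# Every record is a SYN; handshake_completed says whether the client's final
# ACK ever arrived (False = half-open connection, what a SYN flood leaves behind).
def make_traffic():
    records = []
    # baseline: 4, 5 or 6 clients per second, all completing the handshake
    for t in range(60):
        for i in range(4 + t % 3):
            records.append((t, f"10.0.{t % 4}.{i + 1}", *SERVER, True))
    # second 60: a legitimate burst (30 clients arriving together), still completed
    for i in range(30):
        records.append((60, f"10.0.9.{i + 1}", *SERVER, True))
    # seconds 61-63: 200 SYNs per second from spoofed sources that never ACK
    for t in range(61, 64):
        for i in range(200):
            records.append((t, f"198.51.100.{(t * 200 + i) % 254 + 1}", *SERVER, False))
    return records


HALF_OPEN_LIMIT = 100  # signature: more than this many half-open SYNs/s to one port


def misuse_detect(records, limit=HALF_OPEN_LIMIT):
    """Knowledge-based rule: flag each second with > limit half-open SYNs to one
    (dst, port). Catches the known SYN-flood pattern and nothing else."""
    half_open = Counter()
    for t, _src, dst, port, completed in records:
        if not completed:
            half_open[(t, dst, port)] += 1
    return sorted({t for (t, _d, _p), n in half_open.items() if n > limit})


def anomaly_detect(records, baseline_end=60, k=3.0):
    """Behaviour-based rule: learn the normal SYN rate from the first
    `baseline_end` seconds and flag any later second above mean + k*stddev.
    Returns (threshold, flagged_seconds)."""
    rate = Counter(t for t, *_ in records)
    baseline = [rate.get(t, 0) for t in range(baseline_end)]
    threshold = mean(baseline) + k * pstdev(baseline)
    flagged = sorted(t for t, n in rate.items() if t >= baseline_end and n > threshold)
    return threshold, flagged


def compare(records):
    """Seconds flagged by anomaly detection but not by the signature: either a
    new attack type or a false positive, so they need an analyst's review."""
    sig = set(misuse_detect(records))
    _thr, anom = anomaly_detect(records)
    return sorted(set(anom) - sig)


if __name__ == "__main__":
    recs = make_traffic()
    thr, anom = anomaly_detect(recs)
    print("signature alerts :", misuse_detect(recs))              # [61, 62, 63]
    print(f"anomaly threshold: {thr:.2f} SYN/s, alerts: {anom}")  # [60, 61, 62, 63]
    print("needs review     :", compare(recs))                    # [60]
```

The legitimate burst in second 60 is exactly the false positive the text warns about: the statistical rule flags it, the signature does not.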
[TUHH]

2.3.3 Mitigation of the attack

When an ongoing attack has been recognised, the administrators of the targeted network have two aims. The first is to act in order to minimise the effects of the attack and, if possible, to continue providing service to legitimate users. The second, equally important aim is to gather a sufficient amount of data about the attack in order to prepare for future attacks and to provide the organisation with the relevant basis to identify and prosecute its attackers.

The process of mitigating a Denial of Service attack is basically manual on the part of the network administrators, preferably in cooperation with the company's Internet Service Provider. They have to identify the type of attack, the servers that handle the illegitimate traffic and the IP addresses that send the attacking packets. The next step is to filter the IP packets originating from these addresses or to impose rate-limiting rules on the participating servers [JM05]. The main concern with this procedure is that the packets to be filtered have to be carefully selected in order to allow legitimate users to continue accessing the server.

A method of defending against Denial of Service attacks that accomplishes both our objectives, mitigating the effects and gathering information, is the use of honeypots. According to Nathalie Weiler, the installation of a honeypot in a company's network can limit the effects of a DoS attack, once it is detected, and gather data about the attack that can be used for further investigation. A honeypot is a computer system designed to attract attacks in order to mislead the hackers into believing that their attack was successful. Honeypots do not have a single specific security function; they can be used to distract attackers, to detect breaches in security and to gather information [HP07].
[NW02]

After the detection of the attack, the administrators can forward the illegitimate packets to the honeypot, which responds exactly the way the attacker expects. In this way the attacker is misled into believing that the attack is successful, while the actual network of the organisation is not affected. Moreover, the honeypot collects information about the attack: its type, the packets used and the IP addresses of the attacking machines. This information helps the administrators to identify vulnerabilities in their system and, possibly, to track the attacker's machine.
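The filtering and rate-limiting step of the mitigation process described above, as an added example (not the dissertation's own code): identified attack addresses are dropped outright, while per-source token buckets hold back a heavy sender that has not yet been identified without touching ordinary clients. The addresses, limits and traffic shape are assumptions made for the demonstration.

```python
"""Mitigation step from the text: identify attacking addresses, filter them,
and rate-limit everyone else so legitimate clients keep getting service.

Added example, not the dissertation's own code. Traffic is constructed:
one steady client, one client with a short burst, one identified attacker
and one heavy sender that has not (yet) been identified.
"""
from collections import Counter, defaultdict


# Packet: (timestamp_s, src_ip)
def make_packets():
    pk = []
    pk += [(i / 10, "203.0.113.5") for i in range(100)]        # steady client, 10 req/s for 10 s
    pk += [(5.0, "203.0.113.6")] * 45                           # legitimate burst: 45 requests at once
    pk += [(i / 500, "198.51.100.77") for i in range(500)]     # flood source: 500 req/s
    pk += [(i / 250, "198.51.100.78") for i in range(250)]     # heavy sender: 250 req/s
    return sorted(pk)


def identify_sources(packets, per_second_limit=300):
    """Step 1 of the text: find the addresses sending the attacking packets.
    Here: any source exceeding per_second_limit packets within one second."""
    per_sec = Counter((int(ts), src) for ts, src in packets)
    return {src for (_s, src), n in per_sec.items() if n > per_second_limit}


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/s, stores at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def mitigate(packets, blocked, rate=20, burst=40):
    """Step 2: drop identified attackers, rate-limit every other source with its
    own bucket so a single heavy sender cannot starve the rest.
    Returns (passed, dropped) counters keyed by source address."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    passed, dropped = Counter(), Counter()
    for ts, src in packets:
        if src in blocked or not buckets[src].allow(ts):
            dropped[src] += 1
        else:
            passed[src] += 1
    return passed, dropped


if __name__ == "__main__":
    pk = make_packets()
    blocked = identify_sources(pk)
    passed, dropped = mitigate(pk, blocked)
    print("blocked:", sorted(blocked))
    for src in sorted(set(passed) | set(dropped)):
        print(f"{src:15} passed={passed[src]:4} dropped={dropped[src]:4}")
```

The steady client loses nothing, the bursting client loses only what exceeds the burst allowance, and the unidentified heavy sender is held to roughly burst plus one second of refill.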

2.3.4 Holistic Approach

To be more realistic, the measures for confronting a Denial of Service attack do not provide absolute security to an organisation. The techniques I discussed provide a certain level of security, but it is the attacker who makes the first move, and there is always the possibility that a totally new way of attacking will appear or that an extremely large number of machines will cooperate in a distributed attack. In this case it is very difficult for the company to defend itself. Even in this scenario, though, the implementation of these measures can mitigate the effects of the attack and provide useful information for further use.

As we saw in section 2.2.3, in a Distributed Denial of Service attack the hacker compromises several vulnerable machines on the internet and uses them to launch an attack. We observe that the most critical point regarding DDoS is the protection of these vulnerable computers. Unfortunately, the level of security of every internet-connected computer does not depend on any organisation but only on its owner. As a result, the capability of a company to defend against a DDoS attack relies on the security level of the computers connected to the internet. We conclude that the responsibility for defending against an attack is not a matter for a company's network administrators alone but for all internet users.

Even though it is impossible to secure every machine in order to protect our own network, there are some simple steps that every computer user can take in order to dramatically increase the internet's level of security. It is essential, not only for the treatment of Denial of Service attacks but of cybercrime in general, that all internet users keep their software updated and have installed an effective firewall and an antivirus that is always kept up to date. Concerning DDoS attacks in particular, there exist tools that examine a computer in order to identify whether it has been compromised to act as the handler or an agent of a DDoS attack group.
For example, a tool written by David Dittrich, called ddos_scan, can scan a computer and find out whether it is a Trin00 agent, a TFN agent or a Stacheldraht agent [PJC00]. These tools are really useful for an organisation that wants to ensure that its computers are not part of the problem, but it seems impossible that every internet user will use them to check his computer.

2.4 Trends on Denial of Service

As defence mechanisms evolve and improve, attackers create more sophisticated and powerful tools. In this section I am going to examine recent trends in Denial of Service attacks. DoS attacks seem to have evolved in two directions. Firstly, the tools have become more sophisticated, in terms of causing more damage and of protecting the anonymity of the attacker, using P2P networks or amplification techniques based on DNS recursion. The second direction is the migration from wired to wireless networks, which provide more ways of launching an attack. The main evolution of DoS attacks here is the energy consumption Denial of Service attack (eDoS), which targets mobile devices and aims to exhaust their most valuable resource: battery life.

2.4.1 Sophisticated Attacks

Concerning the first direction, a recent trend in Denial of Service attacks is the use of unstructured Peer to Peer (P2P) networks in order to launch an attack. Mr. Athanasopoulos and Mr. Markatos from the Foundation of Research and Technology Hellas have researched this attack. This type of attack is based on the fact that P2P networks are decentralised and unstructured. The attacker can set his machine to reply positively to any query posed by other nodes of the network and redirect them to the targeted server. The result of this configuration is that many nodes of the P2P network try to access the designated web server in order to download the requested file. This great number of requests will overload the targeted server and eventually deny service to its legitimate users.
There are two advantages to this type of attack. Firstly, because of the decentralised nature of P2P networks, it is really hard to discover the attacker. When responding to a query, he can simply pretend to have obtained the information from one of his neighbouring nodes and hence deny liability. Moreover, this type of attack is hard to stop. It seems that P2P networks, for example Gnutella, on which an experiment was performed, have a kind of memory. This means that the nodes remember the address of a node claiming to have a requested file. As a result, the users who searched for a file and, responding to the false response from the attacker's node, tried unsuccessfully to download from the targeted server will try again for a certain period of time. This characteristic of the network multiplies the duration of the attack. [AM06]

Another type of attack that has been used heavily by hackers recently, even though it has existed since 1999, is the use of recursive DNS servers to amplify the effect of the attack. This attack is based, firstly, on the fact that DNS servers respond to every address query, as they have a universal function, and, secondly, on the fact that the response message is bigger than the query message. Moreover, the majority of DNS servers, 80% of them according to the CERT Coordination Centre, allow recursion. This means that if they do not know the requested IP address they pass the request to the upper level, producing more traffic. Attackers use these two facts to launch a Denial of Service attack. They send a large number of fake DNS requests to a DNS server, preferably one with a high-bandwidth connection, with the spoofed IP address of the victim machine as the source address. As a result, the DNS server sends the responses to all the queries to this address. The fact that the response packets are bigger than the queries amplifies the traffic and, eventually, when the targeted machine receives all the responses it is not able to handle them. [CIAC99], [USC06b]

2.4.2 Attacks against wireless networks

According to US-CERT, one threat to computer security is attacks against mobile devices, such as laptops, PDAs and mobile phones [USC06]. This tendency of cybercriminals seems logical, bearing in mind the drive of authorities and businesses to create a ubiquitous information society. This means that we are moving towards a society where we will always be connected to the internet. This involves every electronic device we might own, such as PDAs and mobile phones, not only computers.
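Returning to the DNS amplification attack of section 2.4.1: the following Python is an added example (not the dissertation's own code) of what a defender can check on each side of that attack, the victim's and the resolver's. All addresses, transaction ids, names and packet sizes are constructed for the demonstration.

```python
"""DNS amplification seen from the defender's side.

Added example, not the dissertation's own code; all addresses, names, ids
and sizes are constructed. Two vantage points from the text:
  victim side   - answers that match no query the host sent are reflected
                  traffic (the spoofed-source queries came from the attacker);
  resolver side - recursion served to clients outside the networks the
                  resolver exists for, and response bytes per query byte.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: float
    src: str           # source address as written in the packet (may be spoofed)
    dst: str
    txid: int          # DNS transaction id
    qname: str
    is_response: bool
    size: int          # UDP payload bytes


VICTIM = "192.0.2.10"
RESOLVER = "198.51.100.53"


def sample_captures():
    """Return (victim_capture, resolver_capture) for one constructed incident."""
    legit_q = DnsPacket(0.00, VICTIM, RESOLVER, 0x1A2B, "example.com", False, 60)
    legit_r = DnsPacket(0.02, RESOLVER, VICTIM, 0x1A2B, "example.com", True, 120)
    # queries the attacker sent with the victim's address as source ...
    spoofed_q = [DnsPacket(1.0 + i, VICTIM, RESOLVER, 0x4000 + i, "example.net", False, 64)
                 for i in range(5)]
    # ... and the large answers the resolver dutifully sends to the victim
    big_r = [DnsPacket(1.01 + i, RESOLVER, VICTIM, 0x4000 + i, "example.net", True, 3000)
             for i in range(5)]
    victim_capture = [legit_q, legit_r] + big_r          # the victim never saw spoofed_q
    resolver_capture = [legit_q, legit_r] + spoofed_q + big_r
    return victim_capture, resolver_capture


def unsolicited_responses(capture, host):
    """Victim side: responses to `host` whose (server, txid, qname) was never
    sent as a query by `host`. A legitimate answer consumes its query."""
    outstanding, unsolicited = set(), []
    for p in sorted(capture, key=lambda p: p.ts):
        if p.src == host and not p.is_response:
            outstanding.add((p.dst, p.txid, p.qname))
        elif p.dst == host and p.is_response:
            key = (p.src, p.txid, p.qname)
            if key in outstanding:
                outstanding.remove(key)
            else:
                unsolicited.append(p)
    return unsolicited


def reflected_bytes(capture, host):
    """Volume of reflected traffic the host absorbed."""
    return sum(p.size for p in unsolicited_responses(capture, host))


def clients_outside_served_networks(capture, resolver, served_networks):
    """Resolver side: query sources the resolver should not be recursing for.
    An open recursive resolver answers them anyway."""
    nets = [ipaddress.ip_network(n) for n in served_networks]
    return {p.src for p in capture
            if p.dst == resolver and not p.is_response
            and not any(ipaddress.ip_address(p.src) in n for n in nets)}


def amplification_per_client(capture, resolver):
    """Resolver side: response bytes sent to each client address per query byte
    received from it. A large ratio to one address is the amplification the
    text describes."""
    q_bytes, r_bytes = defaultdict(int), defaultdict(int)
    for p in capture:
        if p.dst == resolver and not p.is_response:
            q_bytes[p.src] += p.size
        elif p.src == resolver and p.is_response:
            r_bytes[p.dst] += p.size
    return {c: r_bytes[c] / q_bytes[c] for c in q_bytes}


if __name__ == "__main__":
    victim_cap, resolver_cap = sample_captures()
    print("unsolicited answers at victim:", len(unsolicited_responses(victim_cap, VICTIM)))
    print("reflected bytes:", reflected_bytes(victim_cap, VICTIM))
    print("clients outside served nets:",
          clients_outside_served_networks(resolver_cap, RESOLVER, ["198.51.100.0/24"]))
    print("response/query byte ratio:", amplification_per_client(resolver_cap, RESOLVER))
```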
The ubiquitous information society demands that wireless networks are developed in parallel with the capability of almost every electronic device to connect to the network. This rapid development in several sectors, without the relevant attention to security, draws the attention of attackers to wireless networks. As a result, many cybercrimes, including Denial of Service attacks, try to exploit the vulnerabilities that exist. In addition, wireless networks offer new resources to be exploited and targeted, such as mobility and battery life [GKF02]. As expected, the traditional ways of launching a DoS attack, logic and flooding, also exist for wireless networks. In this section I am going to present and analyse the attacks that exist specifically because of the nature of wireless networks.

An attack that can only be launched against a wireless network is the use of a very powerful radio signal to disrupt the network. This attack can be really effective, but it involves a risk for the attacker. In order to produce a signal powerful enough to create electromagnetic noise and disrupt a wireless network, a big, energy-consuming radio antenna needs to be placed near the network. This allows the administrators of the network to locate the attacker easily [JG03]. The effects of this attack can also be produced unintentionally, as WLANs operate in the 2.4GHz band, in which a lot of other devices operate too. As a result, cordless phones and microwave ovens can unintentionally cause a denial of service to a network. [JG03], [HDL05]

A more sophisticated attack against a wireless network, which only demands the use of a small device with a properly configured wireless access card, is the one that targets the Medium Access Control (MAC) layer of a wireless network. The MAC layer, in order to minimise the risk of two connected devices transmitting simultaneously, uses a technique called Collision Sense Multiple Access with Collision Avoidance (CSMA/CA).
This technique basically works as a competition scheme for the free airwave channel. The wireless nodes that want to transmit start transmitting and, in parallel, listen to the channel. If a collision is detected, the wireless router notifies the nodes and, after a random period of time, they retransmit their message. This scheme favours the nodes that have more packets to transmit. As a result, an attacking node can transmit in such a way that it always keeps the channel occupied. This has the effect of a denial of service situation for the other nodes of the wireless network. [GKF02], [AusC04]

A recent trend in Denial of Service attacks that is highly related to the mobility of computing is Energy-based Denial of Service (eDoS). The battery's energy is the most important resource of a mobile device and, despite the advancement of every aspect of information systems over the last years, there has not been considerable development in battery lifetime [WA07]. Despite the fact that eDoS attacks have not been reported, the scenario of confronting this type of attack often in the future is highly possible.

The idea of eDoS attacks is to force the targeted machine to perform certain energy-consuming tasks in order to quickly drain its battery. Exhausting a machine's battery life definitely leads to a denial of service situation, as its user is not able to perform any task. This is the difference from the other methods of attack, where the hacker has to continue attacking in order to keep denying service. In eDoS, she can stop the attack after she has accomplished her aim and continue with other machines if desired [MHHK04]. According to [MHHK04], three types of attack exist. Firstly, those which ask for a particular, energy-consuming service from the targeted computer. The second type is to force the machine to execute a legitimate but demanding process. The third option is to alter an executable file so that it consumes more resources, and as an effect more energy, than the normal one.

All the researchers agree that the most important part of eDoS is to not allow the target machine to get into energy-saving sleep mode. Battery-saving software watches the behaviour of the system and, when it decides that it is appropriate, puts the system into an energy-saving mode that prolongs the battery's lifetime. In order to achieve this in a Denial of Service scenario, the attacker has to force the target computer to be active continuously. This can be done either by requesting communication constantly with this machine or by forcing it to execute some really energy-consuming application. In wireless devices, this can be achieved by constantly sending legitimate requests to other nodes, such as requests to initiate a connection.
Wireless connection cards have a significant energy consumption which, together with the use of the hard disc and of the display, can lead to battery exhaustion quickly. [JA99], [MHHK04], [WA07]

Finally, concerning mobile communications using GSM networks, it has been proposed that Denial of Service attacks can target the time slots assigned to each GSM base station, with every station being able to provide service in a restricted area of the radio spectrum. The idea behind the attack is almost the same as a SYN/ACK flood attack. Malicious mobile phones can request channels for communication and, after the allocation of the channel, not perform any operation; they can simply keep the channel allocated to them until the base station decides that the communication process will not be completed. This action will have the effect of tying up several time slots and, hence, legitimate users will not be able to receive service from the base station, as there will be no free channels. This attack can be performed due to the protocol that GSM communications use. The vulnerability of this protocol is that the allocation of a channel to a mobile station precedes the authentication of the user [BC04].

An attack against GSM networks was also proposed and analysed by William Enck, Patrick Traynor, Patrick McDaniel and Thomas La Porta of The Pennsylvania State University. According to their research, a GSM network can be saturated by sending SMS messages via an internet-connected computer to the mobile phone users of a certain company in a certain area. According to their analysis, an internet connection with upload bandwidth of approximately 3Mbps, which is common nowadays, can suffice to saturate a mobile network as large as Washington D.C.'s. [ETMP05]

2.5 Cost on businesses

The main reason that Denial of Service attacks evolve continuously is that they seem to have a great impact on organisations.
It was reported that they were the second most costly type of network security incident. Moreover, in 2001, 40% of companies with an internet presence had been the victims of DoS attacks, at a cost of hundreds of millions of dollars [NewM02], [CISCO05]. These facts raise the issue that the costs to an attacked organisation are not limited to the profit from transactions lost during an attack. Examining the cost of a DoS attack to an organisation more broadly, we observe that other important financial or intangible damage is also caused.

Taking into account only the loss caused by the interruption of sales or the decrease in productivity inside an organisation during an attack, we observe that it is a substantial amount. It was calculated that a company with annual revenues of $100,000 loses $ every day that it is under attack. This amount reaches greater values for larger companies. For example, an organisation with an annual revenue of $1,000,000 loses almost $2,750 every day. [GIGE]

Moreover, the collateral financial issues that an organisation has to confront during and after a DoS attack might be greater than the simple loss of transactions and the cost of the refunds that have to be paid to unsatisfied customers for the period during which its service is unavailable. First of all, the internet economy is based on online collaboration, and the company attacked can also be found liable for the losses of other organisations. Moreover, the company's expenses rise, as the procedure of bringing the service back online can be costly and time-consuming, since some aspects of the system have to be reconfigured. Also, productivity is reduced during the recovery phase, as the employees either cannot work without the service or spend their time on the effort to recover the system. In addition, the organisation has to search for the attackers by examining its log files and by contacting its ISP and the police. Litigation costs are also a serious expense. Finally, it has to secure its infrastructure against future denial of service attacks. To summarise, it was reported that an online company loses $100,000 every day while under attack, with a total cost of over $1,000,000, counting the lost revenue and the recovery costs. [AusC00], [TISN06].

Even if a company is not the target of a Denial of Service attack, it still needs to spend money in order to avoid being in this situation. First of all, due to the rising number of DoS cases and the greater dependency on the internet, it has to protect its infrastructure by investing in a DoS attack detection and mitigation package and, sometimes, in specially trained personnel. These defensive products usually cost thousands of pounds.
[MA02]

Another unexpected cost appears when a company is the victim of extortion, which is one of the main reasons for performing a Denial of Service attack. A criminal, using the threat of launching a DoS attack, can ask a company for large amounts of money in order not to attack its servers and also to protect it from other criminals. This threat is well known and usual for some businesses. Small and medium businesses in particular often become victims of extortion, as they are more vulnerable. For example, during 2004 the majority of betting websites in the UK were extorted. With the European Football Cup approaching, some attackers sent mails to betting companies asking for money in return for not launching an attack against their websites. Clearly, having your betting site not functioning during this period would lead potential clients to bet on other websites and, hence, to a great loss of money. At the moment it is the betting and gaming companies that are suffering most, as, due to the large number of options offered, a user can easily switch to another provider [Gua04].

Targeted businesses have two options when facing this threat: either to pay the attackers or to secure their systems against DoS attacks. It is a fact that dealing with these criminals does not solve the company's problem, as they will probably return with a new extortion demand. 50% of the UK businesses that were attacked from 2002 to 2004 reported having received more than one attack. On the other hand, securing your business's infrastructure can be really costly. An online betting company that decided to further secure its website in order to defend against the attack reported having spent $100,000 on infrastructure and contracts with security providers. [AusC00]

Denial of Service attacks do not only produce direct and collateral financial losses for the targeted businesses.
They also have effects that can cause future and sometimes greater damage to organisations and to the internet in general. A DoS attack against a public service, for example against the NHS network, can cause uncontrollable situations in English hospitals and, in extreme situations, even put people's lives in danger. Moreover, the whole internet infrastructure seems to be in danger. Massive DDoS attacks have been launched against several DNS servers around the world. The biggest attack on internet infrastructure occurred in October 2002, when all thirteen top-level DNS servers were targeted by a DDoS attack, and in a more recent attack, on 6 February 2007, 6 root servers were affected. [CW06], [ICANN07]. Causing a DNS server to crash, or slowing it down, has a major impact on the internet, as all the websites whose domain names are held on the attacked server become inaccessible. Another way of attacking the internet as a whole is to try to disable one of the internet's backbone routers or transoceanic lines. Both are essential for the internet and disabling them can have a serious impact on communications. [Man01].

In the case of businesses, an attack interrupting their service can also seriously damage their reputation and decrease the confidence of their workers and their customers [TISN06], [AusC00]. To be more specific, due to the large number of options and the insecurity that some users feel while transacting on the internet, a DoS attack can cause a company to lose some of its customers. When users, even the most faithful ones, try to access a service and it is unavailable, they search for alternative companies offering this service. A customer, either because he found a better website or because he lost faith in the security and the quality of service that his favourite site offers, will easily switch and start using another company's services [AG05].

2.6 Definition

A Denial of Service attack is a cybercrime which aims to prevent an online resource's legitimate users from accessing it. The attacker, using one machine, or several compromised machines in a Distributed Denial of Service attack, targets the service's infrastructure by exploiting vulnerabilities of the internet protocols or applications or by exhausting its resources. The effect of the attack is either that a point of the infrastructure becomes unusable or that the service is slowed down to such an extent that normal communications cannot be performed.

3. Legislation

Bearing in mind that Denial of Service attacks are not just a hackers' game but a computer crime involving great risks, I am going to examine the relevant legislation of the UK and present the cases that have come to court concerning this cybercrime. Then I am going to present the relevant legislation of the EU, the USA, Australia, New Zealand and South Africa. It is important to also examine foreign legislation, as DoS, like every cybercrime, has an international aspect. Moreover, these countries seem to be the most advanced on these issues and to have developed their laws accordingly. For example, a large number of worms have been written and disseminated in Australia and the legislature has taken the expected measures to confront this fact. [GS98].
3.1 England and Wales Law

3.1.1 Statutes

In the UK, the piece of legislation related to computer crimes is the Computer Misuse Act 1990 (CMA) [Appendix 1a]. The relevant article for Denial of Service attacks is article 3 about the unauthorised modification of computer material. According to article 3.1(a), "A person is guilty of an offence if he does any act which causes an unauthorised modification of the contents of any computer." Moreover, article 3.2 defines as unauthorised modification of data the act intending "(a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; or (c) to impair the operation of any such program or the reliability of any such data." In addition, in the case of a Distributed Denial of Service attack, when, as we have mentioned, the attacker controls several compromised zombie machines, article 1 is also relevant. As we examined in section 2.2.3, a Distributed Denial of Service attack includes a preparation phase. In this stage, the attacker tries to compromise some network connected computers in order to use them in her attack. Performing this action can render the attacker liable under some offences of article 3.1 which states that: "A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case." Even though the CMA seems to be adequate for dealing with the majority of computer related crimes, despite being adopted in 1990 when many cybercrimes had not yet appeared, a great debate arose regarding the capability of the CMA to deal with all the types of Denial of Service attacks. In April 2005, Derek Wyatt MP, chairman of the All Party Parliamentary Internet Group (APIG), asked Parliament to create a specific offence for DoS attacks [OL05b]. The main concern about the capability of the CMA to deal with DoS attacks was based on its wording referring to "unauthorised access" and "unauthorised modification". It was suggested that this is a "grey zone" [TE05] of the legislation, as a web server is intended to receive requests. There is no question that a request to a server constitutes access to the server, or triggers a modification of its memory, but there is a debate about whether sending a vast number of packets is authorised or not. As a result, the flooding of a server could be considered as not being an offence. Following the APIG report [APIG05] the CMA was amended by the Police and Justice Act 2006 (PJA) [Appendix 1b]. To become more specific, in Part 5, section 36 of the Police and Justice Act 2006, it is stated that "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc." are considered an offence. In particular, subsection 2 introduces the criminalisation of the acts "(a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; (c) to impair the operation of any such program or the reliability of any such data; or (d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done." This section was specifically inserted in the Police and Justice Act 2006 in order to clarify the ambiguities and criminalise every type of Denial of Service attack. The PJA has not yet come into force; this is expected to happen by April of Apart from the Computer Misuse Act 1990 and its amendment through the Police and Justice Act 2006, there are also other Acts that can be found relevant to Denial of Service cases.
Firstly, the Malicious Communications Act 1988 [Appendix 1c] could be used to bring proceedings if the DoS attack consisted of e-mails that are indecent, grossly offensive, a threat or information which is false or believed to be false by the sender, according to Section 1, article 1, paragraph a. In a similar situation, the Protection of Harassment Act 1997 [Appendix 1d] could be used. According to the first article of the Act: "1. (1) A person must not pursue a course of conduct (a) which amounts to harassment of another, and (b) which he knows or ought to know amounts to harassment of the other." A person sending e-mails causing a Denial of Service and having harassing content could be charged under this Act. Moreover, according to the Communications Act 2003 [Appendix 1e], section 127, article 2(c), "A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he persistently makes use of a public electronic communications network." This section can be used in bringing proceedings for a Denial of Service attack, as the attacker uses the public electronic communications network, with the Internet based on it, in order to cause annoyance, inconvenience or needless anxiety to the owner of the service. Finally, in the case of a Denial of Service attack against a wireless network, the Wireless Telegraphy Act 1949 [Appendix 1f] is relevant. Section 13, about deliberate interference, states that: "(1) Any person who uses any apparatus for the purpose of interfering with any wireless telegraphy shall be guilty of an offence under this Act. (2) This section shall apply whether or not the apparatus in question is wireless telegraphy apparatus or apparatus to which any of the preceding provisions of this Part of this Act apply, and whether or not any notice under section eleven or section twelve of this Act has been given with respect to the apparatus, or, if given, has been varied or revoked."
[RC06]

3.1.2 Case Law

The first Denial of Service case brought before the courts of England and Wales was the case of David Lennon (Director of Public Prosecutions v David Lennon [2006] EWHC 1201 (Admin)). Mr. Lennon, a former employee of a company called Domestic and General Group Plc., used the e-mail bombing application Avalanche in order to overwhelm the company's mail server and disrupt its operation. When the case was first brought before the Youth Court in Wimbledon, as the defendant was seventeen at the time, the Judge ruled that there was no case. The offence was based on section 3 of the CMA about causing unauthorised modification of the mail server's data. It is clear that every e-mail that was sent by Mr. Lennon caused a modification to the server. The question was whether this modification was authorised or not. The defence was based on the fact that a mail server's purpose is to receive e-mails. As a result, the defendant claimed to have the consent of the server's owner, Domestic and General Group Plc. The Judge dismissed the case, holding that sending this vast amount of e-mails produces an unwelcome rather than an unauthorised modification. Moreover, he held that section 3 aims to criminalise viruses and malware in general, not normal e-mails [KC06]. As this decision to dismiss the case seemed to leave a gap in the legislation for other Denial of Service attacks to be launched legally, the Director of Public Prosecutions appealed to the Divisional Court. Mr Justice Jack proposed that the appeal should be allowed. He focused on the word "unauthorised" in section 3. He argued that the e-mails sent by Mr. Lennon should not be considered on an individual basis but as a whole. Moreover, referring to article 17, subsection 8b, he continued that in order for the action to be authorised, the sender of the e-mails needs to have the consent of the system's owner. Despite the fact that an e-mail server is configured to receive e-mails, he suggested that there is no consent to receiving annoying e-mails. Mr Justice Jack illustrated this thought by saying that a mail box is placed to collect mail but its owner has by no means given his consent to have his mail box filled with rubbish. Lord Justice Keene agreed and the appeal was allowed. Another case that involved Denial of Service attacks was the case of R v Caffrey. Mr. Aaron Caffrey was accused of flooding the server of the port of Houston, Texas in the U.S.A. in September of The case was decided in Southwark Crown Court and the jury decided that Mr. Caffrey was not guilty under the Computer Misuse Act. This decision was based on the fact that the defendant claimed that a hacker had installed a trojan horse on his computer and that he, the hacker, actually launched the attack and not the defendant. He also argued that the police were not able to find a trojan horse on his computer as they could not have examined every file on his disc. Using this "Trojan horse defence", or "alien invaders defence", he was found not guilty.
[RA03], [BBC03], [MJLT06] Finally, in January 2005 a man was brought before Elgin's Sheriff Court in Scotland for extorting companies in the U.S.A. and Scotland under the threat of launching Denial of Service attacks against them. Mr. Matthew Anderson was accused under the Computer Misuse Act and, after he made no plea, Sheriff Ian Cameron continued the case for further investigation [DR05], [JL05], [OL05].

3.2 Other countries' legislation

Bearing in mind the international aspect of cybercrime, I am going to present the relevant legislation of several other countries and unions. It is important to also examine these laws as the battle against cybercrime is often an international issue. The main obstacle, apart from international cooperation, is the different approach that different legislatures adopt against cybercrime.

3.2.1 The European Union

The European Union, as a major IT industrial player and as one of the biggest markets of the world, also tries to combat cybercrime. The main effort is made by giving directions to the member states about the relevant legislation they should adopt and also by providing a framework for cooperation between them. Each member state has its own laws against cybercrime but all have to comply with certain directions given by the European Council. The first relevant framework was actually a Proposal for a Council Framework Decision on attacks against information systems presented by the European Commission in According to article 4 of this proposal, "Illegal interference of Information Systems": "This offence covers the intentional conduct, without right, of one of the following actions: (a) the serious hindering or interruption, without right, of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
The elements of inputting or transmitting computer data specifically address the problem of so-called "denial of service attacks" where there is a deliberate attempt to overwhelm an information system. The offence also covers the "interruption" of the functioning of an information system, which could be inferred from the phrase "hindering" but is included here explicitly for the sake of clarity." We observe that the proposal clearly addresses the issue of Denial of Service attacks [EurLEX02]. The actual Council Framework Decision is decision number 2005/222/JHA of 24 February 2005 on attacks against information systems [Appendix 2a]. The relevant article is Article 3 about Illegal System Interference, stating that: "Each Member State shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor." This Article definitely addresses the issue of Denial of Service attacks and asks the Member States to criminalise them. Moreover, the Convention on Cybercrime [Appendix 2b], approved on 17 November 2003 by Council Decision 2003/840/EC and having as its purpose, according to its preamble, "to develop a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation", deals with Denial of Service attacks. Article 5, about System Interference, requires that "Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data".

3.2.2 The United States of America

In the United States of America, the legislation that traditionally copes with computer crimes is 18 U.S.C. about Fraud and Related Activity in Connection with Computers [Appendix 2c], or the Computer Fraud and Abuse Act of Article 5 of this legislation refers to "causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer".
The term "protected computer" means, according to the Act: "(2) (B) which is used in interstate or foreign commerce or communications, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;" This part is important as it also includes web servers and every computer connected to the internet [JP]. A man who created botnets and sold them to other hackers in order to launch DDoS attacks was sentenced under this Act [U.S. v. Ancheta (C.D. Cal.) May 8, 2006] [USDoJ06]. Moreover, the USA Patriot Act 2001 [Appendix 2d] also contains some sections that mainly facilitate the prosecution of hackers and DoS attackers. The first is section 202, which facilitates Internet Service Providers in receiving help from the U.S. government. The second relevant section is section 814, which increases the penalty for computer crimes, defines as protected computers computers that are outside the U.S.A. and, mainly, states that hacking and unauthorised transmissions can be prosecuted under the Computer Fraud and Abuse Act of 1996 if a "related course of conduct" causes $5,000 in loss [PHC01].

3.2.3 Australia, New Zealand and South Africa

In Australia, the relevant legislation is the Cybercrime Act 2001 [Appendix 2e]. It was drafted in order to criminalise all the types of cybercrime, including DoS attacks. Moreover, the aim of the Australian government was that the legislation be consistent with the European Convention on Cybercrime [PF]. The Division of the Act that makes Denial of Service attacks an offence is Division 477, which considers as an offence "(iii) any unauthorised impairment of electronic communication to or from a computer".
Moreover, according to Division 476, the definition of impairment of electronic communication to or from a computer includes: "(a) the prevention of any such communication; or (b) the impairment of any such communication on an electronic link or network used by the computer;" New Zealand has also criminalised Denial of Service attacks in its Crimes Act of 1961 [Appendix 2f]. To be more specific, in Part 10, Crimes against rights of property, Section 250, paragraph 2(c)(i) mentions "causes any computer system to deny service to any authorised users". A computer system is defined in Section 248 as: "(i) a computer; or (ii) 2 or more interconnected computers; or (iii) any communication links between computers or to remote terminals or another device; or (iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and (b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data." Finally, in South Africa, Denial of Service attacks are also clearly criminalised. In the Electronic Communications and Transactions Act of 2002 [Appendix 2g], Chapter 13 (Cybercrime), section 86, paragraph 5 lists as an offender: "A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users."

4. Discussion

4.1 Introduction

Having examined the technical background of Denial of Service attacks and the relevant legislation, I am going to combine this knowledge in order to make a critical review of the current legislation from a computer scientist's point of view. I will focus on English Law and especially on the Computer Misuse Act as amended by the Police and Justice Act. To become more specific, firstly I am going to examine whether the current legislation covers all the possible ways of performing an attack, both older and state of the art. The idea is to examine whether some DoS attacks can be launched legally and, if this indeed happens, which part of the legislation can be taken advantage of. This is a novel study as there is no relevant publication in the bibliography that examines the possible ways of performing a DoS attack in comparison with the relevant UK legislation, especially after the amendment of the CMA, from a computer scientist's point of view.
I am going to show that the CMA's amendment through the Police and Justice Act covers all the possible ways of launching a DoS attack and that, at the moment, there are no legitimate ways of performing this cybercrime. This was one of the aims of drafting the Computer Misuse section, articles 35 to 37, of the Police and Justice Act. According to note 301 of the explanatory notes on the Police and Justice Act, "This amendment is designed to ensure that adequate provision is made to criminalise all forms of denial of service attacks in which the attacker denies the victim(s) access to a particular resource, typically by preventing legitimate users of a service accessing that service, for example by overloading an Internet Service Provider of a website with actions, such as e-mails." Next, I am going to present a scenario showing that the new legislation can prove too strict and cause unwelcome issues. I am going to show that, in some cases, the ability of network administrators and security consultants to test and improve computer networks regarding their resilience against Denial of Service attacks can be restricted by section 3A of the CMA, introduced by the Police and Justice Act. This is also novel research as, despite the debate about this issue, there is no relevant study in the bibliography.

4.2 DoS attacks and legislation

4.2.1 Logic attacks and Legislation

As we examined in chapter 2.2.1, a logic attack tries to exploit the vulnerabilities of the operating system of a server or of its applications, or tries to alter its configuration. Moreover, a logic attack can exploit some characteristics of the network protocols. Concerning the first type of logic attacks, those that target software vulnerabilities, they are completely covered by article 3 of the Computer Misuse Act. To analyse this further, in an attack of this type subsection 3(1)(a) is satisfied.
This is beyond doubt, as an attacker is neither "entitled to control access of the kind in question to the program or data" nor does he "have consent to access by him of the kind in question to the program or data from any person who is so entitled", because the attacker does not own the targeted system and the owner of a server does not consent to his system being attacked by buffer overflows, algorithmic attacks or vulnerability exploitation. As a result, according to 17(8) of the CMA, the act is unauthorised. In addition, subsection 3(1)(b) is satisfied as the attacker knows that this act is unauthorised. Moreover, 3(1)(c) is satisfied through the satisfaction of 3(2)(a) about impairing the operation of a computer. Altering the configuration of a server, changing its routing table for example in order to deny service to its users, is also an offence under the revised CMA. Section 1, about unauthorised access to computer material, completely covers this type of attack. Section 1(a) is satisfied as, according to 17(2)(a), a hacker that alters the configuration of a server secures access to data, and more specifically to the routing table. Sections 1(b) and 1(c) are satisfied as above, with the same reasoning used for 3(1)(b) and 3(1)(c) respectively. The third category of logic attacks is the one including the attacks that exploit a protocol's vulnerabilities in order to impair the operation of a server. The amended CMA criminalises these attacks too, in section 3. The main debate is whether these attacks constitute an unauthorised act, as they use IP packets that the protocol seems to allow. Ping of death, for example, exploits the fact that some operating systems cannot handle packets larger than the normal size, and a Christmas tree attack uses IP packets that have all their flags set to 1 and require more processing time. The defence of these attacks is that they use packets allowed by the protocol and a server that works with TCP/IP should be configured to work with this protocol. As a result, sending these packets is not unauthorised.
In the case of the ping of death attack, the packets are larger than normal, but one could state that as he is allowed to create them and use them in the context of IP, it is normal traffic. The same idea can support the defence of Christmas tree packets. In order to show that these attacks are indeed unauthorised acts, I am going to examine section 17(5) of the CMA. According to this section, an act is unauthorised if the actor "(a) is not himself entitled to control access of the kind in question to the program or data and (b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled". It is definite that the attacker will not be entitled to control access to the server, so paragraph (a) is satisfied. The ambiguity is in paragraph (b), as one could say that as long as the company has its server connected to the internet, it is expected to receive IP packets of all kinds and, hence, the attacker has consent to send these altered IP packets. The answer is provided by the case of David Lennon. The rationale can be almost the same. A web server's owner consents to his machine receiving IP packets but not packets that are intended to cause damage to his system. Considering this argument, we conclude that section 3(1)(a) is satisfied. Moreover, 3(1)(b) is satisfied and 3(1)(c) as well, through 3(2)(a).

4.2.2 Flooding attacks, DDoS and legislation

We saw that flooding attacks use brute force against a service's resources. They are based on generating a huge amount of traffic in order to consume the network's bandwidth or some of the server's resources. I am going to examine to what extent flooding attacks are covered by UK legislation. Their main difference from logic attacks is that they consist of normal IP packets and normal protocol requests or messages, while logic attacks use altered packets or programs targeting certain vulnerabilities.
As a result, the difficulty in criminalising flooding attacks is to distinguish them from normal traffic and draw a line between them. The main issue caused by this fact is whether section 3(1)(a) of the CMA is satisfied; that is, whether the act is unauthorised. The point raised is why sending an e-mail message, for example, is legal while sending a large number of e-mails, which results in a denial of service, is illegal. The defence can be based on the fact that in both cases we have the same act, the sending of e-mails, so what can distinguish the two cases? Moreover, if sending one e-mail is legal and many is illegal, what is the threshold that distinguishes the two categories? The answer to this ambiguity is given by the judgement of the appeal in the David Lennon case that I presented above. Mr. Lennon had bombarded his previous employer's server with e-mails using spoofed IP addresses, an action that resulted in a denial of service situation. The District Judge had decided that there was no case as, bearing in mind section 17(8) of the CMA, the act was not unauthorised, with the argument that an e-mail server is configured to receive e-mails. The clarification about the word "unauthorised" and its definition came from Lord Justice Keene and Mr. Justice Jack while deciding the appeal of this case. According to Lord Keene: "he [the server's owner] does not consent to receiving e-mails sent in a quantity and at a speed which are likely to overwhelm the server. Such consent is not to be implied from the fact that the server has an open as opposed to a restricted configuration." According to this decision, the existence of an e-mail server does not mean that its owner consents to receiving a vast amount of e-mails that are likely to impair its operation. This interpretation of section 17(8)(b) is very likely to be given in a similar case of flooding attacks. As a result, in a SYN/ACK attack or an ICMP attack, the act will be considered as unauthorised and, hence, section 3(1)(a) of the CMA will be satisfied. Section 3(1)(b) will also be satisfied, with the attacker knowing that his action is unauthorised, as well as section 3(1)(c) through section 3(2). As mentioned in chapter 2.2.3, Distributed Denial of Service attacks are flooding attacks performed by several internet connected machines. They are a way of launching flooding attacks and, consequently, can be prosecuted under section 3 of the CMA as discussed above. The fact that differentiates DDoS from a simple flooding attack, apart from being more popular and effective, is that the hacker has to compromise several computers in order to launch the distributed attack. This is achieved either by installing certain programs on vulnerable machines in order to compromise them or by purchasing, rather than creating, an army of already compromised computers. These two alternatives, being essential for a distributed attack, are also covered by the amended CMA.
In order to launch a DDoS attack, the hacker needs many compromised computers, in order to coordinate them and create the distributed attack. We saw in that he has to install a program on these computers, for example a worm, in order to control them and direct them to attack. This action constitutes an offence in itself, even without launching the actual attack. Under section 1 of the CMA, "1. (1) A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case". The recruitment of zombie agents is an offence as the attacker causes the targeted computers to execute the worm file in order to gain access to them. Moreover, this act is unauthorised as the attacker is not the owner of these machines and certainly does not have consent to install malware on them. Finally, it is also certain that he already knows that this action is unauthorised. In addition, section 2 of the CMA, about unauthorised access with intent to commit or facilitate commission of further offences, is also relevant. According to this section, a person is guilty of an offence under this section if he commits an offence under section 1 with intent "a) to commit an offence to which this section applies; or b) to facilitate the commission of such an offence (whether by himself or by another person); and the offence he intends to commit or facilitate is referred to below in this section as the further offence". Section 2.2.a states that this section applies to offences for which the sentence is fixed by law. In our case, the hacker attacks the vulnerable computers in order to use them to launch a flooding Denial of Service attack.
As I previously examined, this type of attack is an offence under section 3 of the CMA and, furthermore, section 3.6 of the amended CMA fixes the sentence for this crime. As a result, the act of accessing these computers is done with the intention to commit an offence for which a sentence is fixed by law and, hence, section 2 is also relevant for criminalising DDoS attacks. The issue that arises is whether the owners of the compromised machines are liable for a distributed attack or not. There is a strong debate about whether a user who, through recklessness, has not secured his computer properly and participates in a DDoS attack should also be liable for this attack. The case law shows that a person whose computer is compromised should not be liable. This argument is based on the R v Caffrey decision. Mr Caffrey was found not guilty of the DoS attack against the port of Houston because he claimed that he was unaware of the act and that his computer was commanded by a trojan horse, which was not even found on his machine during the forensic investigation. This decision was made in 2001, before the amendment of the CMA. For this reason, I am going to examine this issue under the amended CMA and especially bearing in mind article 3. Section of the act is satisfied in the case I am examining as the negligent user does an unauthorised act in relation to a computer. The act is that his computer sends packets to another computer in order to flood it and impair its operation. Moreover, at the time of doing the act the person knows that it is unauthorised. It is logical to believe that even a novice computer user knows that sending a massive amount of packets to a network will overload it. The important fact is that he does not actually know that he is performing this act. In addition, section 3.1.c is satisfied by the satisfaction of section 3.3. The person is indeed reckless, not directly about the act, as he is unaware of it, but indirectly, because he left his system unsecured and gave the attacker the possibility to use it in an attack. We see that a person whose computer is used in a DDoS attack because of his recklessness could be found liable under the revised CMA. To examine this further, in a situation like this there is the actus reus, as the computer indeed participates in the distributed attack, but there is the question of whether there is also the mens rea. It is a fact that this user does not intend to participate in the attack and that he was reckless by leaving his machine unsecured so that it could be used in a DDoS attack, but the issue is more profound and complicated. The world of the internet is not completely regulated and there are no standards for every activity. A novice user might have installed a security package that by accident is not updated. Moreover, it is not the case that all security applications successfully confront all worms and viruses.
As a result, it is rather impossible to ask every user to be aware of all the possible risks and it is really difficult to draw a line between negligent and non-negligent users concerning the security level of their machines. A parallel to this situation could be a person who drives a really old car that has not been regularly serviced and, because of the bad condition of the car, loses control of it and injures another person. In this example, however, there are certain regulations and standards showing whether the owner of the car is negligent about his car's condition. The police can examine, for example, whether the car has a service history or whether it has passed an MOT test. In the DDoS situation, there are no standards that can differentiate a well secured computer from a negligently vulnerable one. This parallel makes us conclude that it is impossible to predefine whether a computer user is negligent regarding his machine's security and, hence, it is really hard to say whether the owner of a zombie computer is liable for a DDoS attack or not before a case about this issue comes to the Courts. At present, a solution is given by some ISPs and web hosting companies. Their terms and conditions mention the issue of a DoS attack using their infrastructure or targeting their clients. The solution that they provide is self-regulating: they state that their administrators have the right to delete any account found participating in an attack [ghtac], [CBSTaC]. In recent years it has been a common practice for hackers to compromise machines, create botnets and sell them to other hackers. This seems to be a profitable business for the creators of these zombie agent groups and also facilitates the work of other hackers that want to use them for a particular purpose, such as a DDoS attack. The Police and Justice Act succeeds in criminalising both the creator and the buyer of a botnet.
The new section 3A of the CMA, "Making, supplying or obtaining articles for use in offence under section 1 or 3", creates an offence covering this situation. To be more specific, a hacker who creates a botnet and tries to sell it to other hackers can be prosecuted under 3A(1) and 3A(2). The detail that strengthens the power of the prosecutor and excludes possible defences about not intending to use the botnet for a crime is the phrase "it is likely to be used" in section 3A(2). In addition, the creator of a botnet intended to participate in a DDoS attack can also be found liable in the future under the Serious Crime Bill, which is not yet enacted. According to section 42 of the Serious Crime Bill: "A person commits an offence if (a) he does an act capable of encouraging or assisting the commission of an offence; and (b) he intends to encourage or assist its commission." Examining this hacking tools commerce from the side of the buyer, we can see that the hacker who obtains a group of compromised machines in order to launch a DDoS attack can be prosecuted under section 3A(3) of the amended CMA.

4.3 Latest DoS attacks and legislation

In this section I am going to examine whether the relevant legislation covers the most recent attacks. It is essential that the current attacks, as well as the predictable future ones, are also criminalised under the revised CMA. Technology and cybercrime trends move very fast and it is vital that the amended legislation copes well with the evolved forms of cybercrime.

4.3.1 Sophisticated Attacks and Legislation

In the second chapter I presented two types of DDoS attack that are recent trends and constitute an evolution of the typical attacks. The first is the use of P2P networks in order to launch a distributed attack against a server and the second is the use of recursive DNS servers to amplify the effects of a DDoS attack. As we saw, the basic advantage of the P2P-based attack is that the hacker uses an already existing network in order to launch her attack. She simply has to direct any queries to the targeted server. As a result, a big number of users will try to access the particular server in order to download the desired file. This attack is really clever as it uses an already existing network that, being decentralised, makes it difficult for the attacker to be detected. This type of attack can be prosecuted under the CMA, both under section 3 and section 3A. Considering section 3(1)(a), we observe that in the first place the attacker does nothing directly to the targeted computer. She does not communicate with it and the only thing that she has to know is its IP address, which can be learned otherwise. Thus, there is a question of whether 3(1)(a) is satisfied, but according to 3(5)(a): "a reference to doing an act includes a reference to causing an act to be done". The attacker actually causes an act to be done as she directs all the queries to the targeted server. It is clear that this act is not authorised and that the attacker has to know it; hence sections 3(1)(a) and 3(1)(b) are satisfied.
Section 3(1)(c) is satisfied by satisfying section 3(2), as the aim of the attacker is to impair the operation of a particular machine. Moreover, even though this attack uses an existing network, it can be an offence under 3A too. According to 3A(1): "A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3." The important wording in this case is the verb "adapts". The P2P network exists, but the attacker alters its structure by depicting that a certain resource exists on a particular computer when this is untrue. This adaptation of the network happens in order to commit the crime of impairing the operation of a computer and, hence, section 3A is satisfied. The second sophisticated attack that I examined earlier is a DDoS attack using DNS servers. This attack is based on the fact that DNS servers have to respond to every query they receive and that the response packet is bigger than the query packet. The attacker spoofs the IP address of the victim computer and sends a large number of DNS queries. As a result, the DNS servers respond to all the queries and overwhelm the victim's server. This attack is sophisticated from the technical viewpoint, as it is difficult to defend against: it involves the DNS servers that are essential for the internet and cannot be shut down in order to stop the attack. From the legal viewpoint, however, it is definitely an offence under section 3 of the CMA. The analysis is the same as that which made the P2P networks attack an offence under section 3. The hacker does not direct the attack at the victim server, but she causes an act to be done by spoofing the server's IP address and forcing the DNS servers to flood its network with response packets.
As a result, the act is unauthorised and the intention of denying service to the server's legitimate users is covered by section 3(2).

4.3.2 Attacks against wireless networks and Legislation

In this section I am going to examine whether the attacks on wireless networks that I described earlier are an offence under UK law. It is important that the legislation copes well with these attacks too, because we are moving towards a ubiquitous information society using wireless networks and it is highly possible that cybercrime will target wireless networks in the near future.
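The DNS amplification attack analysed in the subsection above leaves a recognisable trace from the victim's side: answers from resolvers arrive that no host inside the network ever queried, and each answer is many times the size of a query. The following Python script is an added illustration by the editor and is not code from the dissertation; the flow records, the IP addresses (taken from documentation ranges) and the threshold of two answers per reflector are constructed assumptions.

```python
"""Spotting DNS reflection/amplification traffic from the victim's side.

Added example (not from the dissertation). The flow records, addresses
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    """One UDP flow summary as a border sensor might export it."""
    src: str        # source IP address
    sport: int      # source UDP port
    dst: str        # destination IP address
    dport: int      # destination UDP port
    nbytes: int     # bytes carried by the flow
    query: bool     # True for a DNS query, False for a DNS response


# Constructed sample. 10.0.0.5 and 10.0.0.6 are internal hosts. Each sent
# one genuine query to the resolver 192.0.2.1 and received a normal answer.
# 198.51.100.7 and 198.51.100.8 are open resolvers answering queries that
# carried 10.0.0.5 as a spoofed source; 203.0.113.9 sends one stray answer
# that stays below the alert threshold.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 40001, "192.0.2.1", DNS_PORT, 64, True),
    Flow("192.0.2.1", DNS_PORT, "10.0.0.5", 40001, 120, False),
    Flow("10.0.0.6", 40002, "192.0.2.1", DNS_PORT, 70, True),
    Flow("192.0.2.1", DNS_PORT, "10.0.0.6", 40002, 130, False),
    Flow("198.51.100.7", DNS_PORT, "10.0.0.5", 53, 3200, False),
    Flow("198.51.100.7", DNS_PORT, "10.0.0.5", 53, 3100, False),
    Flow("198.51.100.7", DNS_PORT, "10.0.0.5", 1024, 3300, False),
    Flow("198.51.100.8", DNS_PORT, "10.0.0.5", 53, 2900, False),
    Flow("198.51.100.8", DNS_PORT, "10.0.0.5", 53, 3000, False),
    Flow("203.0.113.9", DNS_PORT, "10.0.0.5", 53, 500, False),
]


def queries_seen(flows: List[Flow]) -> Set[Tuple[str, int, str]]:
    """(client, client port, server) for every outbound query in the window."""
    return {(f.src, f.sport, f.dst) for f in flows if f.query and f.dport == DNS_PORT}


def unsolicited_responses(flows: List[Flow]) -> List[Flow]:
    """DNS responses for which no matching query left the network.

    A genuine answer comes back to the exact source port the client used.
    A reflected answer is addressed to a spoofed victim that never asked,
    so no (client, port, server) tuple matches it.
    """
    seen = queries_seen(flows)
    return [
        f for f in flows
        if not f.query and f.sport == DNS_PORT
        and (f.dst, f.dport, f.src) not in seen
    ]


def reflectors_by_victim(flows: List[Flow], min_responses: int = 2
                         ) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Group unsolicited answers as {victim: {reflector: (count, bytes)}}.

    Only reflectors that sent at least min_responses unsolicited answers to
    a victim are reported, so a lone stray packet does not raise an alert.
    """
    tally: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in unsolicited_responses(flows):
        entry = tally[f.dst][f.src]
        entry[0] += 1
        entry[1] += f.nbytes
    report: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for victim, reflectors in tally.items():
        kept = {r: (c[0], c[1]) for r, c in reflectors.items() if c[0] >= min_responses}
        if kept:
            report[victim] = kept
    return report


def average_response_size(flows: List[Flow], server: str) -> float:
    """Mean size of the DNS answers a given server sent into the network.

    Normal answers are at most a few hundred bytes; answers many times the
    size of a query are the amplification signature the text describes.
    """
    sizes = [f.nbytes for f in flows if not f.query and f.src == server and f.sport == DNS_PORT]
    return sum(sizes) / len(sizes) if sizes else 0.0


if __name__ == "__main__":
    for victim, reflectors in reflectors_by_victim(SAMPLE_FLOWS).items():
        for reflector, (count, nbytes) in reflectors.items():
            print(f"{victim} received {count} unsolicited answers ({nbytes} bytes, "
                  f"avg {average_response_size(SAMPLE_FLOWS, reflector):.0f} B) from {reflector}")
```

Run as a script it prints one line per reflector that exceeds the threshold. In practice the records would come from the border router's flow export, and the matching of answers to queries should be done per time window so that late but legitimate answers are not miscounted; the reflectors identified this way are third-party resolvers, which is why the text notes that the attack cannot be stopped by shutting the DNS servers down.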

The first attack that I analysed is the one that uses a very strong signal in order to disrupt the communications in a wireless network. This attack does not target a particular machine but the entire network that operates in the area of the antenna used by the attacker. Moreover, the frequency of 2.4 GHz that wireless LANs use is a public frequency [BM07] called the ISM (Industrial, Scientific and Medical) band. These two facts can lead one to think that this attack can be considered legal, with the attacker not actually targeting a specific machine and just producing a signal in an unregulated public frequency. The relevant legislation in this case is not the Computer Misuse Act 1990 but the Wireless Telegraphy Act 1949. According to section 13 of the Act, about deliberate interference, "any person who uses any apparatus for the purpose of interfering with any wireless telegraphy shall be guilty of an offence under this Act". Producing a high power signal in order to interfere with the normal traffic of a wireless network clearly falls within this section. Moreover, despite the fact that this area is Licence Excluded (LE) by Ofcom, meaning that one does not need a licence in order to operate a wireless station in this area of the spectrum, it is regulated regarding the power of the signal that one can transmit [Ofcom06]. Bearing in mind this recommendation by Ofcom, we can expect that this attack is also criminalised under section 3 of the revised CMA. Section 3(1)(a) speaks of "any unauthorised act in relation to a computer". The act is unauthorised, as the regulatory authority for the spectrum does not allow the transmission of high power signals in this band. Moreover, the act is not directed at a specific computer, but section 3(4) clarifies that it does not have to be directed at a particular computer, program or data.
In addition, it is clear that the attacker knows that his action is unauthorised and that his intention is to impair the operation of the wireless network. As a result, this attack is an offence under the CMA as well. The second attack that I analysed in this section is the attack against the MAC layer of a wireless network, taking advantage of the CSMA/CA protocol and keeping the channel busy continuously. This attack is similar to the SYN/ACK attack and is covered by section 3 of the CMA as well. The question could again be about section 3(1)(a) and why sending requests to use a wireless channel is an unauthorised act. As in the flooding attacks case, the decision in the Lennon case could be interpreted as follows: a network operator would not consent to a wireless device continuously requesting access to his network and doing nothing after the access is granted. As a result, we conclude that 3(1)(a) is satisfied, and 3(1)(b) as well. Section 3(1)(c) is also satisfied, as it is clear that the intention of the attacker is covered by 3(2). We also saw that another trend in Denial of Service attacks is the energy-based DoS attack. Its aim is to consume the most important resource of mobile devices, their battery lifetime. The attacks that I presented can be grouped into three categories: those that ask the targeted computer to provide an energy-consuming service, those that force the target to execute a demanding process, and those that use altered executable files aiming to consume the computer's battery. The first type of eDoS looks similar to a flooding attack. The targeted machine offers the particular, battery-draining, service and the attacker keeps requesting this service in order to consume the machine's battery. This attack is an offence under section 3 of the CMA. The debate about why this act is unauthorised, as the computer is configured to offer this service, has the same answer, based on the Lennon case.
The owner of the machine consents that his portable device is used to offer a service to legitimate users, but does not consent that it is used extensively and with the intention of having its battery drained. As a result, this act is unauthorised according to 17(8). Moreover, the attacker knows that this act is unauthorised and his intention is covered by 3(2)(a), as he wants to impair the operation of the targeted computer. The second type falls under exactly the same analysis. Forcing a computer to execute a particular application, such as not allowing it to get into sleep mode, constitutes an unauthorised act. Moreover, sections 3(1)(b) and 3(1)(c) are satisfied for the same reasons mentioned above for the first type of eDoS attack. The third type has to do equally with installing malware on a computer and denying service to this

computer's users. As a result, the attacker can be prosecuted both under section 1 and section 3 of the CMA. Executing a file on a computer without the permission of the owner is an offence under section 1. Section 1(1)(a) is satisfied through 17(2)(c) and 17(3)(a). Moreover, this action is unauthorised in our case and the attacker indeed knows that this is the case. Performing this act in order to make the targeted computer's battery drain is an offence under section 3 of the CMA, as analysed above for the other two types of eDoS. The last type of attack I described earlier is the attacks against GSM networks. Despite their differences from the other attacks against wireless networks, they can be treated in approximately the same way. The first difference is that these attacks take place in a specific radio spectrum band that is well regulated and licensed to mobile operators, while the previous attacks I examined occur in the ISM band, which is licence excluded. Moreover, they do not target a computer in the usual meaning of the word but a base station. These two different aspects can be easily mapped to the analysis I did for the other wireless attacks. The fact that they take place in the GSM band makes it easier to identify the owner of the radio channel and of the base station that is attacked. The fact that they do not target a computer but a base station does not make a difference either, as according to section 17(6) of the CMA: "References to any program or data held in a computer include references to any program or data held in any removable storage medium which is for the time being in the computer; and a computer is to be regarded as containing any program or data held in any such medium." It is clear from this section that a computer is not only a complete computer as we know it from everyday life but every device containing any program or data held in a storage medium.
A mobile operator's base station is certainly a computer under this section, as it keeps data and executes various programs. As a result, both GSM attacks, keeping the channel busy and sending a vast amount of SMS messages using computers, are offences following the analysis I used above. To be more specific, section 3(1)(a) is satisfied, as no mobile operator would consent to a base station being kept busy by counterfeit requests or by SMS messages aiming to disrupt its service. Moreover, 3(1)(b) is satisfied, as the attacker knows that her action is unauthorised, and 3(1)(c) is satisfied through section 3(2).

4.4 Outcome of the analysis

In this chapter I combined the technical analysis of Denial of Service attacks with the relevant legislation in the UK. I find this study important, especially after the amendment of the Computer Misuse Act, as there is no relevant complete study in the bibliography. My aim was to examine, from a computer scientist's point of view, whether there are any ways of performing a DoS attack legally. One of the purposes of the Police and Justice Act is to criminalise Denial of Service attacks, as there was a debate about the extent to which they were covered by the CMA. As a result, I examined the existing attacks, as well as the recent trends in attacking technology, in order to see whether they are covered by the existing UK legislation. The two major issues that arose concerned the use of the word "unauthorised" in the Police and Justice Act and the recent trends in DoS attacks. I found that all the types of attack are criminalised under UK statutes, bearing in mind also the important decision on the appeal in the case of Director of Public Prosecutions v David Lennon.
The outcome of this analysis is that there is no way of performing a DoS attack legally.

4.5 Scenario of criminalising legitimate tools

4.5.1 Introduction

In the previous sections of the discussion I tried to identify a way of performing a Denial of Service attack legally. My conclusion is that at the moment there is no DoS attack that could be launched legally under UK law. In this section I am going to present a quite plausible scenario that substantiates a question that has been brought forward in the House of Lords, in the House of Commons and by some network administrators too. The issue is whether section 3A of the amended Computer Misuse Act could also criminalise some useful and common practices used by network administrators and security experts.

The analysis I am going to perform is novel as, despite the concerns expressed, there is no relevant study of this issue in the bibliography, especially from a computer scientist's point of view. I am going to present a detailed scenario of an administrator who creates an application in order to test her network for vulnerabilities to Denial of Service attacks. Then, she shares this tool with other security experts by uploading it to a security forum. One of the functions of such tools is usually the actual launch of an attack in order to check the resistance of the network to DoS attacks. The next step of this scenario is a malicious user obtaining this tool by finding it in the forum and using it to launch a real DoS attack. I am going to present this scenario in detail, show why it is not rare and analyse it in combination with the current legislation in order to show that the Police and Justice Act can criminalise legitimate practices used by security experts. This issue was brought forward during the debate on the Police and Justice Bill in the House of Lords, in the House of Commons Standing Committee and by security experts. On 11 July 2006, during the debate on the Police and Justice Bill, the Earls of Northesk and Erroll commented on paragraph 35 of the Bill, stating that security experts create and use hacking tools that are likely to be used by criminals too. Lord Northesk stated, among other things: "Here, it is not a case of whether system administrators believe that such tools are 'likely' to be used in the commission of an offence; they know full well that they will be and, indeed, already are." [HoL06]. The importance of the issue was also raised in the debate of 10 October 2006 by the Baroness Anelay of St.
Johns, speaking on behalf of Lord Northesk and stating: "However, because of the absence of legal certainty and clarity about how the likelihood test would be applied by the courts, an effect of the provision, if enacted, will be that trustworthy distribution sites of such software in the UK will be closed down rather than face the risk of possible prosecution" [HoL06b]. Moreover, Lynne Featherstone, MP for Hornsey and Wood Green, proposed in the House of Commons Standing Committee debating the Police and Justice Bill that: "the drafting is sloppy because it means that legitimate computer consultants could be breaking the law by using tools that are used for hacking, even if there are legitimate security reasons for using those same tools" [HoCSC]. It is also important to quote the opinions of some security experts. Bill Thompson, commentator for BBC World, commenting on the bill said that: "The proposals in the new bill that deal with the possession of security software could easily be abused to make life difficult for researchers or those, like me, who want to understand what these tools do." [BTo06]. We observe that there has been concern about this specific section, 3A of the amended CMA. Despite this concern, there has not been a study of the issue from a computer scientist's point of view after the Police and Justice Act was enacted on the 8th of November.

4.5.2 Scenario

In this section I am going to present a scenario that can easily occur and that, as I will analyse in 4.5.4, despite the fact that it is a common practice and extremely helpful for security experts, can be criminalised under the amended Computer Misuse Act. It is rather common for network administrators to develop testing tools in order to detect the vulnerabilities of their networks. I am considering, in this case, a network administrator who develops a simple tool that launches a DDoS attack against his network.
Let us assume that his aim is to test a new Intrusion Detection System that his company purchased and to examine the network's resistance to a DDoS attack. He creates a tool that uses the computers of the company's network in order to launch an attack against the company's web server. After testing the IDS and his network, he wants to share this information with other security experts and network administrators in order to justify his opinion about the specific product and help them test their systems too. In order to do this, he uploads the code of the application he developed to a computer security forum so that other experts can also attack their own systems and check their strength. The last step of the scenario is when a hacker searches the forum, finds the tool and downloads it in order to use it for launching DDoS attacks.

4.5.3 Possibility of the scenario

I have searched the internet in order to find DoS testing tools developed by individuals, so as to verify this scenario. A search with keywords such as "security", "denial of service" and "test tools" in Google returns some results that are really interesting and verify the existence of the scenario proposed. During my search of the internet for DoS testing tools I found several websites and forums from which you can easily download tools that perform Denial of Service attacks and are created by administrators and security experts in order to test their systems. For example, the website packetstormsecurity.org is a forum in which security analysts upload testing tools that launch attacks. It is stated at the top of the page that: "Denial of Service tools are for use when testing your own machines only. Use of these tools on a test network is the only way to build a stable network enabled product that will not crash under the load of a distributed packet flood." [PS], but it is clear that they can also be used by hackers. Moreover, the same search returned a piece of code that exploits a vulnerability of VoIP. The webpage containing this code is part of the site securiteam.com, which is owned by a security group who created this site "in order to help you cope with the newest security threats and keep you closely updated" [milw0rm07]. Finally, a search of torrent websites returned a torrent called "Beginners Hacking Tools" containing a Denial of Service attack feature. The creator of this torrent claims that he is seeding it "for educational purposes" [BHT]. Examining the results of this search, we can assume that the scenario proposed before is likely to happen. Moreover, there is no doubt that sharing testing tools is important for network administrators and security experts.
It is in the nature of Information Security that there is a flow of information and ideas, so that the community of administrators remains informed about vulnerabilities and new tools.

4.5.4 Legal analysis

After presenting a scenario which, in my opinion, if followed, could criminalise the testing tools created and shared by network administrators, and after showing that this scenario is possible, I am going to examine the relevant legislation to show that indeed, in some cases, legitimate tools and practices used by network administrators can be an offence under the CMA. As mentioned in 4.5.1, the relevant section of the Police and Justice Act is 3A, "Making, supplying or obtaining articles for use in offence under section 1 or 3". The important subsection is 3A(2), which states: "A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." There is no doubt that when a person uploads a program, or gives details about a security vulnerability, then this person supplies this article, where "article" includes any program or data held in electronic form according to 3A(4). Moreover, the testing tool that I described in the scenario above can be used to commit an offence under section 3 of the CMA. To be more specific, a computer program that launches a DoS attack in order to test a system's vulnerabilities can also be used for a real DoS attack. The critical wording of the section is the phrase "believing that it is likely to be used to commit, or to assist in the commission of" an offence. As I mentioned before, it is a common practice for network administrators to share tools like this and help each other in detecting vulnerabilities. Moreover, it is also known that hackers perform searches in security forums, like the one I described in 4.5.3, looking for tools.
This fact was also mentioned by Lord Northesk in the debate of 11 July. Bearing in mind these facts, we can assume that a security expert who publishes a tool for launching denial of service attacks with the purpose of testing a network knows and believes that it is likely to be downloaded by a hacker and used for launching a Denial of Service attack. This does not mean that the creator of the tool wants it to be used for an offence, but it is better for the security community to share its expertise even though some of its tools can also be used by hackers. Nevertheless, it is certain that the creator of the DoS tool believes that it is likely to be used by a malicious user. Moreover, despite the fact that Vernon Coaker MP, Home Office Minister, stated that: "The test for the offence will be whether the person believed at the time that the tool would be used more criminally than legitimately, so IT

professionals will not be affected" [VC06], it is difficult to predict and know the future usage of a tool you develop, and very complicated to monitor the use of a program in order to decide whether it is used criminally or legitimately. To summarise, I believe that section 3A criminalises the sharing of certain tools between security experts in forums and blogs.

4.5.5 Conclusion

In this chapter I showed that section 3A of the revised Computer Misuse Act criminalises a usual practice of network administrators and security experts. I presented a common scenario of an administrator creating a tool that launches a DoS attack in order to test the resistance of his network and the effectiveness of an IDS product he bought. Then, following the usual practice of sharing his expertise with other administrators, he uploads it to a security forum, such as packetstormsecurity.org. Subsequently, a malicious hacker downloads the tool and actually launches a DoS attack against a company. After analysing this practice against section 3A of the Computer Misuse Act, I concluded that the action of creating and uploading such a tool is an offence. This study shows that the practice of sharing DoS tools for testing networks can be considered illegal. The impact of this fact is really important for network security. As I mentioned above, security experts rely on several occasions on security forums and experts' blogs in order to keep their knowledge up to date. As a result, if sharing expertise by means of security tools proves in Court to be illegal because a hacker also uses these tools, this can affect the flow of information and innovation among administrators and be a hindrance to the development of security technology. During an informal conversation I had with Dr. Richard Clayton, an expert in the field of computer security, he mentioned that we should wait for the guidelines from the Crown Prosecution Service on the Police and Justice Act.
This is true, as we cannot draw completely safe conclusions until we have these guidelines and until the Act is brought fully into effect, an action expected by April. Nevertheless, in my opinion, and as I examined above, this issue should be addressed, as the fear of performing an unlawful act can influence the sharing of expertise among security experts.

5. Conclusion

The purpose of this dissertation was to analyse the cybercrime of Denial of Service and the relevant legislation. I performed a study of Denial of Service attacks and especially of the ways of launching an attack, of the defences against these attacks and of the overall cost to a business. Based on this information, I created a complete definition of DoS attacks. In the next chapter I presented the relevant legislation of the UK in detail and I also examined the legislation of the EU, the USA, Australia, New Zealand and South Africa, countries that are advanced in the sector of computer security. Then, I tried to identify a way of attacking that could be legal under UK law. I performed a complete analysis by examining all the attacking techniques I described in the second chapter against the UK legislation and especially the amended Computer Misuse Act. The outcome of the analysis is that there is no legal way of performing a Denial of Service attack. Having examined the CMA, I continued researching the issue of DoS. In section 4.5 I studied, from a computer scientist's point of view, the section of the amended CMA about supplying tools to be used for an offence, section 3A(2). Even though there was a debate about this section, which possibly criminalises administrative tools, I could not find a technical study of this issue in the bibliography. I presented a practice used by security experts, to create and share attacking tools in order to test their systems, and analysed it bearing in mind section 3A(2).
I demonstrated that this section can criminalise this useful practice used by security experts and network administrators.

References

[About] Bradley Mitchell, Ping of Death, about.com, accessed on 10 June 2007
[AG05] Avi Goldfarb, Why do denial of service attacks reduce future visits? Switching costs vs. changing preferences, February 2005, University of Toronto
[AM06] Elias Athanasopoulos, Evangelos P. Markatos, Misusing Unstructured P2P Systems to Perform DoS Attacks: The Network that Never Forgets, Technical Report 370, ICS-FORTH, February 2006
[Angel] tfn tfn2k trin00, accessed on 20 June 2007
[APIG05] All Party Parliamentary Internet Group, APIG Chairman Calls For Greater Penalties for Hacking and Denial of Service Attacks, 10 March 2005, accessed on 17 July
[AT07] Nate Anderson, Massive DDoS attack target Estonia; Russia accused, arstechnica.com, 14 May 2007, accessed on 15 June 2007
[AusC00] Distributed Denial of Service Attacks, auscert.org.au, 16 February 2000, accessed on 5 June 2007
[AusC04] AA Denial of Service Vulnerability in IEEE Wireless Devices, auscert.org.au, 13 May 2004, accessed on 5 August 2007
[BBC03] Teenager cleared of hacking, bbc.co.uk, 17 October 2003, accessed on 21 July 2007
[BC04] Valer Bocan, Vladimir Cretu, Security and Denial of Service Threats in GSM Networks, Buletinul Stiintific al Universitatii Politehnica din Timisoara, Romania, Periodica Politechnica, Transactions on Automatic Control and Computer Science, Vol. 49 (63), 2004, ISSN X
[BHT] Beginners Hacking Tools, torrent added 11 August 2007, accessed on 21 August 2007
[BM07] Bradley Mitchell, Wireless Standards b a g and n, about.com, accessed on 17 August 2007
[BT00] Bennett Todd, Distributed Denial of Service Attacks, linuxsecurity.com, 18 February 2000, accessed on 18 June 2007
[BTo06] Bill Thompson, How to legislate against hackers, bbc.co.uk, 13 March 2006, accessed on 18 August 2007
[CBSTaC] Terms of Service, Colocation Blue Square Colocation Redbus Colocation, UK Server Hosting, UK Colocation hosting VoIP Reseller, accessed on 28 August 2007
[CCPI] Denial of Service Tools, planetindia.net, accessed on 12 June 2007
[CERT00] CERT Advisory CA Denial-of-Service vulnerabilities in TCP/IP stacks, cert.org, 4 December 2000, accessed on 10 June 2007
[CERT96] CERT Advisory CA TCP SYN flooding and IP Spoofing attacks, cert.org, 19 September 1996, accessed on 20 June 2007
[CERT99] Denial of Service Attacks, CERT Coordination Centre, 1999, accessed on 3 June 2007
[CERT99b] CERT Incident Note IN-99-07, CERT Coordination Centre, cert.org, 18 November 1999, accessed on 15 June 2007
[CIAC99] J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks, ciac.org, 1 September 1999, accessed on 2 August 1999
[CIAC00] Paul J. Criscuolo, Distributed Denial of Service: Trin00, Tribe Flood Network, Tribe Flood Network 2000 And Stacheldraht, 14 February 2000
[CIE] IP Packet Structure, freesoft.org, accessed on 10 June 2007
[CISCO05] Preventing Distributed Denial of Service Attacks with CISCO self-defending networks, cisco.com
[CK06] Denial of Service, cknow.com, 19 February 2006, accessed on 20 June 2007
[CNN99] Ellen Messmer, Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites, government says, cnn.com, 12 May 1999, accessed on 15 June 2007
[CW06] Update: Two DNS servers hit by denial-of-service attacks. The attacks were targeted at Network Solutions' Worldnic name servers, computerworld.com, 28 March 2006, accessed on 6 June 2007
[DG06] Dieter Gollmann, Computer Security, 2nd edition, John Wiley & Sons, 2006
[Dit99] David Dittrich, The "stacheldraht" distributed denial of service attack tool, washington.edu, 31 December 1999, accessed on 28 June 2007
[DL] Dirk Lehmann, Intrusion Detection, what is ID?, Siemens CERT, accessed on 10 August 2007
[DR05] Hacking Probe Man in Court, dailyrecord.co.uk, 18 January 2005, accessed on 21 July 2007, ing-probe-man-in-court-name_page.html
[EM00] Ellen Messmer, New denial-of-service attack tool uses relay chat, networkworld.com, 9 June 2000, accessed on 28 June 2007
[ETMP05] William Enck, Patrick Traynor, Patrick McDaniel, Thomas La Porta, Exploiting Open Functionality in SMS Capable Cellular Networks, CCS '05, Alexandria, Virginia, USA
[EurLEX02] Proposal for a Council Framework Decision on attacks against information systems, the European Commission, &an_doc=2002&nu_doc=173
[Gex07] Andrew Noyes, Biggest threat to Internet could be a massive virtual blackout, govexec.com, 5 April 2007, accessed on 16 June 2007
[ghtac] greathosting.co.uk, Terms and Conditions, accessed on 28 August 2007
[GIGE] DDoS protection, Cost Overview, gigenet.com, accessed on 10 June 2007
[GKF02] Vikram Gupta, Srikanth Krishnamurthy, Michalis Faloutsos, Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks, 2002
[GS98] P. N. Grabosky, Russell G. Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, Transaction Publishers/The Federation Press, 1998
[Gua04] The web's wise guys, guardian.co.uk, 3 June 2004, accessed on 5 June 2007
[HDL05] Heather D. Lane, Security Vulnerabilities and Wireless LAN Technology, 6 February 2005
[HMPW01] Alan Householder, Art Manion, Linda Pesante, George M. Weaver, Managing the Threat of Denial-of-Service Attacks, October 2001, CERT Coordination Centre
[HoCSC] House of Commons Standing Committee, Police and Justice Bill
[HoL06] House of Lords Debates, 11 July 2006, theyworkforyou.com
[HoL06b] House of Lords Debates, 10 October 2006, theyworkforyou.com
[HP07] Intrusion Detection, Honeypots and Incident Handling Resources, honeypots.net, 26 May 2007, accessed on 25 July 2007
[HW01] Kevin J. Houle, George M. Weaver, Trends in Denial of Service Attack Technology, October 2001, CERT Coordination Centre
[ICANN07] ICANN, Factsheet on Root Server Attack on 6 February 2007, 1 March 2007
[Ing05] Peter Ingram, Ofcom, Denial of Service, 14 January 2005
[INS06] Top 5 Intrusion Detection Systems, insecure.org, accessed on 7 August 2007
[INS97] The Land Attack IP DoS, insecure.org, 20 November 1997, accessed on 10 June 2007
[ISP07] Intrusion Detection Systems Directory: Quick Reference Chart, isp-planet.com, accessed on 7 August 2007
[ISS] Distributed Denial of Service Attack Tools, iss.net, accessed on 3 July 2007
[IW] Brian Livingston, We can prevent those distributed denial of service attacks with 'egress filtering', infoworld.com, accessed on 19 June 2007
[IWAR00] Trinity v3 / Stacheldraht Distributed Denial of Service Tool, iwar.org.uk, 13 October 2000, accessed on 28 June 2007
[JA99] Frank Stajano, Ross Anderson, The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks, Springer-Verlag Berlin Heidelberg, 1999
[JG03] Jim Geier, Denial of Service a Big WLAN Issue, wi-fiplanet.com, 1 May 2003, accessed on 3 August 2007
[JI] John Ioannidis, Distributed Denial of Service, AT&T Labs, accessed on 18 June 2007
[JL05] John Leyden, Scot in court on DDoS charges, theregister.co.uk, 18 January 2005, accessed on 21 July 2007
[JM05] Jarmo Mölsä, Mitigating denial of service attacks: A tutorial, Journal of Computer Security 13 (2005), IOS Press
[JMa] Jeremy Martin, Information Systems Security Training: DoS Attacks: Instigation and Mitigation, infosecprofessionals.com
[JP] John Podesta, USA Patriot Act: The good, the bad and the Sunset, American Bar Association, accessed on 25 July 2007
[KC06] Georgina Kon, Peter Church, A Denial of Service but not a Denial of Justice, 2006, Linklaters, Elsevier Ltd.
[KL01] David Karig, Ruby Lee, Remote Denial of Service Attacks and Countermeasures, Princeton University Department of Electrical Engineering Technical Report CE-L , October 2001, [KMSW01] Frank Kargl, Jörn Maier, Stefan Schlott, Michael Weber, Protecting Web Servers from Distributed Denial of Service Attacks, accessed on 15 June 2007, [MA02] Mandy Andre, Denial of Service, Fighting Back, networkworld.com, 9 February 2002, accessed on 5 June 2007, [Man01] Mandy Andress, In denial no longer after experts fall, infoworld.com, 22 June 2001, accessed on 5 June 2007, [MDDR05] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiner, Internet Denial of Service, Attack and Defense Mechanisms, Prentice Hall, 2005 [MHHK04] Thomas Martin, Michael Hsiao, Dong Ha, Jayan Krishnaswami, "Denial-of-Service Attacks on Battery-powered Mobile Computers," Proceedings of the 2nd IEEE Pervasive Computing Conference, Orlando, Florida, March 2004 [MIC99] Microsoft Security Program: Microsoft Security Bulletin (MS99-034), Patch available for Fragmented IGMP Packet Vulnerability, microsoft.com, 9 September 1999, accessed on 6 June 2007, [milw0rm07] milw0rm, Linksys SPA941 Denial of Service Exploit (Reboot), securiteam.com, 26 April 2007, accessed on 21 August 2007, [MJLT06] Michael J L Turner, Computer Misuse Act 1990 cases, computerevidence.co.uk, accessed on 21 July 2007, [MmD04] Mindi McDowell, Understanding Denial of Service Attacks, us-cert.gov, 2004, accessed on 16 June 2007, [NewM02] Stopping Attacks: The importance of Denial of Service (DoS) Security Appliances, techguide.com, [NW02] Nathalie Weiler, Honeypots for Distributed Denial of Service Attacks, Proceedings of the Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 02) Spyridon Rekkas 31

39 [NW07] Jeremy Kirk, Estonia recovers from massive denial-of-service attack, networkworld.com, 17 May 2007, accessed on 15 June 2007, [NWD] UDP Flood Attack, networkdictionay.com, accessed on 15 June 2007, [NYT07] Steven Lee Myers, Estonia Computers Blitzed, Possibly by the Russians, nytimes.com, 19 May 2007, accessed on 15 June 2007, 82&ei=5088 [Ofcom06] UK Interface Requirement: UK Radio Interface Requirement for Wideband Transmission Systems operating in the 2.4 GHz ISM Band and Using Wide Band Modulation Techniques, November 2006 [OL05] Denial of Service prosecution in the UK, out-law.com, 17 January 2005, accessed on 21 July 2007, [OL05b] Parliament hears 10 minutes on Denial of Service law, out-law.com, 7 April 2005, accessed on 17 July 2007, [PF] Peter Ford, Implementing a Culture of Security in Australia, Australian Government, Attorney General s Department [PHC01] Ron Plesser, Jim Halpert, Milo Cividanes, Summary and Analysis of Key Sections of USA PATRIOT ACT of 2001, E-commerce and Privacy Group, 31 October 2001, accessed on 25 July 2007, [PJC00] Paul J. Criscuolo, Distributed Denial of Service Trin00, Tribe Flood Network, Tribe Flood Network 2000, And Stacheldraht CIAC-2319, UCRL-ID , Rev. 
1 [PS] packetstormsecurity.org, section: distributed, accessed on 21 August 2007, [RA03] Rebecca Allison, Youth cleared of crashing American port s computer, guardian.co.uk, 18 October 2003, accessed on 21 July 2007, [RAZR00] BindView Razor Team, Distributed Denial of Service Defence Tactics, packetstormsecurity.com, 14 February 2000, accessed on 23 June 2007, [RC06] Richard Clayton, Complexities in Criminalising Denial of Service Attacks, February 2006 [SF04] Kevin Poulsen, FBI busts alleged DDoS mafia, securityfocus.com, 26 August 2004, accessed on 10 June 2007, [SES07] Catherine Engelke, What is zero-day exploit?, searchsecurity.com, 4 June 2007, accessed on 18 June 2007, [SF03] Matthew Tanase, IP Spoofing:An Introduction, securityfocus.com, 11 March 2003, accessed on 20 June 2006, [SIL04] Andy McCue, Online bookies taken down by internet blackmail gangs, silicon.com, 9 June 2004, accessed on 18 June 2007, [SL04] Stephen M. Specht, Ruby B. Lee, Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures, princeton.edu, Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp , September 2004 [SuS05] Introduction to Denial of Service attacks, surasoft.com, accessed on 20 June 2007, [Sym99] Motoaki Yamamura, W32.DoS.Trinoo, symantec.com, 30 December 1999, accesed on 15 June 2007, [TE05] Tom Espiner, Denial of service attacks are legal 'grey area', znet.co.uk, 2 November 2005, accessed on 17 July 2007, [TISN06] Managing DoS Attacks, advice for CEOs, Trusted Information Sharing Network for Critical Infrastructure Protection, July 2006, data/assets/pdf_file/41313/dos_ceo_executive_summary.pdf [TUHH] Intrusion Detection Systems, Tecnische Universitat Hamburg-Harburg [UniH] Teardrop, accessed on 10 June 2007, [USC06] US-CERT Quarterly Trends and Analysis Report, 1 September 2006, us-cert.gov Spyridon Rekkas 32

40 [USC06b] US-CERT The Continuing Denial of Service Threat Posed by DNS Recursion v2.0, uscert.gov [USC07] US-CERT current activity / Microsoft Windows GDI+ ICO Vulnerability, us-cert.gov, 6 June 2007, accessed on 10 June 2007, [USDoJ06] "Botherder" Dealt Record Prison Sentence for Selling and Spreading Malicious Computer Code, U.S. Department of Justice Central District of California, [Usen00] Dave Dittrich, What allowed this to happen?, usenix.org, 22 July 2000, accessed on 17 June 2007, [VC06] Vernon Coaker MP, Home Office Minister, Changes to the Computer Misuse Act will not affect legitimate users, computerweekly.com, 18 July 2006, accessed on 28/08/07, [WA07] William West, Emmanuel Agu Experimental Evaluation of Energy-Based Denial-of Service Attacks in Wireless Networks, International Journal of Computer Science and Network Security, VOL.7 No.6, June 2007 Spyridon Rekkas 33

41 Bibliography 1. ICANN Security and Stability Advisory Committee, SSAC Advisory SAC008 DNS Distributed Denial of Service(DDoS) Attacks. 2. Notice of Ofcom s Proposal to Amend the Wireless Telegraphy (Exemption) Regulations Paul Hansell, The 2.4 GHz ISM Band, Aegis Systems Ltd. 4. Parliamentary Office of Science and Technology, Postnote, number 271, October Dr. Gunter Muller, Security and Privacy Risks in Future IT, IIG in cooperation with ENISA. 6. Mark Rasdale, Legislation for Robots and Zombies, Computer Law and Security Report 7. Darkreading, 8. DDoS world, Spyridon Rekkas 34

Appendix 1 UK Statutes

1.A Computer Misuse Act 1990

Computer Misuse Act 1990 (c. 18)
1990 CHAPTER 18

ARRANGEMENT OF SECTIONS

Computer misuse offences
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

Jurisdiction
4. Territorial scope of offences under this Act.
5. Significant links with domestic jurisdiction.
6. Territorial scope of inchoate offences related to offences under this Act.
7. Territorial scope of inchoate offences related to offences under external law corresponding to offences under this Act.
8. Relevance of external law.
9. British citizenship immaterial.

Miscellaneous and general
10. Saving for certain law enforcement powers.
11. Proceedings for offences under section 1.
12. Conviction of an offence under section 1 in proceedings for an offence under section 2 or 3.
13. Proceedings in Scotland.
14. Search warrants for offences under section 1.
15. Extradition where Schedule 1 to the Extradition Act 1989 applies.
16. Application to Northern Ireland.
17. Interpretation.
18. Citation, commencement etc.

An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes. [29th June 1990]

Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:

Computer misuse offences

1 Unauthorised access to computer material
(1) A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at (a) any particular program or data; (b) a program or data of any particular kind; or (c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

2 Unauthorised access with intent to commit or facilitate commission of further offences
(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent (a) to commit an offence to which this section applies; or (b) to facilitate the commission of such an offence (whether by himself or by any other person); and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
(2) This section applies to offences (a) for which the sentence is fixed by law; or (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the [1980 c. 43.] Magistrates' Courts Act 1980).
(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
(4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.
(5) A person guilty of an offence under this section shall be liable (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.
3 Unauthorised modification of computer material
(1) A person is guilty of an offence if (a) he does any act which causes an unauthorised modification of the contents of any computer; and (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing (a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; or (c) to impair the operation of any such program or the reliability of any such data.
(3) The intent need not be directed at (a) any particular computer; (b) any particular program or data or a program or data of any particular kind; or (c) any particular modification or a modification of any particular kind.
(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
(6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.
(7) A person guilty of an offence under this section shall be liable (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.
Jurisdiction

4 Territorial scope of offences under this Act
(1) Except as provided below in this section, it is immaterial for the purposes of any offence under section 1 or 3 above (a) whether any act or other event proof of which is required for conviction of the offence occurred in the home country concerned; or (b) whether the accused was in the home country concerned at the time of any such act or event.
(2) Subject to subsection (3) below, in the case of such an offence at least one significant link with domestic jurisdiction must exist in the circumstances of the case for the offence to be committed.
(3) There is no need for any such link to exist for the commission of an offence under section 1 above to be established in proof of an allegation to that effect in proceedings for an offence under section 2 above.
(4) Subject to section 8 below, where (a) any such link does in fact exist in the case of an offence under section 1 above; and (b) commission of that offence is alleged in proceedings for an offence under section 2 above; section 2 above shall apply as if anything the accused intended to do or facilitate in any place outside the home country concerned which would be an offence to which section 2 applies if it took place in the home country concerned were the offence in question.
(5) This section is without prejudice to any jurisdiction exercisable by a court in Scotland apart from this section.
(6) References in this Act to the home country concerned are references (a) in the application of this Act to England and Wales, to England and Wales; (b) in the application of this Act to Scotland, to Scotland; and (c) in the application of this Act to Northern Ireland, to Northern Ireland.

5 Significant links with domestic jurisdiction
(1) The following provisions of this section apply for the interpretation of section 4 above.
(2) In relation to an offence under section 1, either of the following is a significant link with domestic jurisdiction (a) that the accused was in the home country concerned at the time when he did the act which caused the computer to perform the function; or (b) that any computer containing any program or data to which the accused secured or intended to secure unauthorised access by doing that act was in the home country concerned at that time.
(3) In relation to an offence under section 3, either of the following is a significant link with domestic jurisdiction (a) that the accused was in the home country concerned at the time when he did the act which caused the unauthorised modification; or (b) that the unauthorised modification took place in the home country concerned.

6 Territorial scope of inchoate offences related to offences under this Act
(1) On a charge of conspiracy to commit an offence under this Act the following questions are immaterial to the accused's guilt (a) the question where any person became a party to the conspiracy; and (b) the question whether any act, omission or other event occurred in the home country concerned.
(2) On a charge of attempting to commit an offence under section 3 above the following questions are immaterial to the accused's guilt (a) the question where the attempt was made; and (b) the question whether it had an effect in the home country concerned.
(3) On a charge of incitement to commit an offence under this Act the question where the incitement took place is immaterial to the accused's guilt.
(4) This section does not extend to Scotland.

7 Territorial scope of inchoate offences related to offences under external law corresponding to offences under this Act
(1) The following subsections shall be inserted after subsection (1) of section 1 of the [1977 c. 45.] Criminal Law Act 1977
(1A) Subject to section 8 of the Computer Misuse Act 1990 (relevance of external law), if this subsection applies to an agreement, this Part of this Act has effect in relation to it as it has effect in relation to an agreement falling within subsection (1) above.
(1B) Subsection (1A) above applies to an agreement if (a) a party to it, or a party's agent, did anything in England and Wales in relation to it before its formation; or (b) a party to it became a party in England and Wales (by joining it either in person or through an agent); or (c) a party to it, or a party's agent, did or omitted anything in England and Wales in pursuance of it; and the agreement would fall within subsection (1) above as an agreement relating to the commission of a computer misuse offence but for the fact that the offence would not be an offence triable in England and Wales if committed in accordance with the parties' intentions..
(2) The following subsections shall be inserted after subsection (4) of that section
(5) In the application of this Part of this Act to an agreement to which subsection (1A) above applies any reference to an offence shall be read as a reference to what would be the computer misuse offence in question but for the fact that it is not an offence triable in England and Wales.
(6) In this section "computer misuse offence" means an offence under the Computer Misuse Act
(3) The following subsections shall be inserted after section 1(1) of the [1981 c. 47.] Criminal Attempts Act 1981
(1A) Subject to section 8 of the Computer Misuse Act 1990 (relevance of external law), if this subsection applies to an act, what the person doing it had in view shall be treated as an offence to which this section applies.
(1B) Subsection (1A) above applies to an act if (a) it is done in England and Wales; and (b) it would fall within subsection (1) above as more than merely preparatory to the commission of an offence under section 3 of the Computer Misuse Act 1990 but for the fact that the offence, if completed, would not be an offence triable in England and Wales..
(4) Subject to section 8 below, if any act done by a person in England and Wales would amount to the offence of incitement to commit an offence under this Act but for the fact that what he had in view would not be an offence triable in England and Wales (a) what he had in view shall be treated as an offence under this Act for the purposes of any charge of incitement brought in respect of that act; and (b) any such charge shall accordingly be triable in England and Wales.
8 Relevance of external law
(1) A person is guilty of an offence triable by virtue of section 4(4) above only if what he intended to do or facilitate would involve the commission of an offence under the law in force where the whole or any part of it was intended to take place.
(2) A person is guilty of an offence triable by virtue of section 1(1A) of the [1977 c. 45.] Criminal Law Act 1977 only if the pursuit of the agreed course of conduct would at some stage involve (a) an act or omission by one or more of the parties; or (b) the happening of some other event; constituting an offence under the law in force where the act, omission or other event was intended to take place.
(3) A person is guilty of an offence triable by virtue of section 1(1A) of the [1981 c. 47.] Criminal Attempts Act 1981 or by virtue of section 7(4) above only if what he had in view would involve the commission of an offence under the law in force where the whole or any part of it was intended to take place.
(4) Conduct punishable under the law in force in any place is an offence under that law for the purposes of this section, however it is described in that law.
(5) Subject to subsection (7) below, a condition specified in any of subsections (1) to (3) above shall be taken to be satisfied unless not later than rules of court may provide the defence serve on the prosecution a notice (a) stating that, on the facts as alleged with respect to the relevant conduct, the condition is not in their opinion satisfied; (b) showing their grounds for that opinion; and (c) requiring the prosecution to show that it is satisfied.
(6) In subsection (5) above "the relevant conduct" means (a) where the condition in subsection (1) above is in question, what the accused intended to do or facilitate; (b) where the condition in subsection (2) above is in question, the agreed course of conduct; and (c) where the condition in subsection (3) above is in question, what the accused had in view.
(7) The court, if it thinks fit, may permit the defence to require the prosecution to show that the condition is satisfied without the prior service of a notice under subsection (5) above.
(8) If by virtue of subsection (7) above a court of solemn jurisdiction in Scotland permits the defence to require the prosecution to show that the condition is satisfied, it shall be competent for the prosecution for that purpose to examine any witness or to put in evidence any production not included in the lists lodged by it.
(9) In the Crown Court the question whether the condition is satisfied shall be decided by the judge alone.

(10) In the High Court of Justiciary and in the sheriff court the question whether the condition is satisfied shall be decided by the judge or, as the case may be, the sheriff alone.

9 British citizenship immaterial
(1) In any proceedings brought in England and Wales in respect of any offence to which this section applies it is immaterial to guilt whether or not the accused was a British citizen at the time of any act, omission or other event proof of which is required for conviction of the offence.
(2) This section applies to the following offences (a) any offence under this Act; (b) conspiracy to commit an offence under this Act; (c) any attempt to commit an offence under section 3 above; and (d) incitement to commit an offence under this Act.

Miscellaneous and general

10 Saving for certain law enforcement powers
Section 1(1) above has effect without prejudice to the operation (a) in England and Wales of any enactment relating to powers of inspection, search or seizure; and (b) in Scotland of any enactment or rule of law relating to powers of examination, search or seizure.

11 Proceedings for offences under section 1
(1) A magistrates' court shall have jurisdiction to try an offence under section 1 above if (a) the accused was within its commission area at the time when he did the act which caused the computer to perform the function; or (b) any computer containing any program or data to which the accused secured or intended to secure unauthorised access by doing that act was in its commission area at that time.
(2) Subject to subsection (3) below, proceedings for an offence under section 1 above may be brought within a period of six months from the date on which evidence sufficient in the opinion of the prosecutor to warrant the proceedings came to his knowledge.
(3) No such proceedings shall be brought by virtue of this section more than three years after the commission of the offence.
(4) For the purposes of this section, a certificate signed by or on behalf of the prosecutor and stating the date on which evidence sufficient in his opinion to warrant the proceedings came to his knowledge shall be conclusive evidence of that fact.
(5) A certificate stating that matter and purporting to be so signed shall be deemed to be so signed unless the contrary is proved.
(6) In this section "commission area" has the same meaning as in the Justices of the [1979 c. 55.] Peace Act
(7) This section does not extend to Scotland.

12 Conviction of an offence under section 1 in proceedings for an offence under section 2 or 3
(1) If on the trial on indictment of a person charged with (a) an offence under section 2 above; or (b) an offence under section 3 above or any attempt to commit such an offence; the jury find him not guilty of the offence charged, they may find him guilty of an offence under section 1 above if on the facts shown he could have been found guilty of that offence in proceedings for that offence brought before the expiry of any time limit under section 11 above applicable to such proceedings.
(2) The Crown Court shall have the same powers and duties in relation to a person who is by virtue of this section convicted before it of an offence under section 1 above as a magistrates' court would have on convicting him of the offence.
(3) This section is without prejudice to section 6(3) of the [1967 c. 58.] Criminal Law Act 1967 (conviction of alternative indictable offence on trial on indictment).
(4) This section does not extend to Scotland.

13 Proceedings in Scotland
(1) A sheriff shall have jurisdiction in respect of an offence under section 1 or 2 above if (a) the accused was in the sheriffdom at the time when he did the act which caused the computer to perform the function; or (b) any computer containing any program or data to which the accused secured or intended to secure unauthorised access by doing that act was in the sheriffdom at that time.
(2) A sheriff shall have jurisdiction in respect of an offence under section 3 above if (a) the accused was in the sheriffdom at the time when he did the act which caused the unauthorised modification; or (b) the unauthorised modification took place in the sheriffdom.
(3) Subject to subsection (4) below, summary proceedings for an offence under section 1, 2 or 3 above may be commenced within a period of six months from the date on which evidence sufficient in the opinion of the procurator fiscal to warrant proceedings came to his knowledge.
(4) No such proceedings shall be commenced by virtue of this section more than three years after the commission of the offence.
(5) For the purposes of this section, a certificate signed by or on behalf of the procurator fiscal and stating the date on which evidence sufficient in his opinion to warrant the proceedings came to his knowledge shall be conclusive evidence of that fact.
(6) A certificate stating that matter and purporting to be so signed shall be deemed to be so signed unless the contrary is proved.
(7) Subsection (3) of section 331 of the [1975 c. 21.] Criminal Procedure (Scotland) Act 1975 (date of commencement of proceedings) shall apply for the purposes of this section as it applies for the purposes of that section.
(8) In proceedings in which a person is charged with an offence under section 2 or 3 above and is found not guilty or is acquitted of that charge, he may be found guilty of an offence under section 1 above if on the facts shown he could have been found guilty of that offence in proceedings for that offence commenced before the expiry of any time limit under this section applicable to such proceedings.
(9) Subsection (8) above shall apply whether or not an offence under section 1 above has been libelled in the complaint or indictment.
(10) A person found guilty of an offence under section 1 above by virtue of subsection (8) above shall be liable, in respect of that offence, only to the penalties set out in section 1.
(11) This section extends to Scotland only.
14 Search warrants for offences under section 1
(1) Where a circuit judge is satisfied by information on oath given by a constable that there are reasonable grounds for believing (a) that an offence under section 1 above has been or is about to be committed in any premises; and (b) that evidence that such an offence has been or is about to be committed is in those premises; he may issue a warrant authorising a constable to enter and search the premises, using such reasonable force as is necessary.
(2) The power conferred by subsection (1) above does not extend to authorising a search for material of the kinds mentioned in section 9(2) of the [1984 c. 60.] Police and Criminal Evidence Act 1984 (privileged, excluded and special procedure material).
(3) A warrant under this section (a) may authorise persons to accompany any constable executing the warrant; and (b) remains in force for twenty-eight days from the date of its issue.
(4) In executing a warrant issued under this section a constable may seize an article if he reasonably believes that it is evidence that an offence under section 1 above has been or is about to be committed.
(5) In this section "premises" includes land, buildings, movable structures, vehicles, vessels, aircraft and hovercraft.
(6) This section does not extend to Scotland.

15 Extradition where Schedule 1 to the Extradition Act 1989 applies
The offences to which an Order in Council under section 2 of the [1870 c. 52.] Extradition Act 1870 can apply shall include (a) offences under section 2 or 3 above; (b) any conspiracy to commit such an offence; and (c) any attempt to commit an offence under section 3 above.

16 Application to Northern Ireland
(1) The following provisions of this section have effect for applying this Act in relation to Northern Ireland with the modifications there mentioned.
(2) In section 2(2)(b) (a) the reference to England and Wales shall be read as a reference to Northern Ireland; and (b) the reference to section 33 of the [1980 c. 43.] Magistrates' Courts Act 1980 shall be read as a reference to Article 46(4) of the [S.I. 1981/1675 (N.I.26).] Magistrates' Courts (Northern Ireland) Order

(3) The reference in section 3(6) to the [1971 c. 48.] Criminal Damage Act 1971 shall be read as a reference to the [S.I. 1977/426 (N.I.4).] Criminal Damage (Northern Ireland) Order
(4) Subsections (5) to (7) below apply in substitution for subsections (1) to (3) of section 7; and any reference in subsection (4) of that section to England and Wales shall be read as a reference to Northern Ireland.
(5) The following paragraphs shall be inserted after paragraph (1) of Article 9 of the [S.I. 1983/1120 (N.I.13).] Criminal Attempts and Conspiracy (Northern Ireland) Order 1983
(1A) Subject to section 8 of the Computer Misuse Act 1990 (relevance of external law), if this paragraph applies to an agreement, this Part has effect in relation to it as it has effect in relation to an agreement falling within paragraph (1).
(1B) Paragraph (1A) applies to an agreement if (a) a party to it, or a party's agent, did anything in Northern Ireland in relation to it before its formation; (b) a party to it became a party in Northern Ireland (by joining it either in person or through an agent); or (c) a party to it, or a party's agent, did or omitted anything in Northern Ireland in pursuance of it; and the agreement would fall within paragraph (1) as an agreement relating to the commission of a computer misuse offence but for the fact that the offence would not be an offence triable in Northern Ireland if committed in accordance with the parties' intentions..
(6) The following paragraph shall be inserted after paragraph (4) of that Article
(5) In the application of this Part to an agreement to which paragraph (1A) applies any reference to an offence shall be read as a reference to what would be the computer misuse offence in question but for the fact that it is not an offence triable in Northern Ireland.
(6) In this Article computer misuse offence means an offence under the Computer Misuse Act (7) The following paragraphs shall be inserted after Article 3(1) of that Order (1A) Subject to section 8 of the Computer Misuse Act 1990 (relevance of external law), if this paragraph applies to an act, what the person doing it had in view shall be treated as an offence to which this Article applies. (1B) Paragraph (1A) above applies to an act if (a) it is done in Northern Ireland; and (b) it would fall within paragraph (1) as more than merely preparatory to the commission of an offence under section 3 of the Computer Misuse Act 1990 but for the fact that the offence, if completed, would not be an offence triable in Northern Ireland.. (8) In section 8 (a) the reference in subsection (2) to section 1(1A) of the [1977 c. 45.] Criminal Law Act 1977 shall be read as a reference to Article 9(1A) of that Order; and (b) the reference in subsection (3) to section 1(1A) of the [1981 c. 47.] Criminal Attempts Act 1981 shall be read as a reference to Article 3(1A) of that Order. (9) The references in sections 9(1) and 10 to England and Wales shall be read as references to Northern Ireland. (10) In section 11, for subsection (1) there shall be substituted (1) A magistrates' court for a county division in Northern Ireland may hear and determine a complaint charging an offence under section 1 above or conduct a preliminary investigation or preliminary inquiry into an offence under that section if (a) the accused was in that division at the time when he did the act which caused the computer to perform the function; or (b) any computer containing any program or data to which the accused secured or intended to secure unauthorised access by doing that act was in that division at that time. ; and subsection (6) shall be omitted. (11) The reference in section 12(3) to section 6(3) of the [1967 c. 58.] Criminal Law Act 1967 shall be read as a reference to section 6(2) of the [1967 c. 18 (N.I.).] 
Criminal Law Act (Northern Ireland) (12) In section 14 (a) the reference in subsection (1) to a circuit judge shall be read as a reference to a county court judge; and (b) the reference in subsection (2) to section 9(2) of the [1984 c. 60.] Police and Criminal Evidence Act 1984 shall be read as a reference to Article 11(2) of the [S.I. 1989/1341 (N.I. 12).] Police and Criminal Evidence (Northern Ireland) Order Interpretation (1) The following provisions of this section apply for the interpretation of this Act. Spyridon Rekkas 41

(2) A person secures access to any program or data held in a computer if by causing a computer to perform any function he (a) alters or erases the program or data; (b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held; (c) uses it; or (d) has it output from the computer in which it is held (whether by having it displayed or in any other manner); and references to access to a program or data (and to an intent to secure such access) shall be read accordingly.
(3) For the purposes of subsection (2)(c) above a person uses a program if the function he causes the computer to perform (a) causes the program to be executed; or (b) is itself a function of the program.
(4) For the purposes of subsection (2)(d) above (a) a program is output if the instructions of which it consists are output; and (b) the form in which any such instructions or any other data is output (and in particular whether or not it represents a form in which, in the case of instructions, they are capable of being executed or, in the case of data, it is capable of being processed by a computer) is immaterial.
(5) Access of any kind by any person to any program or data held in a computer is unauthorised if (a) he is not himself entitled to control access of the kind in question to the program or data; and (b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled.
(6) References to any program or data held in a computer include references to any program or data held in any removable storage medium which is for the time being in the computer; and a computer is to be regarded as containing any program or data held in any such medium.
(7) A modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer (a) any program or data held in the computer concerned is altered or erased; or (b) any program or data is added to its contents; and any act which contributes towards causing such a modification shall be regarded as causing it.
(8) Such a modification is unauthorised if (a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and (b) he does not have consent to the modification from any person who is so entitled.
(9) References to the home country concerned shall be read in accordance with section 4(6) above.
(10) References to a program include references to part of a program.
18 Citation, commencement etc
(1) This Act may be cited as the Computer Misuse Act.
(2) This Act shall come into force at the end of the period of two months beginning with the day on which it is passed.
(3) An offence is not committed under this Act unless every act or other event proof of which is required for conviction of the offence takes place after this Act comes into force.
1.B Police and Justice Act 2006
Computer misuse
35 Unauthorised access to computer material
(1) In the Computer Misuse Act 1990 (c. 18) ("the 1990 Act"), section 1 (offence of unauthorised access to computer material) is amended as follows.

(2) In subsection (1) (a) in paragraph (a), after "any computer" there is inserted ", or to enable any such access to be secured"; (b) in paragraph (b), after "secure" there is inserted ", or to enable to be secured,".
(3) For subsection (3) there is substituted:
"(3) A person guilty of an offence under this section shall be liable (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both."
36 Unauthorised acts with intent to impair operation of computer, etc
For section 3 of the 1990 Act (unauthorised modification of computer material) there is substituted:
"3 Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
(1) A person is guilty of an offence if (a) he does any unauthorised act in relation to a computer; (b) at the time when he does the act he knows that it is unauthorised; and (c) either subsection (2) or subsection (3) below applies.
(2) This subsection applies if the person intends by doing the act (a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; (c) to impair the operation of any such program or the reliability of any such data; or (d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.
(4) The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to (a) any particular computer; (b) any particular program or data; or (c) a program or data of any particular kind.
(5) In this section (a) a reference to doing an act includes a reference to causing an act to be done; (b) "act" includes a series of acts; (c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.
(6) A person guilty of an offence under this section shall be liable (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; (c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both."
37 Making, supplying or obtaining articles for use in computer misuse offences
After section 3 of the 1990 Act there is inserted:
"3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(4) In this section "article" includes any program or data held in electronic form.
(5) A person guilty of an offence under this section shall be liable (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; (c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both."
1.C Malicious Communications Act 1988
Malicious Communications Act
CHAPTER 27
An Act to make provision for the punishment of persons who send or deliver letters or other articles for the purpose of causing distress or anxiety. [29th July 1988]
Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:
1 Offence of sending letters etc. with intent to cause distress or anxiety
(1) Any person who sends to another person (a) a letter or other article which conveys (i) a message which is indecent or grossly offensive; (ii) a threat; or (iii) information which is false and known or believed to be false by the sender; or (b) any other article which is, in whole or part, of an indecent or grossly offensive nature, is guilty of an offence if his purpose, or one of his purposes, in sending it is that it should, so far as falling within paragraph (a) or (b) above, cause distress or anxiety to the recipient or to any other person to whom he intends that it or its contents or nature should be communicated.
(2) A person is not guilty of an offence by virtue of subsection (1)(a)(ii) above if he shows (a) that the threat was used to reinforce a demand which he believed he had reasonable grounds for making; and (b) that he believed that the use of the threat was a proper means of reinforcing the demand.
(3) In this section references to sending include references to delivering and to causing to be sent or delivered and "sender" shall be construed accordingly.
(4) A person guilty of an offence under this section shall be liable on summary conviction to a fine not exceeding level 4 on the standard scale.
2 Northern Ireland
An Order in Council under paragraph 1(1)(b) of Schedule 1 to the [1974 c. 28.] Northern Ireland Act 1974 (legislation for Northern Ireland in the interim period) which states that it is made only for purposes corresponding to those of this Act (a) shall not be subject to paragraph 1(4) and (5) of that Schedule (affirmative resolution of both Houses of Parliament); but

(b) shall be subject to annulment in pursuance of a resolution of either House.
3 Short title, commencement and extent
(1) This Act may be cited as the Malicious Communications Act.
(2) Section 1 above shall not come into force until the end of the period of two months beginning with the day on which this Act is passed.
(3) This Act does not extend to Scotland or, except for section 2, to Northern Ireland.
1.D Protection from Harassment Act 1997
Protection from Harassment Act
CHAPTER 40
ARRANGEMENT OF SECTIONS
1. England and Wales: Prohibition of harassment; Offence of harassment; Civil remedy; Putting people in fear of violence; Restraining orders; Limitation; Interpretation of this group of sections.
2. Scotland: Harassment; Breach of non-harassment order; Limitation; Non-harassment order following criminal offence.
3. General: National security, etc; Corresponding provision for Northern Ireland; Extent; Commencement; Short title.
An Act to make provision for protecting persons from harassment and similar conduct. [21st March 1997]
Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:
England and Wales
1 Prohibition of harassment
(1) A person must not pursue a course of conduct (a) which amounts to harassment of another, and (b) which he knows or ought to know amounts to harassment of the other.
(2) For the purposes of this section, the person whose course of conduct is in question ought to know that it amounts to harassment of another if a reasonable person in possession of the same information would think the course of conduct amounted to harassment of the other.
(3) Subsection (1) does not apply to a course of conduct if the person who pursued it shows (a) that it was pursued for the purpose of preventing or detecting crime,

(b) that it was pursued under any enactment or rule of law or to comply with any condition or requirement imposed by any person under any enactment, or (c) that in the particular circumstances the pursuit of the course of conduct was reasonable.
2 Offence of harassment
(1) A person who pursues a course of conduct in breach of section 1 is guilty of an offence.
(2) A person guilty of an offence under this section is liable on summary conviction to imprisonment for a term not exceeding six months, or a fine not exceeding level 5 on the standard scale, or both.
(3) In section 24(2) of the [1984 c. 60.] Police and Criminal Evidence Act 1984 (arrestable offences), after paragraph (m) there is inserted "(n) an offence under section 2 of the Protection from Harassment Act 1997 (harassment)."
3 Civil remedy
(1) An actual or apprehended breach of section 1 may be the subject of a claim in civil proceedings by the person who is or may be the victim of the course of conduct in question.
(2) On such a claim, damages may be awarded for (among other things) any anxiety caused by the harassment and any financial loss resulting from the harassment.
(3) Where (a) in such proceedings the High Court or a county court grants an injunction for the purpose of restraining the defendant from pursuing any conduct which amounts to harassment, and (b) the plaintiff considers that the defendant has done anything which he is prohibited from doing by the injunction, the plaintiff may apply for the issue of a warrant for the arrest of the defendant.
(4) An application under subsection (3) may be made (a) where the injunction was granted by the High Court, to a judge of that court, and (b) where the injunction was granted by a county court, to a judge or district judge of that or any other county court.
(5) The judge or district judge to whom an application under subsection (3) is made may only issue a warrant if (a) the application is substantiated on oath, and (b) the judge or district judge has reasonable grounds for believing that the defendant has done anything which he is prohibited from doing by the injunction.
(6) Where (a) the High Court or a county court grants an injunction for the purpose mentioned in subsection (3)(a), and (b) without reasonable excuse the defendant does anything which he is prohibited from doing by the injunction, he is guilty of an offence.
(7) Where a person is convicted of an offence under subsection (6) in respect of any conduct, that conduct is not punishable as a contempt of court.
(8) A person cannot be convicted of an offence under subsection (6) in respect of any conduct which has been punished as a contempt of court.
(9) A person guilty of an offence under subsection (6) is liable (a) on conviction on indictment, to imprisonment for a term not exceeding five years, or a fine, or both, or (b) on summary conviction, to imprisonment for a term not exceeding six months, or a fine not exceeding the statutory maximum, or both.
4 Putting people in fear of violence
(1) A person whose course of conduct causes another to fear, on at least two occasions, that violence will be used against him is guilty of an offence if he knows or ought to know that his course of conduct will cause the other so to fear on each of those occasions.
(2) For the purposes of this section, the person whose course of conduct is in question ought to know that it will cause another to fear that violence will be used against him on any occasion if a reasonable person in possession of the same information would think the course of conduct would cause the other so to fear on that occasion.
(3) It is a defence for a person charged with an offence under this section to show that (a) his course of conduct was pursued for the purpose of preventing or detecting crime, (b) his course of conduct was pursued under any enactment or rule of law or to comply with any condition or requirement imposed by any person under any enactment, or (c) the pursuit of his course of conduct was reasonable for the protection of himself or another or for the protection of his or another's property.

(4) A person guilty of an offence under this section is liable (a) on conviction on indictment, to imprisonment for a term not exceeding five years, or a fine, or both, or (b) on summary conviction, to imprisonment for a term not exceeding six months, or a fine not exceeding the statutory maximum, or both.
(5) If on the trial on indictment of a person charged with an offence under this section the jury find him not guilty of the offence charged, they may find him guilty of an offence under section 2.
(6) The Crown Court has the same powers and duties in relation to a person who is by virtue of subsection (5) convicted before it of an offence under section 2 as a magistrates' court would have on convicting him of the offence.
5 Restraining orders
(1) A court sentencing or otherwise dealing with a person ("the defendant") convicted of an offence under section 2 or 4 may (as well as sentencing him or dealing with him in any other way) make an order under this section.
(2) The order may, for the purpose of protecting the victim of the offence, or any other person mentioned in the order, from further conduct which (a) amounts to harassment, or (b) will cause a fear of violence, prohibit the defendant from doing anything described in the order.
(3) The order may have effect for a specified period or until further order.
(4) The prosecutor, the defendant or any other person mentioned in the order may apply to the court which made the order for it to be varied or discharged by a further order.
(5) If without reasonable excuse the defendant does anything which he is prohibited from doing by an order under this section, he is guilty of an offence.
(6) A person guilty of an offence under this section is liable (a) on conviction on indictment, to imprisonment for a term not exceeding five years, or a fine, or both, or (b) on summary conviction, to imprisonment for a term not exceeding six months, or a fine not exceeding the statutory maximum, or both.
6 Limitation
In section 11 of the [1980 c. 58.] Limitation Act 1980 (special time limit for actions in respect of personal injuries), after subsection (1) there is inserted "(1A) This section does not apply to any action brought for damages under section 3 of the Protection from Harassment Act".
Interpretation of this group of sections
(1) This section applies for the interpretation of sections 1 to 5.
(2) References to harassing a person include alarming the person or causing the person distress.
(3) A course of conduct must involve conduct on at least two occasions.
(4) "Conduct" includes speech.
Scotland
8 Harassment
(1) Every individual has a right to be free from harassment and, accordingly, a person must not pursue a course of conduct which amounts to harassment of another and (a) is intended to amount to harassment of that person; or (b) occurs in circumstances where it would appear to a reasonable person that it would amount to harassment of that person.
(2) An actual or apprehended breach of subsection (1) may be the subject of a claim in civil proceedings by the person who is or may be the victim of the course of conduct in question; and any such claim shall be known as an action of harassment.
(3) For the purposes of this section "conduct" includes speech; "harassment" of a person includes causing the person alarm or distress; and a course of conduct must involve conduct on at least two occasions.
(4) It shall be a defence to any action of harassment to show that the course of conduct complained of (a) was authorised by, under or by virtue of any enactment or rule of law; (b) was pursued for the purpose of preventing or detecting crime; or (c) was, in the particular circumstances, reasonable.

(5) In an action of harassment the court may, without prejudice to any other remedies which it may grant (a) award damages; (b) grant (i) interdict or interim interdict; (ii) if it is satisfied that it is appropriate for it to do so in order to protect the person from further harassment, an order, to be known as a "non-harassment order", requiring the defender to refrain from such conduct in relation to the pursuer as may be specified in the order for such period (which includes an indeterminate period) as may be so specified, but a person may not be subjected to the same prohibitions in an interdict or interim interdict and a non-harassment order at the same time.
(6) The damages which may be awarded in an action of harassment include damages for any anxiety caused by the harassment and any financial loss resulting from it.
(7) Without prejudice to any right to seek review of any interlocutor, a person against whom a non-harassment order has been made, or the person for whose protection the order was made, may apply to the court by which the order was made for revocation of or a variation of the order and, on any such application, the court may revoke the order or vary it in such manner as it considers appropriate.
(8) In section 10(1) of the [1976 c. 13.] Damages (Scotland) Act 1976 (interpretation), in the definition of "personal injuries", after "to reputation" there is inserted ", or injury resulting from harassment actionable under section 8 of the Protection from Harassment Act".
Breach of non-harassment order
(1) Any person who is found to be in breach of a non-harassment order made under section 8 is guilty of an offence and liable (a) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine, or to both such imprisonment and such fine; and (b) on summary conviction, to imprisonment for a period not exceeding six months or to a fine not exceeding the statutory maximum, or to both such imprisonment and such fine.
(2) A breach of a non-harassment order shall not be punishable other than in accordance with subsection (1).
10 Limitation
(1) After section 18A of the [1973 c. 52.] Prescription and Limitation (Scotland) Act 1973 there is inserted the following section:
"18B Actions of harassment
(1) This section applies to actions of harassment (within the meaning of section 8 of the Protection from Harassment Act 1997) which include a claim for damages.
(2) Subject to subsection (3) below and to section 19A of this Act, no action to which this section applies shall be brought unless it is commenced within a period of 3 years after (a) the date on which the alleged harassment ceased; or (b) the date, (if later than the date mentioned in paragraph (a) above) on which the pursuer in the action became, or on which, in the opinion of the court, it would have been reasonably practicable for him in all the circumstances to have become, aware, that the defender was a person responsible for the alleged harassment or the employer or principal of such a person.
(3) In the computation of the period specified in subsection (2) above there shall be disregarded any time during which the person who is alleged to have suffered the harassment was under legal disability by reason of nonage or unsoundness of mind."
(2) In subsection (1) of section 19A of that Act (power of court to override time-limits), for "section 17 or section 18 and section 18A" there is substituted "section 17, 18, 18A or 18B".
11 Non-harassment order following criminal offence
After section 234 of the [1995 c. 46.] Criminal Procedure (Scotland) Act 1995 there is inserted the following section:
"Non-harassment orders
234A Non-harassment orders
(1) Where a person is convicted of an offence involving harassment of a person ("the victim"), the prosecutor may apply to the court to make a non-harassment order against the offender requiring him to refrain from such conduct in relation to the victim as may be specified in the order for such period (which includes an indeterminate period) as may be so specified, in addition to any other disposal which may be made in relation to the offence.
(2) On an application under subsection (1) above the court may, if it is satisfied on a balance of probabilities that it is appropriate to do so in order to protect the victim from further harassment, make a non-harassment order.
(3) A non-harassment order made by a criminal court shall be taken to be a sentence for the purposes of any appeal and, for the purposes of this subsection "order" includes any variation or revocation of such an order made under subsection (6) below.
(4) Any person who is found to be in breach of a non-harassment order shall be guilty of an offence and liable (a) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine, or to both such imprisonment and such fine; and (b) on summary conviction, to imprisonment for a period not exceeding 6 months or to a fine not exceeding the statutory maximum, or to both such imprisonment and such fine.
(5) The Lord Advocate, in solemn proceedings, and the prosecutor, in summary proceedings, may appeal to the High Court against any decision by a court to refuse an application under subsection (1) above; and on any such appeal the High Court may make such order as it considers appropriate.
(6) The person against whom a non-harassment order is made, or the prosecutor at whose instance the order is made, may apply to the court which made the order for its revocation or variation and, in relation to any such application the court concerned may, if it is satisfied on a balance of probabilities that it is appropriate to do so, revoke the order or vary it in such manner as it thinks fit, but not so as to increase the period for which the order is to run.
(7) For the purposes of this section "harassment" shall be construed in accordance with section 8 of the Protection from Harassment Act."
General
12 National security, etc
(1) If the Secretary of State certifies that in his opinion anything done by a specified person on a specified occasion related to (a) national security, (b) the economic well-being of the United Kingdom, or (c) the prevention or detection of serious crime, and was done on behalf of the Crown, the certificate is conclusive evidence that this Act does not apply to any conduct of that person on that occasion.
(2) In subsection (1), "specified" means specified in the certificate in question.
(3) A document purporting to be a certificate under subsection (1) is to be received in evidence and, unless the contrary is proved, be treated as being such a certificate.
13 Corresponding provision for Northern Ireland
An Order in Council made under paragraph 1(1)(b) of Schedule 1 to the [1974 c. 28.] Northern Ireland Act 1974 which contains a statement that it is made only for purposes corresponding to those of sections 1 to 7 and 12 of this Act (a) shall not be subject to sub-paragraphs (4) and (5) of paragraph 1 of that Schedule (affirmative resolution of both Houses of Parliament), but (b) shall be subject to annulment in pursuance of a resolution of either House of Parliament.
14 Extent
(1) Sections 1 to 7 extend to England and Wales only.
(2) Sections 8 to 11 extend to Scotland only.
(3) This Act (except section 13) does not extend to Northern Ireland.
15 Commencement
(1) Sections 1, 2, 4, 5 and 7 to 12 are to come into force on such day as the Secretary of State may by order made by statutory instrument appoint.
(2) Sections 3 and 6 are to come into force on such day as the Lord Chancellor may by order made by statutory instrument appoint.
(3) Different days may be appointed under this section for different purposes.
16 Short title
This Act may be cited as the Protection from Harassment Act.

1.E Communications Act 2003 Section
Improper use of public electronic communications network
(1) A person is guilty of an offence if he (a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or (b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he (a) sends by means of a public electronic communications network, a message that he knows to be false, (b) causes such a message to be sent; or (c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).
1.F Wireless Telegraphy Act 1949 Section 13
Deliberate Interference
13. (1) Any person who uses any apparatus for the purpose of interfering with any wireless telegraphy shall be guilty of an offence under this Act.
(2) This section shall apply whether or not the apparatus in question is wireless telegraphy apparatus or apparatus to which any of the preceding provisions of this Part of this Act apply, and whether or not any notice under section eleven or section twelve of this Act has been given with respect to the apparatus, or, if given, has been varied or revoked.

Appendix 2 Other Countries Legislation

2.A EU - COUNCIL FRAMEWORK DECISION 2005/222/JHA

COUNCIL FRAMEWORK DECISION 2005/222/JHA of 24 February 2005 on attacks against information systems

THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in particular Articles 29, 30(1)(a), 31(1)(e) and 34(2)(b) thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Parliament (1),
Whereas:
(1) The objective of this Framework Decision is to improve cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems.
(2) There is evidence of attacks against information systems, in particular as a result of the threat from organised crime, and increasing concern at the potential of terrorist attacks against information systems which form part of the critical infrastructure of the Member States. This constitutes a threat to the achievement of a safer information society and an area of freedom, security and justice, and therefore requires a response at the level of the European Union.
(3) An effective response to those threats requires a comprehensive approach to network and information security, as underlined in the eEurope Action Plan, in the Communication by the Commission Network and Information Security: Proposal for a European Policy Approach and in the Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security (2).
(4) The need to further increase awareness of the problems related to information security and provide practical assistance has also been stressed in the European Parliament Resolution of 5 September.
(5) Significant gaps and differences in Member States' laws in this area may hamper the fight against organised crime and terrorism, and may complicate effective police and judicial cooperation in the area of attacks against information systems. The transnational and borderless character of modern information systems means that attacks against such systems are often trans-border in nature, thus underlining the urgent need for further action to approximate criminal laws in this area.
(6) The Action Plan of the Council and the Commission on how to best implement the provisions of the Treaty of Amsterdam on an area of freedom, security and justice (3), the Tampere European Council on 15 to 16 October 1999, the Santa Maria da Feira European Council on 19 to 20 June 2000, the Commission in the Scoreboard and the European Parliament in its Resolution of 19 May 2000 indicate or call for legislative action against high technology crime, including common definitions, incriminations and sanctions.
(7) It is necessary to complement the work performed by international organisations, in particular the Council of Europe's work on approximating criminal law and the G8's work on transnational cooperation in the area of high tech crime, by providing a common approach in the European Union in this area. This call was further elaborated by the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime.
(8) Criminal law in the area of attacks against information systems should be approximated in order to ensure the greatest possible police and judicial cooperation in the area of criminal offences related to attacks against information systems, and to contribute to the fight against organised crime and terrorism.
(9) All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The personal data processed in the context of the implementation of this Framework Decision should be protected in accordance with the principles of the said Convention.
(10) Common definitions in this area, particularly of information systems and computer data, are important to ensure a consistent approach in Member States in the application of this Framework Decision.
(11) There is a need to achieve a common approach to the constituent elements of criminal offences by providing for common offences of illegal access to an information system, illegal system interference and illegal data interference.
(12) In the interest of combating computer-related crime, each Member State should ensure effective judicial cooperation in respect of offences based on the types of conduct referred to in Articles 2, 3, 4 and 5.
(13) There is a need to avoid over-criminalisation, particularly of minor cases, as well as a need to avoid criminalising right-holders and authorised persons.
(14) There is a need for Member States to provide for penalties for attacks against information systems. The penalties thus provided for shall be effective, proportionate and dissuasive.
(15) It is appropriate to provide for more severe penalties when an attack against an information system is committed within the framework of a criminal organisation, as defined in the Joint Action 98/733 JHA of 21 December 1998 on making it a criminal offence to participate in a criminal organisation in the Member State of the European Union (1). It is also appropriate to provide for more severe penalties where such an attack has caused serious damages or has affected essential interests.
(16) Measures should also be foreseen for the purposes of cooperation between Member States with a view to ensuring effective action against attacks against information systems. Member States should therefore make use of the existing network of operational contact points referred to in the Council Recommendation of 25 June 2001 on contact points maintaining a 24-hour service for combating high-tech crime (2), for the exchange of information.
(17) Since the objectives of this Framework Decision, ensuring that attacks against information systems be sanctioned in all Member States by effective, proportionate and dissuasive criminal penalties and improving and encouraging judicial cooperation by removing potential complications, cannot be sufficiently achieved by the Member States, as rules have to be common and compatible, and can therefore be better achieved at the level of the Union, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the EC Treaty. In accordance with the principle of proportionality, as set out in that Article, this Framework Decision does not go beyond what is necessary in order to achieve those objectives.
(18) This Framework Decision respects the fundamental rights and observes the principles recognised by Article 6 of the Treaty on European Union and reflected in the Charter of Fundamental Rights of the European Union, and notably Chapters II and VI thereof,
HAS ADOPTED THIS FRAMEWORK DECISION:

Article 1 Definitions
For the purposes of this Framework Decision, the following definitions shall apply:
(a) information system means any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance;
(b) computer data means any representation of facts, information or concepts in a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function;
(c) legal person means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations;
(d) without right means access or interference not authorised by the owner, other right holder of the system or part of it, or not permitted under the national legislation.

Article 2 Illegal access to information systems
1. Each Member State shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which are not minor.
2. Each Member State may decide that the conduct referred to in paragraph 1 is incriminated only where the offence is committed by infringing a security measure.

Article 3 Illegal system interference
Each Member State shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor.

Article 4 Illegal data interference
Each Member State shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right, at least for cases which are not minor.

Article 5 Instigation, aiding and abetting and attempt
1. Each Member State shall ensure that the instigation of, aiding and abetting an offence referred to in Articles 2, 3 and 4 is punishable as a criminal offence.
2. Each Member State shall ensure that the attempt to commit the offences referred to in Articles 2, 3 and 4 is punishable as a criminal offence.
3. Each Member State may decide not to apply paragraph 2 for the offences referred to in Article 2.

Article 6 Penalties
1. Each Member State shall take the necessary measures to ensure that the offences referred to in Articles 2, 3, 4 and 5 are punishable by effective, proportional and dissuasive criminal penalties.
2. Each Member State shall take the necessary measures to ensure that the offences referred to in Articles 3 and 4 are punishable by criminal penalties of a maximum of at least between one and three years of imprisonment.

Article 7 Aggravating circumstances
1. Each Member State shall take the necessary measures to ensure that the offence referred to in Article 2(2) and the offence referred to in Articles 3 and 4 are punishable by criminal penalties of a maximum of at least between two and five years of imprisonment when committed within the framework of a criminal organisation as defined in Joint Action 98/733/JHA apart from the penalty level referred to therein.
2. A Member State may also take the measures referred to in paragraph 1 when the offence has caused serious damages or has affected essential interests.

Article 8 Liability of legal persons
1. Each Member State shall take the necessary measures to ensure that legal persons can be held liable for offences referred to in Articles 2, 3, 4 and 5, committed for their benefit by any person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on: (a) a power of representation of the legal person, or (b) an authority to take decisions on behalf of the legal person, or (c) an authority to exercise control within the legal person.
2. Apart from the cases provided for in paragraph 1, Member States shall ensure that a legal person can be held liable where the lack of supervision or control by a person referred to in paragraph 1 has made possible the commission of the offences referred to in Articles 2, 3, 4 and 5 for the benefit of that legal person by a person under its authority.
Liability of a legal person under paragraphs 1 and 2 shall not exclude criminal proceedings against natural persons who are involved as perpetrators, instigators or accessories in the commission of the offences referred to in Articles 2, 3, 4 and 5.

Article 9 Penalties for legal persons
1. Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 8(1) is punishable by effective, proportionate and dissuasive penalties, which shall include criminal or non-criminal fines and may include other penalties, such as: (a) exclusion from entitlement to public benefits or aid; (b) temporary or permanent disqualification from the practice of commercial activities; (c) placing under judicial supervision; or (d) a judicial winding-up order.
2. Each Member State shall take the necessary measures to ensure that a legal person held liable pursuant to Article 8(2) is punishable by effective, proportionate and dissuasive penalties or measures.

Article 10 Jurisdiction
1. Each Member State shall establish its jurisdiction with regard to the offences referred to in Articles 2, 3, 4 and 5 where the offence has been committed: (a) in whole or in part within its territory; or (b) by one of its nationals; or (c) for the benefit of a legal person that has its head office in the territory of that Member State.
2. When establishing its jurisdiction in accordance with paragraph (1)(a), each Member State shall ensure that the jurisdiction includes cases where: (a) the offender commits the offence when physically present on its territory, whether or not the offence is against an information system on its territory; or (b) the offence is against an information system on its territory, whether or not the offender commits the offence when physically present on its territory.
3. A Member State which, under its law, does not as yet extradite or surrender its own nationals shall take the necessary measures to establish its jurisdiction over and to prosecute, where appropriate, the offences referred to in Articles 2, 3, 4 and 5, when committed by one of its nationals outside its territory.
4. Where an offence falls within the jurisdiction of more than one Member State and when any of the States concerned can validly prosecute on the basis of the same facts, the Member States concerned shall cooperate in order to decide which of them will prosecute the offenders with the aim, if possible, of centralising proceedings in a single Member State. To this end, the Member States may have recourse to any body or mechanism established within the European Union in order to facilitate cooperation between their judicial authorities and the coordination of their action. Sequential account may be taken of the following factors:
the Member State shall be that in the territory of which the offences have been committed according to paragraph 1(a) and paragraph 2,
the Member State shall be that of which the perpetrator is a national,
the Member State shall be that in which the perpetrator has been found.
5. A Member State may decide not to apply, or to apply only in specific cases or circumstances, the jurisdiction rules set out in paragraphs 1(b) and 1(c).
6. Member States shall inform the General Secretariat of the Council and the Commission where they decide to apply paragraph 5, where appropriate with an indication of the specific cases or circumstances in which the decision applies.

Article 11 Exchange of information
1. For the purpose of exchange of information relating to the offences referred to in Articles 2, 3, 4 and 5, and in accordance with data protection rules, Member States shall ensure that they make use of the existing network of operational points of contact available 24 hours a day and seven days a week.
2. Each Member State shall inform the General Secretariat of the Council and the Commission of its appointed point of contact for the purpose of exchanging information on offences relating to attacks against information systems. The General Secretariat shall forward that information to the other Member States.

Article 12 Implementation
1. Member States shall take the necessary measures to comply with the provisions of this Framework Decision by 16 March
By 16 March 2007 Member States shall transmit to the General Secretariat of the Council and to the Commission the text of any provisions transposing into their national law the obligations imposed on them under this Framework Decision. By 16 September 2007, on the basis of a report established on the basis of information and a written report by the Commission, the Council shall assess the extent to which Member States have complied with the provisions of this Framework Decision.

Article 13 Entry into force
This Framework Decision shall enter into force on the date of its publication in the Official Journal of the European Union.
Done at Brussels, 24 February

For the Council
The President
N. SCHMIT

2.B EU - Convention on Cybercrime

Convention on Cybercrime
Budapest, 23.XI

Preamble
The member States of the Council of Europe and the other States signatory hereto,
Considering that the aim of the Council of Europe is to achieve a greater unity between its members;
Recognising the value of fostering co-operation with the other States parties to this Convention;
Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international cooperation;
Conscious of the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks;
Concerned by the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks;
Recognising the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies;
Believing that an effective fight against cybercrime requires increased, rapid and well-functioning international co-operation in criminal matters;
Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation;
Mindful of the need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights as enshrined in the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights and other applicable international human rights treaties, which reaffirm the right of everyone to hold opinions without interference, as well as the right to freedom of expression, including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, and the rights concerning the respect for privacy;
Mindful also of the right to the protection of personal data, as conferred, for example, by the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
Considering the 1989 United Nations Convention on the Rights of the Child and the 1999 International Labour Organization Worst Forms of Child Labour Convention;
Taking into account the existing Council of Europe conventions on co-operation in the penal field, as well as similar treaties which exist between Council of Europe member States and other States, and stressing that the present Convention is intended to supplement those conventions in order to make criminal investigations and proceedings concerning criminal offences related to computer systems and data more effective and to enable the collection of evidence in electronic form of a criminal offence;
Welcoming recent developments which further advance international understanding and co-operation in combating cybercrime, including action taken by the United Nations, the OECD, the European Union and the G8;
Recalling Committee of Ministers Recommendations No. R (85) 10 concerning the practical application of the European Convention on Mutual Assistance in Criminal Matters in respect of letters rogatory for the interception of telecommunications, No. R (88) 2 on piracy in the field of copyright and neighbouring rights, No. R (87) 15 regulating the use of personal data in the police sector, No. R (95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services, as well as No. R (89) 9 on computer-related crime providing guidelines for national legislatures concerning the definition of certain computer crimes and No. R (95) 13 concerning problems of criminal procedural law connected with information technology;
Having regard to Resolution No. 1 adopted by the European Ministers of Justice at their 21st Conference (Prague, 10 and 11 June 1997), which recommended that the Committee of Ministers support the work on cybercrime carried out by the European Committee on Crime Problems (CDPC) in order to bring domestic criminal law provisions closer to each other and enable the use of effective means of investigation into such offences, as well as to Resolution No. 3 adopted at the 23rd Conference of the European Ministers of Justice (London, 8 and 9 June 2000), which encouraged the negotiating parties to pursue their efforts with a view to finding appropriate solutions to enable the largest possible number of States to become parties to the Convention and acknowledged the need for a swift and efficient system of international co-operation, which duly takes into account the specific requirements of the fight against cybercrime;
Having also regard to the Action Plan adopted by the Heads of State and Government of the Council of Europe on the occasion of their Second Summit (Strasbourg, 10 and 11 October 1997), to seek common responses to the development of the new information technologies based on the standards and values of the Council of Europe;
Have agreed as follows:

Chapter I Use of terms

Article 1 Definitions
For the purposes of this Convention:
a "computer system" means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;
b "computer data" means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;
c "service provider" means: i any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and ii any other entity that processes or stores computer data on behalf of such communication service or users of such service.
d "traffic data" means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication's origin, destination, route, time, date, size, duration, or type of underlying service.

Chapter II Measures to be taken at the national level

Section 1 Substantive criminal law

Title 1 Offences against the confidentiality, integrity and availability of computer data and systems

Article 2 Illegal access
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Article 3 Illegal interception
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Article 4 Data interference
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.
2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Article 5 System interference
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Article 6 Misuse of devices
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:
a the production, sale, procurement for use, import, distribution or otherwise making available of: i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5; ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and
b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.
2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.
3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

Title 2 Computer-related offences

Article 7 Computer-related forgery
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Article 8 Computer-related fraud
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:
a any input, alteration, deletion or suppression of computer data,
b any interference with the functioning of a computer system,
with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

Title 3 Content-related offences

Article 9 Offences related to child pornography
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct: a producing child pornography for the purpose of its distribution through a computer system; b offering or making available child pornography through a computer system; c distributing or transmitting child pornography through a computer system; d procuring child pornography through a computer system for oneself or for another person; e possessing child pornography in a computer system or on a computer-data storage medium.
2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts: a a minor engaged in sexually explicit conduct; b a person appearing to be a minor engaged in sexually explicit conduct; c realistic images representing a minor engaged in sexually explicit conduct.
3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.
4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, sub-paragraphs d. and e, and 2, sub-paragraphs b. and c.

Title 4 Offences related to infringements of copyright and related rights

Article 10 Offences related to infringements of copyright and related rights
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.
2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as defined under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.
3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party's international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.

Title 5 Ancillary liability and sanctions

Article 11 Attempt and aiding or abetting
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.
2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c. of this Convention.
3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.

Article 12 Corporate liability
1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on: a a power of representation of the legal person; b an authority to take decisions on behalf of the legal person; c an authority to exercise control within the legal person.
2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.
3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.
4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.

Article 13 Sanctions and measures
1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that the criminal offences established in accordance with Articles 2 through 11 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty.
2 Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions.

Section 2 Procedural law

Title 1 Common provisions

Article 14 Scope of procedural provisions
1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.
2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to: a the criminal offences established in accordance with Articles 2 through 11 of this Convention; b other criminal offences committed by means of a computer system; and c the collection of evidence in electronic form of a criminal offence.
3 a. Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.
b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system: i is being operated for the benefit of a closed group of users, and ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications. Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.

Article 15 Conditions and safeguards
1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.
2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.
3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.
Title 2 Expedited preservation of stored computer data

Article 16 Expedited preservation of stored computer data
1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.
2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person's possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.
3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.
4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 Expedited preservation and partial disclosure of traffic data
1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:
a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and
b ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.
2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.
Title 3 Production order

Article 18 Production order
1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:
a a person in its territory to submit specified computer data in that person's possession or control, which is stored in a computer system or a computer-data storage medium; and
b a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider's possession or control.
2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.
3 For the purpose of this article, the term subscriber information means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:
a the type of communication service used, the technical provisions taken thereto and the period of service;
b the subscriber's identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;
c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

Title 4 Search and seizure of stored computer data

Article 19 Search and seizure of stored computer data
1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:
a a computer system or part of it and computer data stored therein; and
b a computer-data storage medium in which computer data may be stored in its territory.
2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.
3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:
a seize or similarly secure a computer system or part of it or a computer-data storage medium;
b make and retain a copy of those computer data;
c maintain the integrity of the relevant stored computer data;
d render inaccessible or remove those computer data in the accessed computer system.
4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.
5 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Title 5 Real-time collection of computer data

Article 20 Real-time collection of traffic data
1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:
a collect or record through the application of technical means on the territory of that Party, and
b compel a service provider, within its existing technical capability:
i to collect or record through the application of technical means on the territory of that Party; or
ii to co-operate and assist the competent authorities in the collection or recording of,
traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.
2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.
3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.
4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 21 Interception of content data
1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:
a collect or record through the application of technical means on the territory of that Party, and
b compel a service provider, within its existing technical capability:
i to collect or record through the application of technical means on the territory of that Party, or
ii to co-operate and assist the competent authorities in the collection or recording of,
content data, in real-time, of specified communications in its territory transmitted by means of a computer system.
2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.
3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.
4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Section 3 Jurisdiction
Article 22 Jurisdiction
1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:
a in its territory; or
b on board a ship flying the flag of that Party; or
c on board an aircraft registered under the laws of that Party; or
d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.
2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.
3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.
4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.
5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

Chapter III International co-operation

Section 1 General principles

Title 1 General principles relating to international co-operation

Article 23 General principles relating to international co-operation
The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.

Title 2 Principles relating to extradition

Article 24 Extradition
1 a. This article applies to extradition between Parties for the criminal offences established in accordance with Articles 2 through 11 of this Convention, provided that they are punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year, or by a more severe penalty.
b. Where a different minimum penalty is to be applied under an arrangement agreed on the basis of uniform or reciprocal legislation or an extradition treaty, including the European Convention on Extradition (ETS No. 24), applicable between two or more parties, the minimum penalty provided for under such arrangement or treaty shall apply.
2 The criminal offences described in paragraph 1 of this article shall be deemed to be included as extraditable offences in any extradition treaty existing between or among the Parties. The Parties undertake to include such offences as extraditable offences in any extradition treaty to be concluded between or among them.
3 If a Party that makes extradition conditional on the existence of a treaty receives a request for extradition from another Party with which it does not have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offence referred to in paragraph 1 of this article.
4 Parties that do not make extradition conditional on the existence of a treaty shall recognise the criminal offences referred to in paragraph 1 of this article as extraditable offences between themselves.
5 Extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.
6 If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offence, the requested Party shall submit the case at the request of the requesting Party to its competent authorities for the purpose of prosecution and shall report the final outcome to the requesting Party in due course. Those authorities shall take their decision and conduct their investigations and proceedings in the same manner as for any other offence of a comparable nature under the law of that Party.
7 a. Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the name and address of each authority responsible for making or receiving requests for extradition or provisional arrest in the absence of a treaty.
b. The Secretary General of the Council of Europe shall set up and keep updated a register of authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.

Title 3 General principles relating to mutual assistance

Article 25 General principles relating to mutual assistance
1 The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.
2 Each Party shall also adopt such legislative and other measures as may be necessary to carry out the obligations set forth in Articles 27 through 35.
3 Each Party may, in urgent circumstances, make requests for mutual assistance or communications related thereto by expedited means of communication, including fax or e-mail, to the extent that such means provide appropriate levels of security and authentication (including the use of encryption, where necessary), with formal confirmation to follow, where required by the requested Party. The requested Party shall accept and respond to the request by any such expedited means of communication.
4 Except as otherwise specifically provided in articles in this chapter, mutual assistance shall be subject to the conditions provided for by the law of the requested Party or by applicable mutual assistance treaties, including the grounds on which the requested Party may refuse co-operation. The requested Party shall not exercise the right to refuse mutual assistance in relation to the offences referred to in Articles 2 through 11 solely on the ground that the request concerns an offence which it considers a fiscal offence.
5 Where, in accordance with the provisions of this chapter, the requested Party is permitted to make mutual assistance conditional upon the existence of dual criminality, that condition shall be deemed fulfilled, irrespective of whether its laws place the offence within the same category of offence or denominate the offence by the same terminology as the requesting Party, if the conduct underlying the offence for which assistance is sought is a criminal offence under its laws.

Article 26 Spontaneous information
1 A Party may, within the limits of its domestic law and without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offences established in accordance with this Convention or might lead to a request for co-operation by that Party under this chapter.
2 Prior to providing such information, the providing Party may request that it be kept confidential or only used subject to conditions. If the receiving Party cannot comply with such request, it shall notify the providing Party, which shall then determine whether the information should nevertheless be provided. If the receiving Party accepts the information subject to the conditions, it shall be bound by them.

Title 4 Procedures pertaining to mutual assistance requests in the absence of applicable international agreements

Article 27 Procedures pertaining to mutual assistance requests in the absence of applicable international agreements
1 Where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties, the provisions of paragraphs 2 through 9 of this article shall apply. The provisions of this article shall not apply where such treaty, arrangement or legislation exists, unless the Parties concerned agree to apply any or all of the remainder of this article in lieu thereof.
2 a. Each Party shall designate a central authority or authorities responsible for sending and answering requests for mutual assistance, the execution of such requests or their transmission to the authorities competent for their execution.
b. The central authorities shall communicate directly with each other;
c. Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the names and addresses of the authorities designated in pursuance of this paragraph;
d. The Secretary General of the Council of Europe shall set up and keep updated a register of central authorities designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.
3 Mutual assistance requests under this article shall be executed in accordance with the procedures specified by the requesting Party, except where incompatible with the law of the requested Party.
4 The requested Party may, in addition to the grounds for refusal established in Article 25, paragraph 4, refuse assistance if:
a the request concerns an offence which the requested Party considers a political offence or an offence connected with a political offence, or
b it considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests.
5 The requested Party may postpone action on a request if such action would prejudice criminal investigations or proceedings conducted by its authorities.
6 Before refusing or postponing assistance, the requested Party shall, where appropriate after having consulted with the requesting Party, consider whether the request may be granted partially or subject to such conditions as it deems necessary.
7 The requested Party shall promptly inform the requesting Party of the outcome of the execution of a request for assistance. Reasons shall be given for any refusal or postponement of the request. The requested Party shall also inform the requesting Party of any reasons that render impossible the execution of the request or are likely to delay it significantly.
8 The requesting Party may request that the requested Party keep confidential the fact of any request made under this chapter as well as its subject, except to the extent necessary for its execution.
If the requested Party cannot comply with the request for confidentiality, it shall promptly inform the requesting Party, which shall then determine whether the request should nevertheless be executed.
9 a. In the event of urgency, requests for mutual assistance or communications related thereto may be sent directly by judicial authorities of the requesting Party to such authorities of the requested Party. In any such cases, a copy shall be sent at the same time to the central authority of the requested Party through the central authority of the requesting Party.
b. Any request or communication under this paragraph may be made through the International Criminal Police Organisation (Interpol).
c. Where a request is made pursuant to sub-paragraph a. of this article and the authority is not competent to deal with the request, it shall refer the request to the competent national authority and inform directly the requesting Party that it has done so.
d. Requests or communications made under this paragraph that do not involve coercive action may be directly transmitted by the competent authorities of the requesting Party to the competent authorities of the requested Party.
e. Each Party may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, inform the Secretary General of the Council of Europe that, for reasons of efficiency, requests made under this paragraph are to be addressed to its central authority.

Article 28 Confidentiality and limitation on use
1 When there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and the requested Parties, the provisions of this article shall apply. The provisions of this article shall not apply where such treaty, arrangement or legislation exists, unless the Parties concerned agree to apply any or all of the remainder of this article in lieu thereof.
2 The requested Party may make the supply of information or material in response to a request dependent on the condition that it is:
a kept confidential where the request for mutual legal assistance could not be complied with in the absence of such condition, or
b not used for investigations or proceedings other than those stated in the request.
3 If the requesting Party cannot comply with a condition referred to in paragraph 2, it shall promptly inform the other Party, which shall then determine whether the information should nevertheless be provided. When the requesting Party accepts the condition, it shall be bound by it.
4 Any Party that supplies information or material subject to a condition referred to in paragraph 2 may require the other Party to explain, in relation to that condition, the use made of such information or material.
Section 2 Specific provisions

Title 1 Mutual assistance regarding provisional measures

Article 29 Expedited preservation of stored computer data
1 A Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.
2 A request for preservation made under paragraph 1 shall specify:
a the authority seeking the preservation;
b the offence that is the subject of a criminal investigation or proceedings and a brief summary of the related facts;
c the stored computer data to be preserved and its relationship to the offence;
d any available information identifying the custodian of the stored computer data or the location of the computer system;
e the necessity of the preservation; and
f that the Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the stored computer data.
3 Upon receiving the request from another Party, the requested Party shall take all appropriate measures to preserve expeditiously the specified data in accordance with its domestic law. For the purposes of responding to a request, dual criminality shall not be required as a condition to providing such preservation.
4 A Party that requires dual criminality as a condition for responding to a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of stored data may, in respect of offences other than those established in accordance with Articles 2 through 11 of this Convention, reserve the right to refuse the request for preservation under this article in cases where it has reasons to believe that at the time of disclosure the condition of dual criminality cannot be fulfilled.
5 In addition, a request for preservation may only be refused if:
a the request concerns an offence which the requested Party considers a political offence or an offence connected with a political offence, or
b the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests.
6 Where the requested Party believes that preservation will not ensure the future availability of the data or will threaten the confidentiality of or otherwise prejudice the requesting Party's investigation, it shall promptly so inform the requesting Party, which shall then determine whether the request should nevertheless be executed.
7 Any preservation effected in response to the request referred to in paragraph 1 shall be for a period not less than sixty days, in order to enable the requesting Party to submit a request for the search or similar access, seizure or similar securing, or disclosure of the data. Following the receipt of such a request, the data shall continue to be preserved pending a decision on that request.

Article 30 Expedited disclosure of preserved traffic data
1 Where, in the course of the execution of a request made pursuant to Article 29 to preserve traffic data concerning a specific communication, the requested Party discovers that a service provider in another State was involved in the transmission of the communication, the requested Party shall expeditiously disclose to the requesting Party a sufficient amount of traffic data to identify that service provider and the path through which the communication was transmitted.
2 Disclosure of traffic data under paragraph 1 may only be withheld if:
a the request concerns an offence which the requested Party considers a political offence or an offence connected with a political offence; or
b the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests.

Title 2 Mutual assistance regarding investigative powers

Article 31 Mutual assistance regarding accessing of stored computer data
1 A Party may request another Party to search or similarly access, seize or similarly secure, and disclose data stored by means of a computer system located within the territory of the requested Party, including data that has been preserved pursuant to Article 29.
2 The requested Party shall respond to the request through the application of international instruments, arrangements and laws referred to in Article 23, and in accordance with other relevant provisions of this chapter.
3 The request shall be responded to on an expedited basis where:
a there are grounds to believe that relevant data is particularly vulnerable to loss or modification; or
b the instruments, arrangements and laws referred to in paragraph 2 otherwise provide for expedited co-operation.

Article 32 Trans-border access to stored computer data with consent or where publicly available
A Party may, without the authorisation of another Party:
a access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
b access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

Article 33 Mutual assistance regarding the real-time collection of traffic data
1 The Parties shall provide mutual assistance to each other in the real-time collection of traffic data associated with specified communications in their territory transmitted by means of a computer system. Subject to the provisions of paragraph 2, this assistance shall be governed by the conditions and procedures provided for under domestic law.
2 Each Party shall provide such assistance at least with respect to criminal offences for which real-time collection of traffic data would be available in a similar domestic case.
Article 34 Mutual assistance regarding the interception of content data
The Parties shall provide mutual assistance to each other in the real-time collection or recording of content data of specified communications transmitted by means of a computer system to the extent permitted under their applicable treaties and domestic laws.

Title 3 24/7 Network

Article 35 24/7 Network
1 Each Party shall designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. Such assistance shall include facilitating, or, if permitted by its domestic law and practice, directly carrying out the following measures:
a the provision of technical advice;
b the preservation of data pursuant to Articles 29 and 30;
c the collection of evidence, the provision of legal information, and locating of suspects.
2 a. A Party's point of contact shall have the capacity to carry out communications with the point of contact of another Party on an expedited basis.
b. If the point of contact designated by a Party is not part of that Party's authority or authorities responsible for international mutual assistance or extradition, the point of contact shall ensure that it is able to co-ordinate with such authority or authorities on an expedited basis.
3 Each Party shall ensure that trained and equipped personnel are available, in order to facilitate the operation of the network.

Chapter IV Final provisions

Article 36 Signature and entry into force
1 This Convention shall be open for signature by the member States of the Council of Europe and by nonmember States which have participated in its elaboration.
2 This Convention is subject to ratification, acceptance or approval. Instruments of ratification, acceptance or approval shall be deposited with the Secretary General of the Council of Europe.
3 This Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date on which five States, including at least three member States of the Council of Europe, have expressed their consent to be bound by the Convention in accordance with the provisions of paragraphs 1 and 2.
4 In respect of any signatory State which subsequently expresses its consent to be bound by it, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of the expression of its consent to be bound by the Convention in accordance with the provisions of paragraphs 1 and 2.

Article 37 Accession to the Convention
1 After the entry into force of this Convention, the Committee of Ministers of the Council of Europe, after consulting with and obtaining the unanimous consent of the Contracting States to the Convention, may invite any State which is not a member of the Council and which has not participated in its elaboration to accede to this Convention. The decision shall be taken by the majority provided for in Article 20.d. of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers.
2 In respect of any State acceding to the Convention under paragraph 1 above, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe.

Article 38 Territorial application
1 Any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, specify the territory or territories to which this Convention shall apply.
2 Any State may, at any later date, by a declaration addressed to the Secretary General of the Council of Europe, extend the application of this Convention to any other territory specified in the declaration. In respect of such territory the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of receipt of the declaration by the Secretary General.
3 Any declaration made under the two preceding paragraphs may, in respect of any territory specified in such declaration, be withdrawn by a notification addressed to the Secretary General of the Council of Europe. The withdrawal shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of such notification by the Secretary General.

Article 39 Effects of the Convention
1 The purpose of the present Convention is to supplement applicable multilateral or bilateral treaties or arrangements as between the Parties, including the provisions of:
the European Convention on Extradition, opened for signature in Paris, on 13 December 1957 (ETS No. 24);
the European Convention on Mutual Assistance in Criminal Matters, opened for signature in Strasbourg, on 20 April 1959 (ETS No. 30);
the Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, opened for signature in Strasbourg, on 17 March 1978 (ETS No. 99).
2 If two or more Parties have already concluded an agreement or treaty on the matters dealt with in this Convention or have otherwise established their relations on such matters, or should they in future do so, they shall also be entitled to apply that agreement or treaty or to regulate those relations accordingly. However, where Parties establish their relations in respect of the matters dealt with in the present Convention other than as regulated therein, they shall do so in a manner that is not inconsistent with the Convention's objectives and principles.
3 Nothing in this Convention shall affect other rights, restrictions, obligations and responsibilities of a Party.

Article 40 Declarations
By a written notification addressed to the Secretary General of the Council of Europe, any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, declare that it avails itself of the possibility of requiring additional elements as provided for under Articles 2, 3, 6 paragraph 1.b, 7, 9 paragraph 3, and 27, paragraph 9.e.
Article 41 Federal clause
1 A federal State may reserve the right to assume obligations under Chapter II of this Convention consistent with its fundamental principles governing the relationship between its central government and constituent States or other similar territorial entities provided that it is still able to co-operate under Chapter III.
2 When making a reservation under paragraph 1, a federal State may not apply the terms of such reservation to exclude or substantially diminish its obligations to provide for measures set forth in Chapter II. Overall, it shall provide for a broad and effective law enforcement capability with respect to those measures.
3 With regard to the provisions of this Convention, the application of which comes under the jurisdiction of constituent States or other similar territorial entities, that are not obliged by the constitutional system of the federation to take legislative measures, the federal government shall inform the competent authorities of such States of the said provisions with its favourable opinion, encouraging them to take appropriate action to give them effect.

Article 42 Reservations
By a written notification addressed to the Secretary General of the Council of Europe, any State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, declare that it avails itself of the reservation(s) provided for in Article 4, paragraph 2, Article 6, paragraph 3, Article 9, paragraph 4, Article 10, paragraph 3, Article 11, paragraph 3, Article 14, paragraph 3, Article 22, paragraph 2, Article 29, paragraph 4, and Article 41, paragraph 1. No other reservation may be made.

Article 43 Status and withdrawal of reservations
1 A Party that has made a reservation in accordance with Article 42 may wholly or partially withdraw it by means of a notification addressed to the Secretary General of the Council of Europe. Such withdrawal shall take effect on the date of receipt of such notification by the Secretary General. If the notification states that the withdrawal of a reservation is to take effect on a date specified therein, and such date is later than the date on which the notification is received by the Secretary General, the withdrawal shall take effect on such a later date.
2 A Party that has made a reservation as referred to in Article 42 shall withdraw such reservation, in whole or in part, as soon as circumstances so permit.
3 The Secretary General of the Council of Europe may periodically enquire with Parties that have made one or more reservations as referred to in Article 42 as to the prospects for withdrawing such reservation(s).

Article 44 Amendments
1 Amendments to this Convention may be proposed by any Party, and shall be communicated by the Secretary General of the Council of Europe to the member States of the Council of Europe, to the nonmember States which have participated in the elaboration of this Convention as well as to any State which has acceded to, or has been invited to accede to, this Convention in accordance with the provisions of Article
Any amendment proposed by a Party shall be communicated to the European Committee on Crime Problems (CDPC), which shall submit to the Committee of Ministers its opinion on that proposed amendment.
3 The Committee of Ministers shall consider the proposed amendment and the opinion submitted by the CDPC and, following consultation with the non-member States Parties to this Convention, may adopt the amendment.
4 The text of any amendment adopted by the Committee of Ministers in accordance with paragraph 3 of this article shall be forwarded to the Parties for acceptance.
5 Any amendment adopted in accordance with paragraph 3 of this article shall come into force on the thirtieth day after all Parties have informed the Secretary General of their acceptance thereof.

Article 45 Settlement of disputes
1 The European Committee on Crime Problems (CDPC) shall be kept informed regarding the interpretation and application of this Convention.
2 In case of a dispute between Parties as to the interpretation or application of this Convention, they shall seek a settlement of the dispute through negotiation or any other peaceful means of their choice, including submission of the dispute to the CDPC, to an arbitral tribunal whose decisions shall be binding upon the Parties, or to the International Court of Justice, as agreed upon by the Parties concerned.
Article 46 Consultations of the Parties
1 The Parties shall, as appropriate, consult periodically with a view to facilitating:
a the effective use and implementation of this Convention, including the identification of any problems thereof, as well as the effects of any declaration or reservation made under this Convention;
b the exchange of information on significant legal, policy or technological developments pertaining to cybercrime and the collection of evidence in electronic form;
c consideration of possible supplementation or amendment of the Convention.
2 The European Committee on Crime Problems (CDPC) shall be kept periodically informed regarding the result of consultations referred to in paragraph 1.
3 The CDPC shall, as appropriate, facilitate the consultations referred to in paragraph 1 and take the measures necessary to assist the Parties in their efforts to supplement or amend the Convention. At the latest three years after the present Convention enters into force, the European Committee on Crime Problems (CDPC) shall, in co-operation with the Parties, conduct a review of all of the Convention's provisions and, if necessary, recommend any appropriate amendments.
4 Except where assumed by the Council of Europe, expenses incurred in carrying out the provisions of paragraph 1 shall be borne by the Parties in the manner to be determined by them.
5 The Parties shall be assisted by the Secretariat of the Council of Europe in carrying out their functions pursuant to this article.

Article 47 Denunciation
1 Any Party may, at any time, denounce this Convention by means of a notification addressed to the Secretary General of the Council of Europe.
2 Such denunciation shall become effective on the first day of the month following the expiration of a period of three months after the date of receipt of the notification by the Secretary General.

Article 48 Notification
The Secretary General of the Council of Europe shall notify the member States of the Council of Europe, the non-member States which have participated in the elaboration of this Convention as well as any State which has acceded to, or has been invited to accede to, this Convention of:
a any signature;
b the deposit of any instrument of ratification, acceptance, approval or accession;
c any date of entry into force of this Convention in accordance with Articles 36 and 37;
d any declaration made under Article 40 or reservation made in accordance with Article 42;
e any other act, notification or communication relating to this Convention.

2.C USA Fraud and Related Activity in Connection with Computers

U.S.C Fraud and Related Activity in Connection with Computers
(a) Whoever
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;
(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is --
(1) (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2) or an attempt to commit an offense punishable under this subparagraph, if
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(3) (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii) or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(4) (A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.
(d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communications, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term "financial institution" means
(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act.
(5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term 'government entity' includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country.
(10) the term 'conviction' shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term 'loss' includes any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term 'person' means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of the section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.
No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. (h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under section 1030(a)(5) of title 18, United States Code. Section 814(e) Amendment of sentencing guidelines relating to certain computer fraud and abuse.-- Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. 2.D USA Patriot Act 2001 Sections 202 and 814 SEC AUTHORITY TO INTERCEPT WIRE, ORAL, AND ELECTRONIC COMMUNICATIONS RELATING TO COMPUTER FRAUD AND ABUSE OFFENSES. Section 2516(1)(c) of title 18, United States Code, is amended by striking and section 1341 (relating to mail fraud), and inserting section 1341 (relating to mail fraud), a felony violation of section 1030 (relating to computer fraud and abuse), SEC DETERRENCE AND PREVENTION OF CYBERTERRORISM. (a) CLARIFICATION OF PROTECTION OF PROTECTED COMPUTERS. Section 1030(a)(5) of title 18, United States Code, is amended (1) by inserting (i) after (A) ; Spyridon Rekkas 93

(2) by redesignating subparagraphs (B) and (C) as clauses (ii) and (iii), respectively;
(3) by adding "and" at the end of clause (iii), as so redesignated; and
(4) by adding at the end the following:
"(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;".

(b) PROTECTION FROM EXTORTION. Section 1030(a)(7) of title 18, United States Code, is amended by striking ", firm, association, educational institution, financial institution, government entity, or other legal entity,".

(c) PENALTIES. Section 1030(c) of title 18, United States Code, is amended
(1) in paragraph (2)
(A) in subparagraph (A)
(i) by inserting "except as provided in subparagraph (B)," before "a fine";
(ii) by striking "(a)(5)(C)" and inserting "(a)(5)(A)(iii)"; and
(iii) by striking "and" at the end;
(B) in subparagraph (B), by inserting "or an attempt to commit an offense punishable under this subparagraph," after "subsection (a)(2)", in the matter preceding clause (i); and
(C) in subparagraph (C), by striking "and" at the end;
(2) in paragraph (3)
(A) by striking ", (a)(5)(A), (a)(5)(B)," both places it appears; and
(B) by striking "(a)(5)(C)" and inserting "(a)(5)(A)(iii)"; and
(3) by adding at the end the following:
"(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.".

(d) DEFINITIONS. Section 1030(e) of title 18, United States Code is amended
(1) in paragraph (2)(B), by inserting ", including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States" before the semicolon;
(2) in paragraph (7), by striking "and" at the end;
(3) by striking paragraph (8) and inserting the following:
"(8) the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information;";
(4) in paragraph (9), by striking the period at the end and inserting a semicolon; and
(5) by adding at the end the following:
"(10) the term 'conviction' shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term 'loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term 'person' means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.".

(e) DAMAGES IN CIVIL ACTIONS. Section 1030(g) of title 18, United States Code is amended
(1) by striking the second sentence and inserting the following: "A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages."; and
(2) by adding at the end the following: "No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.".

(f) AMENDMENT OF SENTENCING GUIDELINES RELATING TO CERTAIN COMPUTER FRAUD AND ABUSE. Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment.

2.E Australia Cybercrime Act 2001 Divisions 476, 477

Part 10.7 Computer offences

Division 476 Preliminary

Definitions
(1) In this Part:
access to data held in a computer means:
(a) the display of the data by the computer or any other output of the data from the computer; or
(b) the copying or moving of the data to any other place in the computer or to a data storage device; or
(c) in the case of a program the execution of the program.
Commonwealth computer means a computer owned, leased or operated by a Commonwealth entity.
data includes:
(a) information in any form; or
(b) any program (or part of a program).
data held in a computer includes:
(a) data held in any removable data storage device for the time being held in a computer; or
(b) data held in a data storage device on a computer network of which the computer forms a part.
data storage device means a thing (for example, a disk or file server) containing, or designed to contain, data for use by a computer.
electronic communication means a communication of information in any form by means of guided or unguided electromagnetic energy.
impairment of electronic communication to or from a computer includes:
(a) the prevention of any such communication; or
(b) the impairment of any such communication on an electronic link or network used by the computer;
but does not include a mere interception of any such communication.
modification, in respect of data held in a computer, means:
(a) the alteration or removal of the data; or
(b) an addition to the data.
telecommunications service means a service for carrying communications by means of guided or unguided electromagnetic energy or both.
unauthorised access, modification or impairment has the meaning given in section
(2) In this Part, a reference to:

(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer;
is limited to such access, modification or impairment caused, whether directly or indirectly, by the execution of a function of a computer.

Meaning of unauthorised access, modification or impairment
(1) In this Part:
(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer; or
(d) the impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;
by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.
(2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.
(3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person's conduct substantially contributes to it.
(4) For the purposes of subsection (1), if:
(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and
(b) the person does so under a warrant issued under the law of the Commonwealth, a State or a Territory;
the person is entitled to cause that access, modification or impairment.

Geographical jurisdiction
Section 15.1 (extended geographical jurisdiction Category A) applies to offences under this Part.

Saving of other laws
(1) This Part is not intended to exclude or limit the operation of any other law of the Commonwealth, a State or a Territory.
(2) Subsection (1) has effect subject to section

Liability for certain acts
(1) A staff member or agent of ASIS or DSD (the agency) is not subject to any civil or criminal liability for any computer-related act done outside Australia if the act is done in the proper performance of a function of the agency.
(2) A person is not subject to any civil or criminal liability for any act done inside Australia if:
(a) the act is preparatory to, in support of, or otherwise directly connected with, overseas activities of the agency concerned; and
(b) the act:
(i) taken together with a computer-related act, event, circumstance or result that took place, or was intended to take place, outside Australia, could amount to an offence; but
(ii) in the absence of that computer-related act, event, circumstance or result, would not amount to an offence; and
(c) the act is done in the proper performance of a function of the agency.
(2A) Subsection (2) is not intended to permit any act in relation to premises, persons, computers, things, or telecommunications services in Australia, being:
(a) an act that ASIO could not do without a Minister authorising it by warrant issued under Division 2 of Part III of the Australian Security Intelligence Organisation Act 1979 or under Part III of the Telecommunications (Interception) Act 1979; or
(b) an act to obtain information that ASIO could not obtain other than in accordance with section 283 of the Telecommunications Act
(2B) The Inspector-General of Intelligence and Security may give a certificate in writing certifying any fact relevant to the question of whether an act was done in the proper performance of a function of an agency.
(2C) In any proceedings, a certificate given under subsection (2B) is prima facie evidence of the facts certified.
(3) In this section:
ASIS means the Australian Secret Intelligence Service.
civil or criminal liability means any civil or criminal liability (whether under this Part, under another law or otherwise).
computer-related act, event, circumstance or result means an act, event, circumstance or result involving:
(a) the reliability, security or operation of a computer; or
(b) access to, or modification of, data held in a computer or on a data storage device; or
(c) electronic communication to or from a computer; or
(d) the reliability, security or operation of any data held in or on a computer, computer disk, credit card, or other data storage device; or
(e) possession or control of data held in a computer or on a data storage device; or
(f) producing, supplying or obtaining data held in a computer or on a data storage device.
DSD means that part of the Department of Defence known as the Defence Signals Directorate.
staff member means:
(a) in relation to ASIS the Director-General of ASIS or a member of the staff of ASIS (whether an employee of ASIS, a consultant to ASIS, or a person who is made available by another Commonwealth or State authority or other person to perform services for ASIS); and
(b) in relation to DSD the Director of DSD or a member of the staff of DSD (whether an employee of DSD, a consultant to DSD, or a person who is made available by another Commonwealth or State authority or other person to perform services for DSD).

Division 477 Serious computer offences

Unauthorised access, modification or impairment with intent to commit a serious offence

Intention to commit a serious Commonwealth, State or Territory offence
(1) A person is guilty of an offence if:
(a) the person causes:
(i) any unauthorised access to data held in a computer; or
(ii) any unauthorised modification of data held in a computer; or
(iii) any unauthorised impairment of electronic communication to or from a computer; and
(b) the unauthorised access, modification or impairment is caused by means of a telecommunications service; and
(c) the person knows the access, modification or impairment is unauthorised; and
(d) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the access, modification or impairment.
(2) Absolute liability applies to paragraph (1)(b).
(3) In a prosecution for an offence against subsection (1), it is not necessary to prove that the defendant knew that the offence was:
(a) an offence against a law of the Commonwealth, a State or a Territory; or
(b) a serious offence.

Intention to commit a serious Commonwealth offence
(4) A person is guilty of an offence if:
(a) the person causes:
(i) any unauthorised access to data held in a computer; or
(ii) any unauthorised modification of data held in a computer; or
(iii) any unauthorised impairment of electronic communication to or from a computer; and
(b) the person knows the access, modification or impairment is unauthorised; and
(c) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth (whether by that person or another person) by the access, modification or impairment.
(5) In a prosecution for an offence against subsection (3), it is not necessary to prove that the defendant knew that the offence was:
(a) an offence against a law of the Commonwealth; or
(b) a serious offence.

Penalty
(6) A person who is guilty of an offence against this section is punishable, on conviction, by a penalty not exceeding the penalty applicable to the serious offence.

Impossibility
(7) A person may be found guilty of an offence against this section even if committing the serious offence is impossible.
No offence of attempt
(8) It is not an offence to attempt to commit an offence against this section.

Meaning of serious offence
(9) In this section:
serious offence means an offence that is punishable by imprisonment for life or a period of 5 or more years.

Unauthorised modification of data to cause impairment
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised modification of data held in a computer; and
(b) the person knows the modification is unauthorised; and
(c) the person is reckless as to whether the modification impairs or will impair:
(i) access to that or any other data held in any computer; or
(ii) the reliability, security or operation, of any such data; and
(d) one or more of the following applies:
(i) the data that is modified is held in a Commonwealth computer;
(ii) the data that is modified is held on behalf of the Commonwealth in a computer;
(iii) the modification of the data is caused by means of a telecommunications service;
(iv) the modification of the data is caused by means of a Commonwealth computer;
(v) the modification of the data impairs access to, or the reliability, security or operation of, other data held in a Commonwealth computer;
(vi) the modification of the data impairs access to, or the reliability, security or operation of, other data held on behalf of the Commonwealth in a computer;
(vii) the modification of the data impairs access to, or the reliability, security or operation of, other data by means of a telecommunications service.
Penalty: 10 years imprisonment.
(2) Absolute liability applies to paragraph (1)(d).
(3) A person may be guilty of an offence against this section even if there is or will be no actual impairment to:
(a) access to data held in a computer; or
(b) the reliability, security or operation, of any such data.
(4) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section (unauthorised impairment of electronic communication).

Unauthorised impairment of electronic communication
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised impairment of electronic communication to or from a computer; and
(b) the person knows that the impairment is unauthorised; and
(c) one or both of the following applies:
(i) the electronic communication is sent to or from the computer by means of a telecommunications service;
(ii) the electronic communication is sent to or from a Commonwealth computer.
Penalty: 10 years imprisonment.
(2) Absolute liability applies to paragraph (1)(c).
(3) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section (unauthorised modification of data to cause impairment).

2.F New Zealand Crimes Act 1961 Sections 248,

Interpretation
For the purposes of this section and sections 249 and 250,
access, in relation to any computer system, means instruct, communicate with, store data in, receive data from, or otherwise make use of any of the resources of the computer system
computer system

(a) means
(i) a computer; or
(ii) 2 or more interconnected computers; or
(iii) any communication links between computers or to remote terminals or another device; or
(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and
(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.

250 Damaging or interfering with computer system
(1) Every one is liable to imprisonment for a term not exceeding 10 years who intentionally or recklessly destroys, damages, or alters any computer system if he or she knows or ought to know that danger to life is likely to result.
(2) Every one is liable to imprisonment for a term not exceeding 7 years who intentionally or recklessly, and without authorisation, knowing that he or she is not authorised, or being reckless as to whether or not he or she is authorised,
(a) damages, deletes, modifies, or otherwise interferes with or impairs any data or software in any computer system; or
(b) causes any data or software in any computer system to be damaged, deleted, modified, or otherwise interfered with or impaired; or
(c) causes any computer system to
(i) fail; or
(ii) deny service to any authorised users.

2.G South Africa - Electronic Communications and Transactions Act, Chapter 13

CHAPTER XIII CYBER CRIME

Definition
85. In this Chapter, unless the context indicates otherwise -
"access" includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

Unauthorised access to, interception of or interference with data
86. (1) Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

Computer-related extortion, fraud and forgery
87. (1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
(2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.

Attempt, and aiding and abetting
88. (1) A person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89(1) or (2), as the case may be.
(2) Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89(1) or (2), as the case may be.

Penalties
89. (1) A person convicted of an offence referred to in sections 37(3), 40(2), 58(2), 80(5), 82(2) or 86(1), (2) or (3) is liable to a fine or imprisonment for a period not exceeding 12 months.
(2) A person convicted of an offence referred to in section 86(4) or (5) or section 87 is liable to a fine or imprisonment for a period not exceeding five years.


More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs Network Security Ola Lundh [email protected] Schedule/ time-table: landris.hh.se/ (NetwoSec) Course home-page: hh.se/english/ide/education/student/coursewebp ages/networksecurity cisco.netacad.net Packet

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW) Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Sau Fan LEE (ID: 3484135) Computer Science Department, University of Auckland Email: [email protected] Abstract A denial-of-service

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare ([email protected]) Suvesh Pratapa ([email protected]) Modified by

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: [email protected] The Reverse Firewall: Defeating

More information

Deployment of Snort IDS in SIP based VoIP environments

Deployment of Snort IDS in SIP based VoIP environments Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal [email protected] K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq. Security Management by NETASQ Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto, Ramin Sadre Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attack Taxonomy Many different kind of

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK by Wan, Kwok Kin Kalman MSc in Information Technology The Hong Kong Polytechnic University June 2001 i Abstract of dissertation

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

Analysis of Network Packets. C DAC Bangalore Electronics City

Analysis of Network Packets. C DAC Bangalore Electronics City Analysis of Network Packets C DAC Bangalore Electronics City Agenda TCP/IP Protocol Security concerns related to Protocols Packet Analysis Signature based Analysis Anomaly based Analysis Traffic Analysis

More information

How To Protect Your Network From Attack From A Hacker On A University Server

How To Protect Your Network From Attack From A Hacker On A University Server Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales [email protected] Cell Phone 215-292-4473 www.niksun.com

More information

Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures

Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures Taxonomies of Distributed Denial of Service Networks, s, Tools, and Countermeasures Stephen Specht Ruby Lee [email protected] [email protected] Department of Electrical Engineering Princeton Architecture

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Network Service, Systems and Data Communications Monitoring Policy

Network Service, Systems and Data Communications Monitoring Policy Network Service, Systems and Data Communications Monitoring Policy Purpose This Policy defines the environment and circumstances under which Network Service, Systems and Data Communications Monitoring

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Denial of Service (DoS) attacks and countermeasures Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Definitions of DoS/DDoS attacks Denial of Service is the prevention of authorised access

More information

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS

Software Engineering 4C03 Class Project. Computer Networks and Computer Security COMBATING HACKERS Software Engineering 4C03 Class Project Computer Networks and Computer Security COMBATING HACKERS Done By: Ratinder Ricky Gill Student Number: 0048973 E-Mail: [email protected] Due: Tuesday April 5, 2005

More information

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS , pp-29-33 Available online at http://www.bioinfo.in/contents.php?id=55 A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS SHUCHI JUYAL 1 AND RADHIKA PRABHAKAR 2 Department of Computer Application,

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

2010 Carnegie Mellon University. Malware and Malicious Traffic

2010 Carnegie Mellon University. Malware and Malicious Traffic Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration

More information

The Advantages of a Firewall Over an Interafer

The Advantages of a Firewall Over an Interafer FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

Security: Attack and Defense

Security: Attack and Defense Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing

More information

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

More information

Chapter 28 Denial of Service (DoS) Attack Prevention

Chapter 28 Denial of Service (DoS) Attack Prevention Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...

More information

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:

More information

Detecting peer-to-peer botnets

Detecting peer-to-peer botnets Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: [email protected], [email protected] February 4, 2007 1 Introduction Spam,

More information

How To Understand A Network Attack

How To Understand A Network Attack Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information