UK lawmakers are currently considering changes to the country's criminal code that could result in hackers being locked up for longer than murderers or bank robbers.
Various members of Parliament, human rights groups, and computer experts, however, are objecting to the amendments, arguing that they could be used to target whistleblowers.
The proposed Act, known as the Serious Crime Bill, alters and amends various existing laws pertaining to the punishment of criminals ranging from child abusers and pedophiles to gangs and drug cartels to digital criminals. The House of Lords is scheduled to scrutinize the Serious Crime Bill again today.
In the case of computer wrongdoers, the changes would apply to the Computer Misuse Act 1990. These proposed changes are overly vague and loaded with ill-defined terms, critics say. A hacker who breaks into a financial institution could get a life sentence if the act is deemed to be "damaging the economy," for example. What exactly constitutes damaging the economy—or the environment, or national security, as alluded to in the amendments—is not explained.
It's a bit like the US's nonspecific Computer Fraud and Abuse Act (CFAA), an Act that sent hacker Andrew "weev" Auernheimer to prison for telling a media outlet about a security flaw. The CFAA is also regularly used as a big stick to frighten hacktivists, the most notorious instance being the 50+ years the late Aaron Swartz was threatened with for violating an academic journal's Terms of Service.
Efforts to clarify the language in the CFAA are met with stiff opposition from Silicon Valley companies, which benefit from the vague wording in the law as it makes it easier for them to sue competitors and any user that violates their Terms of Service. Unlike the US Congress, though, the British parliament is very particular about its language and laws.
Baroness Williams of Trafford, a member of the House of Lords, previously tabled some amendments on October 14th to address the unclear language. The Serious Crime Bill is sponsored by the Home Office, a department in the British government responsible for security issues. Phrases like "damage to the environment" troubled the Baroness. Last week, the Joint Committee on Human Rights (JCHR) echoed the Baroness' concerns and elaborated further, adding in a report:
"The use of such broad concepts without further definition in other statutory contexts is one thing but, as the Government itself acknowledges, it is quite another in the context of criminal sanctions. Legal certainty requires that criminal offences are precisely defined so that individuals know how to avoid such sanctions. Vagueness is not permissible in the definition of criminal offences."
The Joint Committee on Human Rights went on to write in their report that the "broad and vague definition … appears to be without precedent" (in the UK at least) and that, as the amendment stands, it "appears to cross a significant line by using these unsatisfactory concepts in the definition of a serious criminal offence carrying a lengthy sentence."
A government spokesperson for the Home Office released a statement basically saying they beg to differ. This type of legislation was necessary, they argued, in order to ensure those committing such computer crimes would be appropriately punished. They called such unspecified cyber attacks "a threat to our national security" that costs "hard-working taxpayers at least £24bn a year." They did add that they were considering the JCHR's report though.
Currently, the maximum sentence for computer-related crimes is 10 years; the proposed changes would up that to life.
Existing legislation is already adequate, cyber security expert and De Montfort University professor Peter Sommer told The Guardian. If Parliament were really concerned with cyber terrorism, he added, it should amend the legislation on terrorism, not add it to the Computer Misuse Act. Instead, he says, the proposed amendment in the Serious Crime Bill comes across more as "the opportunity to stand up and sound tough."
The US is no stranger to this "sounding tough" dance Professor Sommer speaks of, and has shown repeatedly it favors over-prosecution as a means to send a message. The late Aaron Swartz was at one point facing more than 50 years in prison (the maximum possible sentence) under the CFAA for downloading too many academic articles so he could then share them for free.
The federal government was able to threaten him with so much jail time because the CFAA doesn't define what the phrases "exceeds authorized access" and "access without authorization" mean. American journalist Barrett Brown was facing a maximum sentence of 100 years (reduced to 8.5 years), and hacktivist Jeremy Hammond is currently serving a 10-year prison term for his LulzSec-related activities.
Meanwhile over in Britain, hackers who violated the Computer Misuse Act, like Ryan Cleary of LulzSec, faced one to three years in prison for their crimes.
Their sentences were deemed "long" by the British press.