7. ATTACKS AGAINST INFORMATION SYSTEMS
Draft Council Framework Decision on attacks against information systems.
|Legal base:||Articles 29, 30(1)(a), 31 and 34(2)(b) EU
|Basis of consideration:
||Minister's letter of 15 October 2002|
|Previous Committee Report:
||HC 152-xxxvi (2001-02), paragraph 5 (10 July 2002)
|To be discussed in Council:
||No date fixed|
|Committee's assessment:||Legally and politically important
|Committee's decision:||Not cleared; further information requested
7.1 We considered this proposal for a Framework Decision
on the criminal law relating to attacks on computer and electronic
communications systems on 10 July 2002. We raised a number of
technical issues of definition and questioned whether for the
purposes of imposing a penalty it was right to include the causing
of indirect economic loss as an aggravating circumstance, even
where such loss was not reasonably foreseeable. We also asked
the Minister for his views on whether the proposal was really
necessary, given the adoption by the Council of Europe of a convention
The Minister's reply
7.2 In his letter of 15 October 2002, the Parliamentary
Under-Secretary of State at the Home Office (Mr Bob Ainsworth)
addresses our concerns of detail, as well as those on the penalties
for aggravating circumstances and the relationship of the proposal
with the Council of Europe cybercrime convention.
7.3 We noted on 10 July that the proposal applied to
conduct which was 'without right' and therefore excluded from
criminal liability conduct by an authorised person or conduct
which was 'recognised as lawful under domestic law'. We asked
the Minister to explain the meaning of this latter term, since
it seemed to us that a number of systems of law might be relevant,
leading to different interpretations in different Member States.
The Minister replies that the Framework Decision does not seek
to define the term 'without right' but seeks not to criminalise
conduct which is recognised as lawful under domestic law. The
Minister points out that the Council of Europe cybercrime convention
similarly does not restrict parties in their application of the
term 'without right', but recognises legitimate activities in
operating information systems, lawful Government conduct, legal
defences and exclusions from criminal liability as well as providing
a number of specific examples. The Minister considers that we
are right to say that the term 'under domestic law' could lead
to different interpretations in different countries and that,
while it may be possible to resolve all these differences, this
is a matter which will need to be addressed in the negotiations.
7.4 We also noted that there appeared to be an overlap
between the offence under Article 4a of seriously hindering or
interrupting an information system by deleting data and the offence
under Article 4b of deleting data on an information system with
the intention of causing damage. The Minister replies that we
are right to point out that in practice some acts may fall under
both Article 4a and 4b but considers that the Framework Decision
'covers the two specific intended outcomes more comprehensively
than the Computer Misuse Act'. The Minister adds that the overlap
is intentional and is 'less critical' than failing to criminalise
either type of conduct, and that he does not anticipate any practical
difficulties in framing UK legislation to reflect this part of
the Framework Decision.
7.5 The Minister shares our concern over the lack of
definition of 'serious cases' for the purpose of determining penalties,
and states that it is his intention to resolve the question in
7.6 In relation to our remarks on the causing of indirect
economic loss as an aggravating circumstance, the Minister states
that it is the Government's view that indirect economic loss should
affect the maximum penalties in the same way as direct economic
loss. However, the Minister adds:
"As the Committee highlights, there is no requisite intent
for the aggravating results which trigger the higher maximum penalty.
We will seek to simplify the whole penalty regime in the first
draft of the Framework Decision when negotiation begins and will
raise the issue of intent then. Of course, in the UK, the courts
consider intent in deciding sentences within the maximum penalty."
7.7 In response to our concern about whether this measure
is needed, given the existence of the Council of Europe cybercrime
convention, the Minister comments as follows:
"It is our view that while the Framework Decision draws
from the Convention, it will allow us to go further in setting
significantly more detailed and more comprehensive offences common
to all Member States. The Framework Decision would also provide
a common minimum framework of maximum penalties across Member
States, and will therefore ensure consistent extradition and European
Arrest Warrant implications for these offences, provided we can
ensure that the definitions are sufficiently clear."
7.8 We thank the Minister for his helpful letter.
It is evident from this that considerably more work will be needed
on this proposal before it is ready for adoption. We shall look
forward to an account of how the concerns we have identified have
been addressed in a revised version.
7.9 We shall hold the document under scrutiny, pending
deposit of the revised version.