House of Lords
Publications on the Internet|
|Judgments -- Regina v. Bow Street Magistrates Court and Allison (A.P.) Ex Parte Government of the United States of America (on Appeal from a Divisional Court of the Queens Bench Division)
Lord Hobhouse of Wood-borough Lord Millett
(ON APPEAL FROM A DIVISIONAL COURT
OF THE QUEENS BENCH DIVISION)
I have had the advantage of reading in draft the speech of my noble and learned friend Lord Hobhouse of Woodborough. For the reasons he has given I would allow the appeal.
I have had the advantage of reading in draft the speech which has been prepared by my noble and learned friend, Lord Hobhouse of Woodborough. I agree with it, and for the reasons which he gives I, too, would allow the appeal.
LORD SAVILLE OF NEWDIGATE
I have had the advantage of reading in draft the speech prepared by my noble and learned friend, Lord Hobhouse of Woodborough. I agree with it and, for the reasons he gives, I, too, would allow the appeal
LORD HOBHOUSE OF WOODBOROUGH
On 18 March 1997, Mr Allison was arrested upon a provisional warrant issued under the Extradition Act 1989 at the request of the Government of the United States. It alleged that he had between 1 January 1996 and 18 June 1996 within the jurisdiction of the United States of America conspired with Joan Ojomo and others -
(1) to secure unauthorised access to the American Express computer system with intent to commit theft,
(2) to secure unauthorised access to the American Express computer system with intent to commit forgery, and
(3) to cause unauthorised modification to the contents of the American Express computer system.
On 11 June 1997 the Bow Street Magistrate committed Mr Allison on the third charge but declined to commit him on the first and second of the proposed charges. Mr Allison brought Habeas Corpus proceedings challenging the view that any of the offences alleged were "extradition crimes" under the Act of 1989 and the United States of America (Extradition) Order 1976, SI 1976 No. 2144. The Government brought judicial review proceedings challenging the decision in law of the magistrate that the evidence did not disclose a prima facie case that there had been a conspiracy to commit offences falling within section 2 of the Computer Misuse Act 1990 as alleged in the first and second charges in the warrant.
These challenges to the decision of the magistrate were heard by the Divisional Court which gave judgment on 13 May 1998, Kennedy L.J. and Blofeld J.,  Q.B. 847. The Divisional Court dismissed both the Habeas Corpus proceedings and the judicial review proceedings. They however certified a question of law of general public importance:
This question was unhappily drafted; as will appear it perpetuates a confusion concerning the Act of 1990 which is implicit in the judgment of the Divisional Court.
On 15 July 1999 following a hearing concluded on 13 July, your Lordships' House allowed the Government's appeal, set aside the order of the Divisional Court, quashed the discharge by the magistrate of Mr Allison on the first and second of the proposed charges and remitted the cause back to the magistrate, with your Lordships' reasons to be given later.
Joan Ojomo was an employee of American Express. She was assigned to the credit section of the Company's office in Plantation, Florida, as a credit analyst. In her daily work it was possible for her to access all customers' accounts but she was only authorised to access those accounts that were assigned to her. However she accessed various other accounts and files which had not been assigned to her and which she had not been given authority to work on. Having accessed those accounts and files without authority, she gave confidential information obtained from those accounts and files to, among others, Mr Allison. The information she gave to him and to others was then used to encode other credit cards and supply PIN numbers which could then be fraudulently used to obtain large sums of money from automatic teller machines.
The evidence concerning Joan Ojomo's authority to access the material data showed that she did not have authority to access the data she used for this purpose. At no time did she have any blanket authorisation to access any account or file not specifically assigned to her to work on. Any access by her to an account which she was not authorised to be working on would be considered a breach of company policy and ethics and would be considered an unauthorised access by the Company. The computer records showed that she accessed 189 accounts that did not fall within the scope of her duties. Her accessing of these accounts was unauthorised.
Using these methods, she and her fellow conspirators defrauded American Express of approximately US$1,000,000. Mr Allison was arrested with forged American Express cards in his possession and was photographed using one such card to obtain money from an automatic teller machine in London.
The proposed charges against Mr Allison therefore involved his alleged conspiracy with Joan Ojomo for her to secure unauthorised access to data on the American Express computer with the intent to commit the further offences of forging cards and stealing from that Company. It is Joan Ojomo's alleged lack of authority which is an essential element in the offences charged.
The Extradition Act 1989:
The Act of 1989 was enacted following reports of the English and Scottish Law Commissions recommending revisions of the law of extradition. The Act consolidated the previous law with amendments to give effect to those recommendations. The Extradition Act 1870 was among those repealed by the Act of 1989. The Act of 1870 included a definition of "extradition crime" as meaning "a crime which, if committed in England ...., would be one of the crimes described in the first schedule" to the Act. The schedule, as would be expected having regard to its date, consisted of a relatively short list. Between 1870 and 1989 the list was extensively added to by later Acts. But none of these statutes included a reference to computer crime such as that made criminal by the Computer Misuse Act 1990.
The scheme of the Act of 1989 was that whilst repealing the Act of 1870, it effectively preserved the first schedule to that Act and the later amendments. It also preserved Orders in Council made under s.2 of the Act of 1870 and the power to amend them. Under such Statutory Instruments the relevant regime is that laid down in the first schedule to the Act of 1989. Paragraph 20 of this schedule provides that "extradition crime" in relation to a foreign state
The relevant Order in Council governing extradition to the United States of America is 1976 No. 2144. It gives effect to and schedules the Extradition Treaty between the respective Governments of the United Kingdom and the United States. Article III of the Treaty provides:
The schedule annexed to the Treaty does not include any reference to computer crime. Therefore if an offence under the Computer Misuse Act 1990 is to come within the terms of the Treaty it will have to be as some "other offence". There is no dispute in the present case that an offence under s.2 of the Act of 1990 comes within (1)(a) being punishable by imprisonment for more than one year. Similarly it is not disputed that the conduct charged would constitute felonies under the law of the United States, (1)(c). The question which has been raised by Mr Allison on his Habeas Corpus application is whether the offences alleged are extraditable under the law of the United Kingdom, (1)(b), and therefore as conspiracies come within paragraph (2) of the Article.
In September 1989 there was no provision of the law of the United Kingdom which made computer crime extraditable; indeed, there was no such provision which made it (as such) criminal at all. At that time such conduct fell outside the scope of the criminal law of the United Kingdom and accordingly outside the scope of the Extradition Treaty.
The Treaty and the Order in Council have not been amended. The provision which has been relied upon by the Government of the United States as bringing offences under the Computer Misuse Act 1990 within the terms of the Treaty is s.15 of that Act which provides -
The argument of Mr Allison is that this provision does not suffice to satisfy the requirement of paragraph 20 of the first schedule to the Act of 1989: it is not an amendment of the Order of 1976. This argument, however, fails to give effect to the obvious and express intention of s.15. The section provides that the relevant offences are ones to which such an Order can apply; it therefore makes the offences ones which are extraditable for the purpose of that Order. The Computer Misuse Act 1990 does not purport to alter the Treaty or the Order nor does it need to; they include not only the offences listed in the schedule annexed to the Treaty but also "any other offence". All that is needed is some provision of the law of the United Kingdom which provides, supplementing the provisions of the 1989 and earlier Acts, that computer crime shall both become an offence and be extraditable under the law of the United Kingdom; the 1990 Act contains provisions that meet this need.
The Divisional Court rightly held that the offences charged did come within the terms of the Treaty and the Order of 1976. In Reg. v. Secretary of State for the Home Department, Ex parte Gilmore  Q.B. 611, the Divisional Court rejected an argument that the effect of the Act of 1989 was to free the Treaty from the constraints imposed by the schedule to the Act of 1870. But that is not the question raised by the argument of Mr Allison in the present case. The question is one of the construction of the Act of 1990: does it make the offences referred to in s.15 extraditable for the purposes of (among others) Article III(1)(b) of this Treaty? That question was correctly answered by the Divisional Court in the present case in the affirmative. The Habeas Corpus proceedings rightly failed.
The Computer Misuse Act 1990:
Sections 1 and 2 of the Act provide:
Section 2 is thus dependent on s.1.
On the evidence before the magistrate, the conduct of Joan Ojomo came fairly and squarely within the provisions of s.1(1). She intentionally caused a computer to give her access to data which she knew she was not authorised to access. The reason why the magistrate did not commit Mr Allison on charges 1 and 2 was that he felt constrained by the provisions of s.17 and the interpretation put upon them by the Divisional Court in D.P.P. v. Bignell  Cr.App.R. 1; the Divisional Court also followed and applied Bignell's case.
The relevant subsections of s.17 reads -
Section 17 is an interpretation section. Subsection (2) defines what is meant by access and securing access to any programme or data. It lists four ways in which this may occur or be achieved. Its purpose is clearly to give a specific meaning to the phrase "to secure access". Subsection (5) is to be read with subsection (2). It deals with the relationship between the widened definition of securing access and the scope of the authority which the relevant person may hold. That is why the subsection refers to "access of any kind" and "access of the kind in question". Authority to view data may not extend to authority to copy or alter that data. The refinement of the concept of access requires a refinement of the concept of authorisation. The authorisation must be authority to secure access of the kind in question. As part of this refinement, the subsection lays down two cumulative requirements of lack of authority. The first is the requirement that the relevant person be not the person entitled to control the relevant kind of access. The word "control" in this context clearly means authorise and forbid. If the relevant person is so entitled, then it would be unrealistic to treat his access as being unauthorised. The second is that the relevant person does not have the consent to secure the relevant kind of access from a person entitled to control, ie authorise, that access.
Subsection (5) therefore has a plain meaning subsidiary to the other provisions of the Act. It simply identifies the two ways in which authority may be acquired--by being oneself the person entitled to authorise and by being a person who has been authorised by a person entitled to authorise. It also makes clear that the authority must relate not simply to the data or programme but also to the actual kind of access secured. Similarly, it is plain that it is not using the word "control" in a physical sense of the ability to operate or manipulate the computer and that it is not derogating from the requirement that for access to be authorised it must be authorised to the relevant data or relevant programme or part of a programme. It does not introduce any concept that authority to access one piece of data should be treated as authority to access other pieces of data "of the same kind" notwithstanding that the relevant person did not in fact have authority to access that piece of data. Section 1 refers to the intent to secure unauthorised access to any programme or data. These plain words leave no room for any suggestion that the relevant person may say: "Yes, I know that I was not authorised to access that data but I was authorised to access other data of the same kind.
Bignell's case was decided in 1997. The leading judgment was given by Astill J. with whom Pill L.J. agreed. Two police officers had been convicted before the stipendiary magistrate of an offence under s.1 of the Act of 1990. They had for their own private purposes caused a police computer operator to obtain for them from the Police National Computer information about the ownership and registration of two cars. They had no authority to make that request or to obtain that information for that purpose. They were only permitted to make such a request for police purposes; indeed, to obtain the information, they had to misrepresent to the computer operator the purpose of their request. The computer operator acted under an authorisation from the Commissioner of the Metropolitan Police. He was authorised to use the computer to access the data on the database at the request of police officers; he was required to ascertain and log the reason for the request.
The magistrate convicted the two officers of an offence under s.1. Their appeal to the Crown Court was allowed but the prosecution requested the Crown Court to state a case for the Divisional Court. The four stated questions of law are set out in the report at  1 Cr.App.R. p. 8. They asked whether the Crown Court had been right in law to allow the appeal. The Divisional Court upheld the decision of the Crown Court.
The conclusion of the Divisional Court was probably right. It was a possible view of the facts that the role of the defendants had merely been to request another to obtain information by using the computer. The computer operator did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed under s.1 of the Act of 1990. The Divisional Court rightly stated that the defendants could have been prosecuted for an offence under the Data Protection Act 1984.
However, in the course of his judgment Astill J., as he had been invited to by the Crown Court and the argument of counsel, expressed views about the purpose of the Act of 1990 and the effect of s.17(5). Thus, he treated the primary issue as being "whether a police officer who secures access to the Police National Computer for a non-police purpose secures unauthorised access" for the purposes of s.1. The submissions which he accepted were that the defendants "were authorised to control access to the computer within the meaning of s.17(5) because they were authorised to obtain the material on the computer by causing the computer to function" and that "controlling access is different from defining or restricting authority to access and s.7(5)(b) provides for the position of a person who enjoys a restricted level of access and is, therefore, barred from other levels of access without the consent of someone who is entitled to access at that level". This acceptance introduces a number of glosses which are not present in the Act. The concept of control is changed from that of being entitled to authorise to authorised to cause the computer to function. The concept of access to a program or data is changed to access to the computer at a particular "level". He also accepted the submission that the purpose of the Act was to criminalise the breaking into or hacking of computer systems which he understood to mean preserving the "integrity of computer systems". He accordingly characterised the defendants as persons who had "control access" (using the word "control" as a noun) "of the kind in question".
It was this use of language, departing from the language of the statute and unnecessary to the decision of that case, which misled the magistrate and the Divisional Court in the present case.
The Decision of the Divisional Court:
My Lords, what I have already said serves to identify the points upon which the Divisional Court fell into error. The certified question refers to "authority to access data of the kind in question". The use of the phrase "data of the kind in question" seems to derive from a simple mis-reading of s.17(5) and a confusion between kinds of access and kinds of data. Nor is s.1 of the Act concerned with authority to access kinds of data. It is concerned with authority to access the actual data involved. Because s.1(1) creates an offence which can be committed as a result of having an intent to secure unauthorised access without in fact actually succeeding in accessing any data, s.1(2) does not require that the relevant intent relate to any specific data. But that does not mean that access to the data in question does not have to be authorised.
The key passage in the judgment of Kennedy L.J., with which Blofeld J. agreed, follows on his quotation of s.17(5) at  Q.B. 847, 857:
Thus, Kennedy L.J. is making the same elisions as Astill J. He treats the phrase "entitlement to control" as if it related to the control of the computer as opposed to the entitlement to authorise operators to access to programs and data. He adopts the extraneous idea of an authorised level of access without considering whether, on the facts of the case, it corresponds to the relevant person's authority to access the data in fact accessed. He confines s.1 of the Act to the "hacking" of computer systems as opposed to the use of a computer to secure unauthorised access to programs or data. Upon a misreading of s.17(5), he fails to give effect to the plain words of s.1. The meaning of the statute is clear and unambiguous. But it is right that I should briefly say something about the argument based upon the Working Party Paper and Report of the Law Commission which (together with the Report of the Scottish Law Commission) led to the passing of the Act of 1990. The argument was influential in the Divisional Court both in Bignell and in the present case and was further relied on by the Respondent before your Lordships. The Respondent quoted passages from the Paper and the Report to the effect:
Read as a whole, the Report makes it clear that the term "hacking" is used conveniently to refer to all forms of unauthorised access whether by insiders or outsiders and that the problem of misuse by insiders is as serious as that by outsiders (para. 3.5). The offence should cover a person who causes the computer to perform a function when he "should know that that access is unauthorised" (para. 3.33, emphasis supplied). An employee should only be guilty of an offence if his employer has clearly defined the limits of the employee's authority to access a program or data (para. 3.37). Similar passages are to be found in the Report of the Scottish Law Commission.
Whilst the Report of the Law Commission supports the correctness of the decision in Bignell--the phrase 'causing a computer to perform any function' refers to the "manipulation" of a computer (para. 3.26)--it does not justify the language used by Astill J. followed by Kennedy L.J. in the present case. The consideration of the mischief which the Act was designed to meet confirms and does not contradict the clear meaning of s.1 of the Act and the equally clear purpose of s.17(2) and (5).
The decision of the Divisional Court in the present case was erroneous and the appeal fell to be allowed. As your Lordships' House has already announced the case has been remitted to the magistrate for reconsideration. Full reasons having been given for allowing the appeal, it is unnecessary separately to respond to the certified question.
I have had the advantage of reading in draft the speech of my noble and learned friend, Lord Hobhouse of Woodborough. I agree with it, and for the reasons he gives I too would allow the appeal.
Lords Parliament Commons Search Contact Us Index
|© Parliamentary copyright 1999||Prepared 5 August 1999|