Criminal practitioners and particularly those with an interest and/or expertise in dealing with computer misuse and/or hacking cases should consider carefully the case of R v Martin [2013] EWCA Crim 1420.
Mr Martin, having pleaded guilty to various contraventions of the Computer Misuse Act 1990, was sentenced to a total of two years’ imprisonment.
The brief facts are that Mr Martin launched a denial of service attack on the University of Oxford’s website. As a result that site was unable to respond to legitimate traffic or responded so slowly as to be rendered effectively unavailable. When a system administrator for the website discovered that there were a large number of requests from a particular internet provider, the administrator blocked the address and normal service resumed. However, after the block was put in place, the attack migrated to other linked sites. These attacks took place in March 2011. A further attack was launched on 29 January 2012, and on this occasion Mr Martin used a program called CyberGhost and the effect was similar to those undertaken the previous year. Following this, Mr Martin launched a DOS attack on the University of Cambridge’s website and, of particular concern, an attack on the Kent Police website. Police later said that these were some of the most serious attacks on the website that they had seen. Mr Martin also targeted two individuals who sustained financial loss and disruption to their private and business affairs. Eventually Mr Martin was arrested and entered timely pleas of guilty.
In appealing the sentence of two years, Counsel stated where full credit was given for Mr Martin’s guilty plea, thus representing a sentence of three years’ imprisonment after a trial was two long for a number of reasons, including Mr Martin’s age (twenty-one at the time of the offences), and that the DOS attacks were not to cause permanent damage, nor access or otherwise alter data, but to slow up all the functionality of the website for a short period of time.
In dealing with the sentence, the Court of Appeal recognised that there are no sentencing guidelines relating to offenders under the Act and these offences or any other the Court must have regard to the purposes of sentencing as set out in the Criminal Justice Act 2003. The Court of Appeal concluded that these offences fell into the highest level of culpability and they were carefully planned and were intended to cause harm both to the individuals and the organisations targeted.
Counsel sought to rely on a reported case of R v Mangham [2012] EWCA Crim 973 where a sentence of four months’ imprisonment on appeal was imposed for various hacking offences. In this case, having read the judgement, there were exceptional features of personal mitigation and the Court, rightly in my opinion, concluded that Mangham should not be considered the benchmark for such cases, which now ordinarily attract sentences which are considerably longer for offending of this scale. The Court stated that sentences will be measured in years rather than months, and in doing so made the following observations:
“The prevalence of computer crime, its potential to cause enormous damage, both to the credibility of IT systems and the way in which our society now operates, and the apparent ease with which hackers, from the confines of their own homes, can damage important public institutions, not to say individuals, cannot be understated. The fact that organisations are compelled to spend substantial sums combating this type of crime, whether committed for gain or out of bravado, and the potential impact on individuals such as those affected in this case only underlines the need for a deterrent sentence.”
In the present case there are a number of aggravating features, including sophisticated planning, persistent conduct which shows a deliberate desire to maximise damage and disruption, an attack on the public interest which at various times rendered the websites of the Universities of Oxford and Cambridge and of Kent Police unusable, and the invasion of the individual privacy of two of the victims cannot be underestimated.
In accepting some of the mitigating factors, including that these offences had not been committed for profit (save for a minor transaction), and had the attacks been motivated by benefit, a longer sentence would have been inevitable.
In those circumstances, two years was a right and proper sentence.
The detection of computer crime and the prosecution of these offences is still in its infancy. Such cases are run by special caseworkers at the Crown Prosecution Service and are investigated by the Economic Crime Unit. These prosecuting authorities and investigators are still a long way behind hackers in terms of detection but, from my own experience of cases this year, there is clearly an appetite to put resources into detecting crimes of this nature, and successful prosecutions are now being reflected in the imposition of longer sentences than would have been the case eighteen months or two years ago.
As further prosecutions are inevitable, there will be further guidance given as to what sentences for what offences should be imposed. As with other areas of criminal conduct, as more cases are before the courts, more consistency will be applied to sentences.
All of this means that such cases need to be handled with care, sensitivity and a degree of expertise. Clients hacking into individuals’ or businesses’ computers and obtaining personal information can only expect prison sentences, and often the length of those sentences can be assisted by a defence practitioner identifying the issues early and mitigating the circumstances upon which the offences were committed. Once again, this needs careful analysis of the evidence at an early stage.
We at Lewis Nedas Law have an excellent record of defending suspects charged under the Computer Misuse Act we further instruct recognised experts to consider how the case has been prepared and on what basis. Miles Herman, a partner of the practice, is well-versed and used to all types of prosecutions under the Computer Misuse Act. Please contact us by completing our online enquiry form or calling us on 020 7387 2032 if we can assist you in this area of law.
Miles has a current case is presently before Southwark Crown Court where the defendant is charged with conspiracy and involves similar characteristics to the case referred to above.