A British security professional has been convicted of gaining unauthorized access to the website set up last December to handle charitable donations for the Asian tsunami.
Daniel Cuthbert, then a freelance information security consultant for ABN Amro bank, was found guilty of tampering with the computer systems of the Disaster Emergency Committee on New Year's Eve, 2004. This is the first conviction under Section One of the U.K.'s Computer Misuse Act 1990 for attempted unauthorized access to information systems.
Cuthbert, 28, was sentenced at Horseferry Road Magistrates' Court in London to pay £400 ($700) in fines and to cover £600 ($1050) costs for tripping the intrusion detection system of the Disaster Emergency Committee (DEC). There were gasps in the public gallery as the verdict was handed down.
Outside the court, an emotional Cuthbert said that he had no plans to appeal against the verdict.
"I have no career left," he said.
In sentencing, District Judge Mr Q Purdy said that it was "with some considerable regret" that he passed down a guilty verdict, but the Act made it quite clear that Cuthbert had knowingly performed unauthorized actions against DEC's systems. Judge Purdy acknowledged that, though Cuthbert had avoided a custodial sentence, the potentially dire impact on his career may be "a heavy price to pay."
The conviction could have serious knock-on effects for security professionals.
Peter Sommer, a senior research fellow with the Information Systems Integrity Group at the London School of Economics, said security professionals would now almost certainly have to be more careful and would want to have a cast iron description, when hired, of what they were authorized to do.
Sommer, who examined logs for Cuthbert's defense counsel and gave expert witness to the court, said he thought that, for the extent of Cuthbert's offense "it's a very heavy penalty to have to pay." He said he thought it was "fairly unfair," and that he had had "grave misgivings" about the decision to prosecute. But Cuthbert had initially, when arrested, lied to the police, which may have been his undoing.
When asked if this conviction might drive a wedge between the infosec community and the police, Sommer said "it's certainly not going to help ... and the Computer Crime Unit is going round the City [of London] with a begging bowl saying why don't you fund us directly ... and I think they're going to find it now more difficult."
Cuthbert's defense counsel said he had had no malicious intent, and that Cuthbert had entered his details with the DEC's donation site. Counsel for the defense also claimed Cuthbert was testing the security of the site to which he'd given his details by "nudging the door," to ensure "that the door was there and the door is closed."
But Judge Purdy said that, under the CMA, Cuthbert's ultimate aims, whether "malevolent or benevolent" did not bear upon the fact that "unauthorized access, however praiseworthy the motives, is an offense."
The Met Police's Computer Crime Unit led the investigation against Cuthbert, which has dragged on since early this year.
"We welcome today's outcome in a case which fully tests the computer crime legislation," said DC Robert Burls of the Metropolitan Police's Computer Crime Unit. "[We] hope it sends out a reassuring message to the general public that in this particular case the appropriate measures were in place that enabled donations to be made via the Disaster Emergency Committee website."