Runescape, the Computer Misuse Act and theft

The background:

Details here.  A group of Runescape players mount a phishing scam, obtain other players’ accounts, strip those accounts of gold and loot.  Presumably they make an in-game or real-world profit.  Then the UK Police (specifically the Central Police e-crimes unit) swoop in.  They arrest and caution an individual in Avon and Somerset “on suspicion of a number of computer misuse offences”.

Police pwn players

This appears to have been the first time that a UK games company has gone to the police to protect the integrity of its game.  Not much at all has been said about exactly what offences have been alleged. 

UPDATE: I had initially thought that one way in which the Police could go after the accused would be to prosecute for theft.  However, on a closer look (and thanks to the guys in the comment thread), it seems that a better way may be under the Computer Misuse Act 1990 – with which I must admit I was previously unfamiliar.  Thanks!

What is the Computer Misuse Act 1990? (CMA)

In the late 1980s there was controversy in the UK regarding the legality of hacking, following a UK case called R v Gold and Schifreen – in a nutshell, two guys were able to hack a British Telecom system but, as the law stood at the time, hacking was not expressly illegal and therefore they were acquitted.  This was a factor in the Parliament of the day passing the CMA.

As a very quick summary, the CMA was intended to criminalise three kinds of conduct:

(i) Intentional attempts to cause a computer to perform any function with intent to secure unauthorised access to a computer or data on it (the section 1 offence)

(ii) Same as (i) but with the intent to carry out a further criminal offence (e.g. hacking a PC in order to commit fraud) (the section 2 offence), and

(iii) acting in any way which causes the unauthorised modification of the contents of any computer, with the intent to impair the operation of any computer/programme or to hinder access to data on any computer (the section 3 offence).

Carrying out any of the above renders you liable to a fine and/or imprisonment (between six months and five years depending on how you plead to the offence).

Is the phisher/account-ninja covered?

‘Yes, but the wording isn’t brilliant’, seems to be the general answer.  Certainly phishing could be said to fall under the section 1 offence, on the argument that the phisher sets programmes running which find out the account details etc. of the innocent person(s).  To the extent that the phisher had intent to use those details to commit further criminal offences, he/she could also fall under section 2 – which carries harsher penalties.  Then there is the somewhat more nebulous section 3: does phishing or ninjaing someone’s account “impair” or “hinder” any other computer or program?  Maybe – perhaps if having your account details stolen “hinders” your ability to use the programme?

But this gets even more interesting

Anyway, what we want to do is focus on section 2.  If the phisher stole Runescape account details with a view to somehow trying to gain access to others’ computers or stealing their bank details, then there would in principle be a case for arguing that they had had intent to commit further criminal offences under section 2.  But what if the phishers only intended to enrich themselves in-game by, for example, turning the stolen accounts’ assets into gold and transferring that gold to themselves, or even selling it on the black market (which would be a breach of the EULA etc. but not necessarily illegal as such)?  Could enriching yourself in-game or in the real world through a game by unauthorised means be classified as an offence?

That is the really interesting part to this case and, if the Police are interested in pushing for the strongest sentence possible against these phishers, they will need to consider this sometime soon – if they haven’t already.

That’s exciting, isn’t it?  Makes us think about adding a chapter to that book on virtual law which we’ll have to write one day…

In the meantime, the story goes on…

Little more has been announced since the Police announcement earlier this week, but no doubt further details will follow in due course.  It’s also worth bearing in mind that Jagex has stated that this is part of a long-term investigation in both the USA and UK – so there may be further twists in the tale yet…

~ by Jas on December 2, 2009.

3 Responses to “Runescape, the Computer Misuse Act and theft”

  1. Various reports have said that he wasn't cautioned for theft but for offences under the Computer Misuse Act 1990, so it'd be more about unauthorised access to computer systems.

  2. very true

  3. Guys – thanks both for your helpful comments, have amended the post – see above!
