According to the charges, Oleg Zezov and Igor Yarimaka of Kazakhstan hacked into the computer systems of Bloomberg LP and attempted to extort $200,000 from Michael Bloomberg in exchange for information on how they did it. Michael Bloomberg informed the FBI and, working with the FBI, agreed to meet with the alleged extortionists in London to resolve the matter. The meeting was held on 10th August 2000. Shortly after the meeting, Zezov and Yarimaka were arrested by London police. The US requested their extradition.
Yarimaka and Zezov came before England’s High Court last week, arguing against extradition to the US and claiming that their acts were not offences under the UK legislation. The Computer Misuse Act dates back to 1990, before the birth of the World Wide Web, and due to its wording, its application to some apparently criminal acts has been doubted, notably denial of service attacks and deception for the purpose of gaining access to someone else's resources, some variations of which are known as spoofing.
The Act explains that a hacking offence is committed when “unauthorised modifications” are made to a computer with the “requisite intent and the requisite knowledge.” It goes on to say that this requisite intent exists when the modifications impair the operation of a computer, hinder access to a program or data or impair the operation of a program or “the reliability of any such data.”
Among the arguments which the alleged hackers made to the court this month was that “causing a computer to record the arrival of information that did not come from the source it purported to come from was not conduct affecting the reliability of the data.” However, the court disagreed.
Judges Woolf and Wright interpreted the words “reliability of any data” to mean that, “if a person caused a computer to record that information came from A when it in fact came from B, that manifestly affected the reliability of that information.”
Spoofing is a common trick among those who send spam – it exploits the reputation (and often the systems) of another party to add apparent legitimacy to their messages. This month’s ruling could open the door to new types of prosecution for spoofing incidents under the 1990 Act.