In an interview with Core Politics, published by the Mail on Sunday, the Conservative MP for Saffron Walden said that she had hacked into the website of Labour politician Harriet Harman "a decade ago." At the time, she was a member of the (rival) Conservative party but was not yet an elected official. After guessing the website's username and password, Badenoch says, she "changed all the stuff in there to say nice things" about her own party. After the story came out, Badenoch apologized to Harman, who has accepted the statement and wishes to move on.
But the confession, which was reported on Sunday, has sent some people racing to grab copies of the Computer Misuse Act (CMA) 1990. Section 1 of the law clearly explains that a person is guilty of an offense if he or she knowingly accesses someone else's computer or data without permission. Technology lawyer Neil Brown said that "changing someone's website without their authorization would be a criminal offense if the person making the change knew that they did not have authority." So, on the face of it, it seems a fairly open-and-shut case, no matter how unsophisticated her attack.
But despite consternation from hackers and politicos, it's likely that the MP will escape censure for the hack. This is because in 2008, when the crime was committed, a breach of the CMA was a summary offense. Put simply, that's a crime considered trivial enough that it can be tried only in magistrates' court, the lowest tier of all England's and Wales' mainstream courts.
Since a Section 1 violation was seen as relatively trivial, it had a fairly short limit on when proceedings could be brought against it. At the time, law enforcement agencies would have needed to begin proceedings within six months. It's assumed that the attack took place in early 2008, so the time limit lapsed well before the end of that year.
In a lengthy thread on Twitter, barrister Greg Callus explained that the timing of Badenoch's hacking was extremely lucky. This is because a change in the law, dated from October 1st, 2008, made Section 1 offenses triable "either way." That's the sort of crime that can be tried either in lower courts or higher ones, depending on the facts of the case.
An "either way" offense is one where the magistrate can decide if their power to punish is equal to the severity of the crime. Hack your high school's website to say the principal smells and they'll probably deal with you themselves. Hack a rival politician's website during an election, however, and you may be referred to a superior court for more severe punishment.
Because Badenoch committed the crime while the previous legal regime was in place, she cannot now be punished. Callus says that "anyone demanding criminal charges, or suggesting a 2-year sentence might be forthcoming, will be disappointed." Lawyer Neil Brown confirmed that position, telling Engadget that "given the passage of time, it's unlikely that Ms. Badenoch could face prosecution."
The legislation, too, is now likely to come under further scrutiny, with University of Oxford researcher Andrew Dwyer tweeting that the "Computer Misuse Act is woefully inadequate in the definition of cybercrime." That won't provide much comfort to other politically motivated hackers who feel that something is wrong here. "Considering others have been prosecuted for similar, juvenile attacks on websites," former LulzSec member Mustafa Al-Bassam told The Guardian, "I'll be curious to see if the law will be applied equally." Sadly for him, it's likely that the law will be applied equally here too, just not in the way he is expecting.