Given the overwhelming evidence that Leave campaigners stretched funding rules beyond their legal limits, used covertly acquired Facebook data to target political advertising, and to put it bluntly cheated during the Referendum campaign, there is little surprise in the fact that Leave supporters are now urging their followers to use underhand methods to undermine the legitimacy of the Parliamentary Petition to revoke Article 50.
A handsome but somewhat callow-looking youth called Steven Edginton, the digital strategist for “Leave means Leave,” for example, claims – no doubt correctly though one never knows with people who consider their dishonesty virtuous – to have signed the petition three times in the names of Jean-Claude Junker, Donald Tusk and Michel Barnier.
Julia Hartley-Brewer has encouraged others to do the same, using, like Mr Edgington multiple email addresses. The purpose, obviously, is to undermine the legitimacy of the petition, so that however many signatures it garners it can be written off as untrustworthy and irrelevant.
Online parliamentary petitions are rather curious things. They have no statutory authority. Although the Petitions Committee (a House of Commons, not a Government body) promises to “respond” to all petitions receiving at least 10,000 signatures, and to “consider for debate” any receiving over 100,000, there is no mechanism for enforcing a refusal to respond or to organise a debate on a petition, no matter how many people sign it. I suppose if you wanted to waste a great deal of money on a pointless legal case there might be a theoretical possibility of judicially reviewing the Committee if it refused, without any reason, even to consider organising a debate on a wildly popular petition, but good luck with that if you want to give it a try; apart from anything else I’d guess that its proceedings would be covered by Parliamentary privilege. The petitions have only the most rudimentary security to prevent multiple voting, or voting in false names. They possess no more legal clout than a twitter poll, which is to say the same legal force as the 2016 Referendum: none whatever. Politically, I suppose they have a persuasive force ranking slightly above a twitter poll, but several orders of magnitude below the Referendum.
Nevertheless, according to James Patrick, who was formerly a police officer, anyone encouraging people to sign the petition in false or multiple names, and particularly anyone doing so themselves, is guilty of a criminal offence under S.3 of the Computer Misuse Act 1990. He advises those becoming aware of this behaviour to report it to the police.
It would be surprising if the police acted on any such complaint, except to tell the complainer to get a life and stop wasting police time with trivia, and indeed the West Midlands Police, at least, appear to have done just that (albeit in more polite language).
Thanks to the invaluable Threadreader App, here is Mr Patrick’s argument as he tweeted it:
Let’s talk about Section 3 of the super Computer Misuse Act of 1990, it’s the offence of messing with systems and systems data, and you can commit it just by being reckless.
If you do an unauthorised Act and know at the time you’re doing it’s unauthorised, you’re in trouble.
If you know is tested by evidence: so did you express knowledge it wasn’t authorised in a tweet, for example. Were there terms and conditions? Did you say you knew on TV, etc.
The next bit breaks down into two bits.
You can either be reckless as to whether your actions will complete the offence, or intend to do it.
The actions apply to any computer, program, or data. The actions are:
Impairing operation of a computer.
Preventing or hindering access to programs or data.
Impairing a program or the reliability of its data.
Enabling any of these three things.
So creating DDoS and false petition entries, for example, are obviously included.
Where the offence talks about actions it includes causing an act to be done and a series of acts.
Also, where it talks about impairing, preventing or hindering something, this includes temporarily.
So there’s no real escape from this offence.
Finally, it’s an either way offence. So it can be dealt with by magistrates (12 months in prison max) or by Crown Court trial (10 years in prison).
In the eyes of the law this offence is sufficiently serious to warrant a lengthy prison sentence.
With computer misuse having the capacity to affect every aspect of our economy, personal lives, and democracy, this is an important remedy to be aware of and a deterrent to all.
Hope you found this explainer useful. Have a good day.
I suggested to Mr Patrick that people following his advice and reporting people like Julia Hartley-Brewer to the police were more likely to be themselves arrested for wasting police time. His response was confident and unequivocal: “Utter horseshit.” He added that “a barrister should know better.”
He described others who expressed disagreement with him on the interpretation of the Computer Misuse Act as “dicks,” “nuggets” and “buffons.” They had “no understanding of the law” and were talking “drivel.” With his arrogance matched only by his bad manners it is perhaps just as well that Mr Patrick is no longer a police officer.
Anyway, let’s look, bit by bit, at S.3 of the Computer Misuse Act 1990 to see if signing the Petition multiple times, or in false names, is in fact an offence as Mr Patrick asserts.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
(a) he does any unauthorised act in relation to a computer;
(b) at the time when he does the act he knows that it is unauthorised; and
(c) either subsection (2) or subsection (3) below applies.
The first step is to see whether Ms Hartley-Brewer, or those following her advice, have done an “unauthorised act in relation to a computer.”
“Unauthorised act” (which includes a “series of acts”) is helpfully, if only partially, defined in S.17 (8).
“An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done)-
(a) is not himself a person who has responsibility for the computer …; and
(b) does not have consent to the act from any such person.
This helps to define “unauthorised,” not “act,” but there is clear authority that sending an email, for example, is an “act done in relation to a computer”: see DPP v. Lennon  EWHC 1201.
Normally, sending emails to a computer is an authorised act: the fact of having a computer configured to receive emails would imply consent to the act of sending an email to it, even if it is unwanted. Nevertheless, there are circumstances, in which consent is not implied: the sending of an email containing malicious software, for example, or (as in Lennon) the sending of millions of emails with intent to overwhelm a server.
When you sign a Parliamentary Petition you do not send an email. You enter your name and an email address into a box on the Parliamentary Petitions website, which then automatically sends a link to the email address which you have supplied. Once the link is clicked, the electronic signature is registered. There is nothing to stop you using a different email address to sign a second time, or indeed as many times as you have access to different email accounts. Nor is there anything to stop you giving a false name.
There is no relevant conceptual difference between clicking a link which registers on a computer, and sending an email. If sending an email is an “act done in relation to a computer,” so is clicking a link.
However, whether giving a false name, or signing multiple times, is an “unauthorised” act is not so clear.
Keep in mind that an act is “unauthorised” if the person doing the act (in this case signing the petition in a false name, or multiple times) does not have the “consent” of the “person with responsibility for the computer.” Quite who that “person” is I’m not sure, but we can pass over that minor problem for now.
A rather striking aspect of the website is that it contains no terms or conditions, and no warning that you are allowed to sign the petition only once. It does ask you to give your name and address, and to confirm that you are a British citizen or a UK resident.
But that’s it. There is no explicit prohibition on signing a petition multiple times or in the name of Jacob Rees-Mogg or Boris Johnson. If signing multiple times is to be regarded as “unauthorised” then a lack of consent must be implied. It is certainly not explicit.
We use this information to:
I suppose it might be argued that you are expected to sign only once, but that seems a remarkably vague basis upon which to base criminal liability when the system allows you to sign using as many email addresses as you have the use of.
And what of false names? The site asks for your name, but there may be many entirely legitimate reasons for not wanting to give your real name. For example, you might not want your identity to be published because, although you privately support the aim of the Petition, you want to do so anonymously. You might be a child (there is no age restriction) who does not want your parents to know about your Remainiac tendencies. Or, you might simply wish – as Ms Hartley-Brewer wishes – to make the whole Petition as unreliable as possible. As it’s a document with no legal force anyway, it would be odd if legal consequences flowed from not taking it as seriously as others think you should. It would be bizarre if signing it insincerely should expose you to a criminal prosecution.
If the website was deliberately bombarded with automatically generated fake signatures designed to cause it to crash that would be a different matter. No-one consents to their website being rendered unserviceable. Such a “denial of service” attack would be an unauthorised act, see Lennon above (a case in which a “mail bombing” program was used to send approximately 5 million emails with intent to “overwhelm” a company’s computer system).
But even if signing the petition in multiple false names could be considered a series of “unauthorised acts,” it still does not follow that it is criminal. To become a crime, it must be done with the requisite “mental element.” This is set out in subsections (2) and (3):
(2) This subsection applies if the person intends by doing the act–
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data; or
Subsection (3) provides that recklessness as to whether the act will do any of the things in subsection (2) paragraphs (a) to (c) will also suffice.
Although the Petitions website apparently crashed at the weekend under the weight of people signing the petition, there is no suggestion that Ms Hartley-Brewer or the callow youth on Channel 4 intended that to happen. On the contrary, their intention was to demonstrate that the apparently large numbers of people signing the petition were not to be taken at face value because it could so easily be manipulated, a perfectly reasonable point to make, if, perhaps, a rather childish way of making it. There is no evidence of any intent to “impair the operation of any computer” or indeed to “to prevent or hinder access to any program or data held in any computer.”
But if S.3 (2) (a) and (b) are not made out, what about (c)? Was there an intent“to impair … the reliability of data [held in the computer]?” Or if not an intent to do so, then recklessness that this would be the consequence?
The effect – and the intent – of signing with false names, or from multiple email addresses is that the numbers apparently signing the petition cannot be relied upon. Surely then that is an intent “to impair … the reliability of the data” held on whatever computer hosts the Petitions website?
Mr Patrick thinks so, and in a later tweet he referred to the Crown Prosecution Service legal guidance to make his point. As the CPS puts it:
“If a computer is caused to record information which shows that it came from one person, when it in fact came from someone else, that manifestly affects its reliability and thus the reliability of the data in the computer is impaired within the meaning of Section 3(2)(c).”
The quotation used by the CPS comes from the judgment of Lord Woolf CJ in Zezev v. Governor of Brixton Prison  EWHC Admin 589.
Unfortunately both the CPS and Mr Patrick appear to have taken a single sentence from Zezev and given it a weight which it is quite incapable of bearing. To explain why I am afraid we need to look at Zezev in a little detail.
The case involved a request for extradition by United States Government, which wanted to try Mr Zezev (and an accomplice) on charges of blackmail and conspiracy to modify a computer belonging to Bloombergs, the multinational news and financial information company. They had “gained unauthorised access to functions on the Bloomberg computer system,” and then blackmailed Bloombergs by threatening to reveal that their system was compromised. One of the principles of extradition law is that a person cannot be extradited unless the conduct alleged is a crime in both the requesting state (here the USA), and the state to which the request is made (the UK). Blackmail obviously satisfied this test, but it was argued on behalf of Mr Zezev that the evidence did not support the allegation that he had conspired to commit any computer crime under English law.
The CPS, on behalf of the United States, argued that he was guilty of conspiring to commit an offence under S.3 of the Computer Misuse Act, and the Court agreed. Unfortunately the judgment does not explain with much clarity exactly what it was that Zezev was meant to have done (I’m sure this was not because the judges themselves didn’t understand it) but it obviously went far beyond simply sending an email. Lord Woolf explained it like this:
“There was evidence against the applicant Zezev that he would use the computer so as to record the arrival of information which did not come from the purported source. In other words, the information would tell a lie about itself, namely that it had come from person A, when in fact it had come from person B.”
The crucial point is that Zezev himself used the computer he was accused of “misusing”; he had access to it, and somehow caused it to record incoming information incorrectly. Taken out of context the sentence on the CPS website makes it appear that Lord Woolf was laying down a general rule that sending an email containing incorrect information, or in a false name, can be considered an offence under the Computer Misuse Act. He was doing nothing of the sort.
So there it is. Whether or not you approve of Ms Hartley-Brewer’s actions, and whether or not you want Article 50 revoked (as I do, and I have signed the Petition, just the once and in my own name), you commit no crime by signing it multiple times, and you commit no crime by signing it in a false name either.