Raphael Gray internet “hacker” exposes Microsoft security weaknesses

Posted: March 28th, 2001 | Author: Robyn Reed
Raphael Gray - Curador


Raphael was arrested at his home on 23 March 2000. Police and FBI agents arrived in the early hours of the morning. It was alleged that he had intruded into nine e-commerce websites in Britain, America, Canada, Thailand and Japan, taken details of some 26,000 credit card numbers, and disclosed some of the credit card information on the Internet.

Raphael, who was only 18 at the time, explained to the police and FBI when he was interviewed that he had been concerned for some time about the inherent security weakness in one particular make of software called Microsoft Internet Information Server. This inherent weakness enabled remote users to access information stored on computers using this software. Raphael explained that he had contacted a number of e-commerce sites using this software and pointed out the security weakness, but they had ignored him, and that he had also contacted Bill Gates, the Microsoft chief, who again ignored him. He went on to explain that he was known on the website as “Curador”, “Custodian” or “The Saint”, and that he finally decided the best way of bringing this to public attention was to publish some of the credit card numbers on a website which he set up. The prosecution accepted throughout that Raphael’s motivation was, first, to expose and publish the fact that the e-commerce retailers were not security conscious and, secondly, to broadcast the message that, due to their indifference to security, individuals ought not to entrust e-commerce retailers with their credit card details.
In this case Raphael initially faced a ten count indictment, each count alleging he caused a computer to perform a function with intent to secure unauthorised access and with attempt to facilitate the commission of an offence to which section 2 of the Computer Misuse Act 1990 applied. The case involved complex and novel points of law, and from the start there was intense media interest both in this country and abroad. At the plea and directions hearing on 20/10/00 Raphael entered not guilty pleas to all counts and the prosecution indicated they wished to serve an amended indictment. This was served a month later, when the prosecution put their case in an entirely different way.
The new indictment had six initial counts alleging an offence under the Computer Misuse Act 1990 section 2(1), alleging the defendant had committed an offence under section 3(1) of the Computer Misuse Act by doing an act which caused an unauthorised modification of the contents of a computer. The remaining four counts alleged obtaining services by deception on two separate occasions, by using a credit card number he had downloaded to set up two separate websites upon which to display the credit card information, and the related offences under the Computer Misuse Act section 2(1). This raised the totally new issue of modification. The defence instructed a computer security expert, Mr Peter Sommer, to advise on the complex issues of authorisation and modification, and he advised that what Raphael had done did not amount to modification of the contents of a computer as alleged by the prosecution in the first six counts.
On 28 March 2001 the prosecution indicated they would reduce the first six counts to section 1 charges of simple unauthorised access if the defendant pleaded guilty to the remaining four counts. After lengthy discussion Raphael agreed to this compromise and was finally given a two year community rehabilitation order.
As there was no trial the complex and novel issues of unauthorised access and modification of a computer were never decided, but undoubtedly these issues will come before the court again in the near future.

See the following BBC news articles regarding this case:




