Is The Computer Misuse Act (1990) Appropriate?
The Computer Misuse Act (1990) and whether it Remains an Appropriate Legislative Instrument
David Reid
The Computer Misuse Act (UK) 1990 (CMA) was one of the earliest acts aimed at protecting the integrity and security of computer systems. However the rapid development of technology has raised concerns as to whether the act remains effective and appropriate.
Section 1: Hacking
The Computer Misuse Act was created to aid the prosecution of technological related crimes, commonly known as hacking. The most prominent case was R v Gold and Schifreen, where Robert Schifreen and Stephen Gold accessed British Telecom’s Viewdata service by “shoulder surfing” an engineer’s username and password. The credentials were very simple; this brought about concerns as to the integrity and security of computer system access. The pair were prosecuted under the Forgery and Counterfeiting Act 1981, and received a relatively small penalty – fined £750 and £600 respectively. This case threw into light the lack of legislature regarding crimes of this manner, and so the CMA was created.
Hacking is defined in Section 1 of the CMA as, “unauthorised access to any programme or data held in any computer”. This definition is moulded such that external hackers like Schifreen and Gold can be prosecuted easily. However it has not been as simple in other cases such as Ellis v DPP (No 1). In this case an ex-student was using other student accounts that had been left logged in in order to access computers in the campus library. It was argued whether it could be deemed unauthorised under section 1. Lord Woolf CJ however said that the access was still unauthorised and that statutory provisions were sufficiently wide to include use of the computers; Ellis was prosecuted under section 1 of the CMA.
The question “what is unauthorised access?” has been a cause of concern for many cases under section 1. The key early case was DPP v Bignell [1998] Div. Ct. in which married police officers accessed the police database in order to find the car of an ex-lover. Accessing the database was not unauthorised, but their use of it was and they were found to be guilty. Other cases that contributed confusion were, R v Bow Street Magistrate and Allison, ex parte US Govt [1999] HL, R v Ashley Mitchell 2011 and R v Cuthbert 2005 Mag Ct.
The media and other critics applied a lot of pressure for change. The government accepted the All Party Internet Group’s recommendations and section 1 became triable in either way, which was an amendment from section 35 of the Police and Justice Act (PJA) 2006.
A person guilty of the offence in section 1 can be sentenced to imprisonment of a term not exceeding 12 months or upon indictment, imprisonment to a term not exceeding 2 years. There is debate for increasing the sentencing tariff to 3 years so that it can be considered a “serious crime” and thereby have a deterrent effect. However the current tariff allows both significant sentencing power and the ability to prosecute for mere attempts at the offence.
In addition to the prosecuting powers of section 1, section 3a states that Making, supplying or obtaining articles for use in computer misuse offences, punishable by up to 2 years in prison or a fine or both. This has caused concern in the technology community as to how the distinction will be made between lawful and unlawful use of the software. Despite having flaws, it is likely that this shall be an effective deterrent from both section 1 and section 3 offenders and is a step in the protection of our computers.
Section 3: MÂodifying Computers and Denial of Service Attacks (DoS)
Section 3 of the CMA was originally designed to prohibit the creation and distribution of viruses under the idea that they cause “unauthorised modification”. Four years after the creation of the CMA, the internet sparked a change from isolated computer systems, into a worldwide network in which all computers could communicate. This caused a revolution in computer misuse and new vulnerabilities to computer security. These developments are cited as the main reasons for developing legislation in a technologically neutral manner, so as not to require regular updating.
Proof that this was needed was in the R v Lennon case; Lennon was accused of sending 5 million e-mails to his former employer causing a DoS attack. This is known as “mail-bombing” and causes the server to overflow preventing access to the network. However this attack could not be addressed under section 3 as the receiving system was designed to handle such e-mail messages and therefore could be viewed as authorised. The decision was reversed upon appeal, however it confirmed that “authorisation” remained unclear.
Another question that has arisen in regards to section 3, is how modification is viewed regarding DoS attacks. Distributed denial of service (DDoS) attacks involve the installation of software on computers in order to take control of them. It is uncertain whether this could be viewed as unauthorised modification. Therefore, under section 36 of the 2006 Police and Justice act “unauthorised modification” was amended to “unauthorised impairment”. This removes the idea that only erasing or modification of computer systems are liable, and criminalises DoS attacks.
However, by looking at the difference between reported cybercrime incidents and the number of prosecutions each year, you can see that there are a large number of cases that seem to be slipping through the justice system. It can be assumed that this is due to the rapidly changing internet a technologically neutral approach in legislation, as adopted in section 3, has been unable to predict new and innovative attacks. It seems that the CMA has been more effective in dealing with computer focused attacks than attacks upon computer network systems.
Section 4: Jurisdiction
Section 4 of the CMA states that “(1) Except as provided below in this section, it is immaterial for the purposes of any offence under section 1 or 3 above- (a) whether any act or other event proof of which is required for conviction of the offence occurred in the home country concerned; or (b) whether the accused was in the home country concerned at the time of any such act or event.” This is a very wide scope, however with the advances in technology, it can be avoided. For example, by hosting a website such as StormFront, a white supremacist page on a server in America, it cannot be taken down due to their right of free speech. However while the creator remains in the UK, he can be prosecuted.
Conclusion
Computer Misuse Act 1990
R v Gold and Schifreen 1988
Shoulder surfing – definition of shoulder surfing in … (n.d.). Retrieved October 21, 2016, from
Forgery and Counterfeiting Act 1981
Computer Misuse Act 1990, s.1 (CMA).
Ellis v DPP (No 1) 2001
DPP v Bignell
R v Bow Street Magistrate and Allison, ex parte US Govt [1999] HL
R v Ashley Mitchell 2011
R v Cuthbert 2005 Mag Ct
The House of Commons, Computer Misuse Act (Amendment) Bill (5th April 2005)
All Party Internet Group, “Revision of the Computer Misuse Act” (June 2004)
Police and justice act 2006
David S. Wall, Cybercrime: The Transformation of Cybercrime in the Information Age (Polity Press 2007).
R v Lennon, unreported, November 2, 2005, Wimbledon Magistrates‟ Court (on).
Computer Misuse Act 1990, s.4 (CMA).