What is the Computer Misuse Act?
The main purpose of the Computer Misuse Act (CMA) was to tackle cyber crime by making unauthorised access to, and modification of, computer data illegal.
The Act represented the first major legislative attempt to tackle cyber threats and criminalise hacking, viruses, malware, and spyware.
Why was the 1990 Computer Misuse Act introduced?
The Computer Misuse Act’s purpose was to regulate the growing world of computers, which back in 1990 was simply not adequately protected by law.
Concerns around the relevance of the existing legal framework to computers was brought to light with the 1987 case of Steve Gold and Robert Schifreen, who gained unauthorised access to a BT service, which eventually led to them accessing the Duke of Edinburgh’s email account. Their conviction under the Forgery and Counterfeiting Act 1981 was overturned on appeal, as the facts of the case did not match a criminal offence under existing legislation.
The Computer Misuse Act still governs the wider digital environment, with the internet, smart phones, and social media emerging in the decades after the Act first gained Royal Assent.
Main Provisions of the Act
The Computer Misuse Act applies to any digital operation with a significant link to the United Kingdom. This covers situations where a computer being targeted is in the UK; if the person responsible carried out the operation from the UK; if they used a server located in the UK; or if the resulting cyberattack caused damage within the country.
Section 1 of the Act criminalises hacking and what it describes as ‘unauthorized access to computer material’. A person is guilty of an unauthorised act if they attempt to access information that they are aware they are unauthorised to access.
Section 2 then addresses ‘unauthorized access with intent to commit, or facilitate commission of, further offenses’. This is when the hacker, already guilty under Section 1, has carried out the hacking because they intend to commit more crimes, such as extortion or fraud, using the data they have accessed.
Section 3 of the Act then refers to unauthorized acts with the intent to impair the operation of a computer, either recklessly or intentionally. Again, this section relies on a crime under Section 1 having been established and adds further penalties if the hacking meant to damage (such as through a virus) or alter the computer or computer system and its contents (such as through modifying, deleting data or introducing malware and spyware), or simply had this effect as a result of the unauthorised access.
All crimes under the Computer Misuse Act can result in a fine and potential imprisonment.
Subsequent Amendments to the Act
In recent years there have been a number of amendments to the Computer Misuse Act.
A 2006 addition to the original Computer Misuse Act, specifically outlawed the making, supplying or obtaining articles for use in an offense under Section. This now addressed the issue of people using malware, viruses and other such tools developed by others, for the purposes of hacking.
Where the original 1990 Act had for the first time explicitly criminalised activities which damaged computers, in 2015, a further provision was added in relation to serious damage. This 2015 addition significantly increased the penalties for ‘unauthorized acts causing, or creating risk of, serious damage’.
Under the 2015 change, ‘serious damage’ extended beyond the digital world and refered to damage to people, the environment, and States. The remit of the Act now expanded to cover the possibility of cyber-terrorism and a state backed cyber attack. Crimes which are committed, and which fall within the remit of ‘serious damage’, can now result in a maximum sentence of life imprisonment.
Examples of the Act in action
Over the years, a number of cyber criminals have been prosecuted under the Computer Misuse Act.
For example, in a 2013 case, the Crown (R) vs Martin, 2013, saw a defendant, who had hacked several websites including those of the Universities of Oxford and Cambridge, pleading guilty to breaches of Sections 1, 2, 3 and 3A and receiving a sentence of two years’ imprisonment.
In a 2014 case, the Crown (R) vs Brown, 2014, the offender, who was in possession of stolen bank details, was convicted of two crimes under Section 2 of the Act, as well as another count under the Fraud Act 2006, and sentenced to three years’ imprisonment, reduced to two on appeal.
In a 2018 case involving a minor, the Crown (R) v Mudd, the accused confessed of crimes under Sections 1 and 3, as well as concealing criminal property, which is a crime outside of the Computer Misuse Act. The defendant was sentenced to two years in a young offenders’ institution, which was reduced to 21 months on appeal.
In 2018, the Information Commissioner’s Office also prosecuted its first Computer Misuse Act case when a car accident repair firm employee repeatedly accessed personal data stored on a software system used by his firm with colleagues’ login details. The trial resulted in the defendant receiving a 6-month prison sentence.
Calls for Reform of the Computer Misuse Act
The Computer Misuse Act was designed to retain some flexibility in the face of a swiftly developing digital landscape.
For this reason, ‘computer’ is undefined in the Act, allowing prosecutors to easily apply it to crimes involving new technology, such as smartphones.
As discussed, the Computer Misuse Act has also been amended several times to uphold its relevance and effectivity in deterring cybercrime.
According to an analysis of figures from HM Courts and Tribunals Service in 2019 by tech news website the Register, there were 441 prosecutions under the Computer Misuse Act between 2007 and 2018. In 2018, nearly 90% of these prosecutions resulted in convictions. However, out of the total of 45 convictions in 2018, only nine resulted in immediate prison sentences. In 2018, it was also equally likely for offenders under the Computer Misuse Act to receive an official caution rather than prosecution. Critics of the Act say that these figures show an attitude towards computer misuse that is too forgiving, and do not sufficiently deter people from breaking the law in this way, citing rising rates of cybercrime.
Another concern with the Computer Misuse Act is that, since its introduction thirty years ago, an extensive cyber security research industry has developed. The Act is said to fail to sufficiently differentiate the activities of this cyber security industry from those of hackers seeking to commit crimes. Accordingly, so-called ‘white hat’ ethical hackers who test unauthorised access for research reasons, may be liable to prosecution under the current Act. Critics argue that this has worked to curtail the UK’s participation at the cutting edge of such research.
Computer Misuse Act in Full
The Computer Misuse Act can be read in full here.