Computer Misuse Act 1990

The Computer Misuse Act 1990 makes provision for securing computer material against unauthorised access or modification.

The Computer Misuse Act was created to criminalize unauthorized access to computer systems and to discourage the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The Act has been used to prosecute

The Computer Misuse Act also introduces more serious offences of unauthorised access with the intent to commit further criminal offences.

The CMA does not provide a definition of a computer; this is because it was feared that any definition would soon become out of date due to the rapidity with which technology develops.

Definition is therefore left to the courts, which are expected to adopt the contemporary meaning of the word. In DPP v McKeown, DPP v Jones [1997] 2 Cr App R 155, HL, at page 163, Lord Hoffmann defined a computer as a device for storing, processing and retrieving information.


Offences


The Computer Misuse Act 1990 introduces 3 offences for computer misuse:

  • Unauthorised access to computer material;
  • Unauthorised access with intent to commit or facilitate commission of further offences;
  • Unauthorised modification of computer material.

The Act does not cover denial of service attacks, which are dealt with under the Police and Justice Act 2006.


Penalties


Unauthorized Access is called a summary offence and penalties are limited to

  • 6 months' imprisonment and/or a maximum fine of £5000

The other two offences (Unauthorized access with intent… and Unauthorized modification…):

  • Are more serious and carry jail terms of up to 5 years and unlimited fines

Note: Maximum jail sentences for some hacking offences have been doubled under the Police and Justice Act 2006.


Background


The case of R v Schifreen 1988, in which Robert Schifreen and Stephen Gold gained unauthorised access to British Telecom's Prestel interactive viewdata service in 1984/1985, received significant attention because the defendants had also gained access to private emails belonging to Prince Philip. They were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600, but acquitted on appeal.

Many legal scholars believed that hacking was not unlawful as the law then stood. The English Law Commission and the Scottish Law Commission both considered the matter. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the Law Commission considered a new law was necessary.


Arrangement of sections


Computer misuse offences

1. Unauthorised access to computer material.

2. Unauthorised access with intent to commit or facilitate commission of further offences.

3. Unauthorised modification of computer material.

Jurisdiction

4. Territorial scope of offences under this Act.

5. Significant links with domestic jurisdiction.

6. Territorial scope of inchoate offences related to offences under this Act.

7. Territorial scope of inchoate offences related to offences under external law corresponding to offences under this Act.

8. Relevance of external law.

9. British citizenship immaterial.

Miscellaneous and general

10. Saving for certain law enforcement powers.

11. Proceedings for offences under section 1.

12. Conviction of an offence under section 1 in proceedings for an offence under section 2 or 3.

13. Proceedings in Scotland.

14. Search warrants for offences under section 1.

15. Extradition where Schedule 1 to the Extradition Act 1989 applies.

16. Application to Northern Ireland.

17. Interpretation.

18. Citation, commencement etc.


Definition of "access"


“Access” means:

  • Altering or erasing a program
  • Copying it or moving it to a different place
  • Using a program or data
  • Causing output from the computer

“Output” includes any login messages, so you are accessing a computer even before you have logged in! (This provision aims to deal with dial-in scanners.)


Hacking


Hacking is a crime under the Act, whether or not damage is done. Whilst hackers might argue that their motivation was 'testing security' or that they didn't break in because security was inadequate, the organisation still has to spend management, financial and other resources dealing with the intrusion.


Viruses


Writing & distributing viruses is covered by the Act (“…any act which causes unauthorised modification…”). It doesn’t matter that no damage is done, or that the “damage” is temporary. The best defence is good anti-virus software.


Case Study


  • An employee who is about to be made redundant finds the Managing Director’s password, logs into the computer system using this and looks at some confidential files - unauthorised access
  • Having received his redundancy notice he goes back in to try and cause some damage but fails to do so - unauthorised access with intent.
  • After asking a friend, he finds out how to delete files and wipes the main customer database - unauthorised modification

Police and Justice Act 2006


Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990.

  • Doubles the maximum jail sentence for some hacking offences.
  • Makes denial of service attacks illegal
  • Makes possession of some hacking tools illegal

Supervision and enforcement


The Computer Misuse Act 1990 is supervised by the Home Office, and prosecutions are dealt with by the Crown Prosecution Service in England and Wales. The CPS publishes guidance on the Act.


Reference


Computer Misuse Act 1990

UK/1990/C/18