17 July 2020
The Computer Misuse Act 1990 is the UK's legal defense against hacking, allowing the state to prosecute those who use or access computers for malicious purposes.
Three decades since the law's enactment, rates of cybercrime are still rising year on year, and hackers are more powerful and effective than ever.
Has the Act kept up with the threats posed by modern-day hackers? Understanding this law is a key way for businesses with UK operations to keep cybercriminals out of their systems.
The Computer Misuse Act criminalizes several acts, including accessing data without authorization (i.e. hacking) and installing malware (e.g. computer viruses, spyware, or ransomware) on a person's computer.
The term "computer" is intentionally left undefined in the Act, in order to give the courts some flexibility in light of rapid changes in technology.
Consider the definition provided in the case of DPP v McKeown, DPP v Jones: "a device for storing, processing and retrieving information."
Or the following definitions, from the Council of Europe's Convention on Cybercrime:
It's reasonable to interpret "computer" as including desktop computers, laptops, mobile devices, and servers.
The Act can be used to prosecute crimes with a "significant link" to the UK. This can mean any of the following scenarios:
These rules also apply to conspiracy to commit an offense under the Act (e.g. planning to hack a computer that is located in the UK while located abroad).
The Computer Misuse Act is over 30 years old. Three decades is a long time in tech.
The Act has been amended several times over the years to add offenses covering cyber-terrorism and malware development.
According to tech website The Register, 422 cases were prosecuted under the Act between 2008 and 2018. Of these, 76 percent of cases resulted in a "guilty" verdict, which is a relatively high conviction rate. This suggests that the law is an effective tool against cybercrime.
However, only 16 percent of those convicted were immediately sentenced to prison, with a further 29 percent given a "suspended sentence" (meaning that the defendant can avoid prison if they meet certain conditions for a given time period).
Critics also say that the Act fails to recognize the value of "ethical" or "white hat" hacking, and could be used to prosecute developers of legitimate software.
Under the Computer Misuse Act, the "material" accessed by a hacker does not need to be personal data. However, it commonly is. Records of credit card details, names and addresses, national insurance numbers, etc., can all be used for identity fraud.
The Data Protection Act and the GDPR place specific obligations on businesses to secure personal data against attackers. Failing to do so could lead to penalties and private legal claims.
Some means by which to achieve compliance with the Data Protection Act and the GDPR include:
There are five criminal offenses listed in the Act. To make things simpler, we've numbered these offenses one to five, but they are more commonly referred to by the sections of the Act in which they appear.
The first offense listed in the Computer Misuse Act is "unauthorized access to computer material," which amounts to "hacking."
Here's how the main part of this offense appears, at Section 1 of the Act:
This offense occurs when a person knowingly uses a computer with an intent to obtain unauthorized access to any data or program stored on a computer. It covers remote or direct access, using the hacker's own computer or another computer.
The hacker must be aware that their access is unauthorized (i.e. they cannot commit this offense accidentally).
The hacker must intend to gain unauthorized access to some data or program, but not necessarily any specific data or program. Therefore, speculative access (i.e. to see if anything valuable exists on a computer) is covered.
A person can be guilty of the offense of "unauthorized access to computer material" if they have permission to access certain parts of a system but not others.
In the case of Regina v Bow Street ex p the U.S. Government, an employee who had some access to data on a computer was found guilty under the Act because he accessed information above his authority.
The court determined that "an employee should only be guilty of an offense if his employer has clearly defined the limits of the employee's authority to access a program or data."
Failing to clearly define the limits of your employees' access to data could leave you liable if they access unauthorized material.
Having a clear and robust IT Security Policy can help ensure your employees understand what data they can access and what data is off-limits.
The second offense under the Act is "unauthorized access with intent to commit or facilitate commission of further offenses."
Here's how the main part of this offense appears, at Section 2 of the Act:
This offense occurs when a person accesses a computer with the intention of committing a crime or enabling another person to commit a crime.
Examples include where a hacker accesses a computer in order to divert money to their account or the account of another unauthorized person (the secondary crime being theft) or to obtain compromising material about another person (blackmail).
The third offense under the Act is "unauthorized acts with intent to impair, or with recklessness as to impairing the operation of a computer."
Here's how the main part of this offense appears, at Section 3 of the Act:
This offense occurs where a person, without authorization, does something in relation to a computer with the intention to:
A person can also be guilty of this offense if they:
Cases prosecuted under this section may involve distributed denial of service (DDoS) attacks, where hackers flood a resource with web traffic in order to impair its functioning or prevent others from accessing it.
The fourth offense under the Act is "unauthorized acts causing, or creating risk of, serious damage."
This offense was added to the Act by a 2015 amendment.
Here's how the main part of this offense appears, at Section 3ZA of the Act:
This can be a very serious offense, carrying the threat of life imprisonment in the most serious cases (more information about penalties is provided below).
This offense covers damage to critical infrastructure such as power grids, communications networks, transport systems, etc. Such activities are intended to cause widespread harm and could occur as part of a terrorist or cyber warfare attack.
The fifth offense under the Act is "making, supplying or obtaining articles for use in an offense under Section 1, 3 or 3ZA" (what we've called "offenses 1, 3, and 4").
This offense was added to the Act by a 2006 amendment.
Here's how the main part of this offense appears, at Section 3A of the Act:
This offense covers the development, distribution, or obtaining of malware, password crackers, and other "hacker tools."
Such tools can be used by so-called "script kiddies," relatively inexperienced cybercriminals who use software created by others in order to obtain unauthorized access to, or cause damage to, a computer.
The "article" (program or data) must be "likely" to be used for hacking or other offenses. That is, the article doesn't need to have been developed in relation to a specific offense, but the developer must be shown to have believed that it would be used for such purposes.
All offenses listed in the Act, except offense four, are "either-way" offenses that could result in a "summary conviction" or an "indictment." Offense four is not triable "either way" and is only triable on indictment.
Whether a case is dealt with as a "summary trial" or a "trial on indictment" affects the maximum penalties available.
All criminal cases begin as "summary trials" at a magistrates' court or, in Scotland, at a sheriff court with a single sheriff. Summary trials carry lighter penalties, but they may be seen as less fair because they do not involve a jury.
A case may proceed to a "trial on indictment" if:
Trials on indictment are heard at the Crown Court or, in Scotland, at a sheriff court (but with a jury). They can result in more serious penalties.
For offenses one, two, three, and five, on summary conviction, the penalties can be:
Offense four is not eligible for a summary conviction.
For offense one, "unauthorized access to computer material," the penalties on indictment are:
For offense two, "unauthorized access with intent to commit or facilitate commission of further offenses," the penalties on indictment are:
For offense three, "unauthorized acts with intent to impair, or with recklessness as to impairing the operation of a computer," the penalties on indictment are:
For offense four, "unauthorized acts causing, or creating risk of, serious damage," the penalties on indictment are:
For offense five, "making, supplying or obtaining articles for use in an offense under Section 1, 3 or 3ZA," the penalties on indictment are:
In this overview of the Computer Misuse Act 1990, we've looked at the five criminal offenses punishable under the Act:
Defendants found guilty of any of these offenses can face fines and imprisonment.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.