Short Title: | Computer Misuse Act 1990 |
Type: | Act |
Parliament: | United Kingdom Parliament |
Long Title: | An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes. |
Statute Book Chapter: | 1990 c. 18 |
Introduced By: | Michael Colvin |
Royal Assent: | 29 June 1990 |
Commencement: | 29 August 1990 |
Status: | Amended |
Original Text: | http://www.legislation.gov.uk/ukpga/1990/18/enacted |
Revised Text: | http://www.legislation.gov.uk/ukpga/1990/18 |
The Computer Misuse Act 1990 (c. 18) is an act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063. Critics of the bill complained that it was introduced hastily, was poorly thought out, and that intention was often difficult to prove, with the bill inadequately differentiating "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime".[1] Several amendments have been passed to keep the Act up to date.
Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a trade show, Schifreen, by doing what latterly became known as shoulder surfing, had observed the password of a Prestel engineer. The engineer's username was 22222222 and the password used was 1234.[2] [3] This later gave rise to accusations that British Telecom (BT) had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip.
Prestel installed monitors on the suspect accounts and passed information thus obtained to the police. The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.
Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed that the Forgery and Counterfeiting Act had been misapplied to their conduct. They were acquitted by the Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988, the Lords upheld the acquittal.[4] Lord Justice Brandon said:
The Law Lords' ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. The English Law Commission and its counterpart in Scotland both considered the matter. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the English Law Commission believed a new law was necessary.
Since the case, both defendants have written extensively about IT matters. Gold, who detailed the entire case at some length in The Hacker's Handbook, has presented at conferences alongside the arresting officers in the case.[5]
Based on the ELC's recommendations, a private member's bill was introduced by Conservative MP Michael Colvin. The bill, supported by the government, came into effect in 1990. Sections 1-3 of the Act introduced three criminal offences:[6]
(For other offences see § The amendments below)
The sections 2 and 3 offences are intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The basic section 1 offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access. Hackers who program their computers to search through password permutations are therefore liable, even if their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access attempted is unauthorised. Thus, using another person's username or identifier (ID) and password without proper authority to access data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitute the offence. Even if the initial access is authorised, subsequent exploration, if there is a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed. Looking over a user's shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs ("electronic eavesdropping") is outside the scope of this offence.
The §§2–3 offences are aggravated offences, requiring a specific intent to commit another offence (for these purposes, the other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty). So a hacker who obtains access to a system intending to transfer money or shares, intends to commit theft, or to obtain confidential information for blackmail or extortion. Thus, the §1 offence is committed as soon as the unauthorised access is attempted, and the §2 offence overtakes liability as soon as specific access is made for the criminal purpose. The §3 offence is specifically aimed at those who write and circulate a computer virus or worm, whether on a LAN or across networks. Similarly, using phishing techniques or a Trojan horse to obtain identity data or to acquire any other data from an unauthorised source, or modifying the operating system files or some aspect of the computer's functions to interfere with its operation or prevent access to any data, including the destruction of files, or deliberately generating code to cause a complete system malfunction, are all criminal "modifications". In 2004, John Thornley pleaded guilty to four offences under §3, having mounted an attack on a rival site, and introduced a Trojan horse to bring it down on several occasions, but it was recognized that the wording of the offence needed to be clarified to confirm that all forms of denial of service attack are included.
Although the Act ostensibly targets those who wish to gain unauthorised access to computer systems for various purposes, its implications on previously relatively widespread or well-known industry practices such as the "time-locking" of software have been described in various computing industry publications. Time-locking is the practice of disabling functionality or whole programs in order to ensure that software, potentially delivered on condition of further payment, will "expire" and thus no longer function. In one featured case, a "developer of bespoke systems in the Midlands" activated a time lock on a piece of software over a dispute with a client about an unpaid bill. The client reported this to the police who charged the programmer under Section 3 of the Act, with the outcome being a conviction by a magistrates court, with a conditional discharge given by the magistrate meaning that no punishment was applied on condition that the programmer did not re-offend.[10]
Schedule 1 Part II of the Criminal Justice (Terrorism and Conspiracy) Act 1998 ('Conspiracy') amended Section 8 (relevance of external law), Section 9(2)(b) (British citizenship immaterial: conspiracy) and Section 16 (application to Northern Ireland).[11]
In 2004, the All-Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill which sought to amend the CMA to comply with the European Convention on Cyber Crime.[12] Under its terms, the maximum sentence of imprisonment for breaching the Act changed from six months to two years. It also sought to explicitly criminalise denial-of-service attacks and other crimes facilitated by denial-of-service. The Bill did not receive Royal Assent because Parliament was prorogued.
Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990.
Section 37 ("Making, supplying or obtaining articles for use in computer misuse offences") inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.
After the News International phone hacking scandal in 2011, there were discussions about amending the law to define "smart" phones (i.e. those with Internet browsers and other connectivity features) as computers under the Act. Such an amendment might also introduce a new offence of "making information available with intent", i.e. publicly disclosing a password for someone's phone or computer so that others can access it illegally.[13]
In 2015, the Act was further amended by Part 2 sections 41 to 44 (plus others) of the Serious Crime Act 2015.[14]
The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006[15] are
The amendments to the Computer Misuse Act 1990 by Part 2 of the Serious Crime Act 2015.[14] are
In April 2020, Matt Hancock issued directions giving GCHQ temporary powers over National Health Service information systems until the end of 2020 for the purposes of the Act to support and maintain the security of any network and information system which supports, directly or indirectly, the provision of NHS services or public health services intended to address COVID-19.[28]
In May 2021, UK Home Secretary Priti Patel announced the formal review of the Computer Misuse Act.[29] She also launched a Call for Information on the Act that seeks views on whether there is activity causing harm in the area covered by the Act that is not adequately covered by the offences, including whether the legislation is fit for use following the technological advances since the CMA was introduced, and any other suggestions on how the legislative response to cyber crime could be strengthened.[30]
The review of the Act follows growing calls, in recent year, for a complete government review of the Computer Misuse Act, in order to bring about new reforms.
In November 2019, Dame Lynne Owens, Director General of the National Crime Agency (NCA), warned that "the Computer Misuse Act went through Parliament at a time when cyber wasn't the tool that it is now is to enable all sorts of crimes like fraud" and talked about plans to introduce reforms to make sure the law was "fit for purpose in the modern age".
In January 2020, the Criminal Law Reform Now Network (CLRNN) published a comprehensive report highlighting the Act's shortcomings and making detailed recommendations for reform.[31]
In the same month, the CyberUp Campaign was established with the intention of lobbying the UK government to "update and upgrade" the Act. The Campaign's launch was covered by The Guardian in an article that echoed the call for "urgent reform".[32] The CyberUp Campaign is made up of a wide coalition of supportive bodies from within the cyber security industry, including the large cyber consultancies NCC Group and F-Secure and the cyber industry trade body TechUK. In November 2020, the campaign gained the backing of the Confederation of British Industry.
The coalition was formed based on the shared view that an update of the UK's cyber crime legislation is necessary to protect national security and to increase economic growth for the UK cyber security industry. The Campaign refers to Section 1 of the Act, "prohibiting unauthorised access to computers", stating that it inadvertently criminalises a large amount of cyber security and threat intelligence research and investigation which is frequently conducted by UK cyber security professionals.
The Campaign has called for two key amendments:
On 29 June 2020, to celebrate the Act's 30th birthday, the CyberUp Campaign wrote an open letter to the prime minister on behalf of a number of cyber security industry figures to highlight the Act's outdatedness in a time of rapid digital advancement. This was published in The Daily Telegraph, with the headline "Cyber security experts say they are being prevented from stopping computer fraud".[33]
In July 2020, the Intelligence and Security Committee of Parliament, responsible for oversight of the UK intelligence services, published the Intelligence and Security Committee Russia report and recommended that "the Computer Misuse Act should be updated to reflect modern use of personal electronic devices". While the government response to the report said that the Act was regularly reviewed to determine the benefits of legislative change, the Shadow Foreign Secretary, Lisa Nandy, highlighted in January 2021 that no progress had been made towards implementing the recommendation.
In November 2020, the CyberUp Campaign and TechUK published a new report[34] on the Computer Misuse Act, which was the first piece of work to quantify and analyse the views of the wider UK security community. The report found that 80 per cent of cyber security professionals have worried about breaking the law when researching vulnerabilities or investigating cyber threat actors. Furthermore, 91 per cent of businesses that responded to the report’s survey suggested they had been put at a competitive disadvantage by the Act, and that reform would allow their organisation to reap significant productivity improvements, growth and resilience benefits. The report recommended that the government consider implementing the two above amendments.