Computer Misuse Act 1990

From Infogalactic: the planetary knowledge core
(Redirected from Computer Misuse Act)
Jump to: navigation, search
Computer Misuse Act 1990
Long title An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
Citation 1990 (c. 18)
Introduced by Michael Colvin
Territorial extent England and Wales; Scotland; Northern Ireland
Dates
Royal assent 29 June 1990
Commencement 29 August 1990
Other legislation
Amended by Criminal Justice and Public Order Act 1994, Criminal Justice (Terrorism and Conspiracy) Act 1998
Status: Amended
Text of statute as originally enacted
Revised text of statute as amended

The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063 (see below). Critics of the bill complained that it was introduced hastily and was poorly thought out.[who?] Intention, they said, was often difficult to prove, and that the bill inadequately differentiated "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime”.[1] Several amendments have been passed to keep the Act up to date.

R v Gold & Schifreen

Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a trade show, Schifreen by doing what latterly became known as shoulder surfing, had observed the password of a Prestel engineer:[citation needed] the username was 22222222 and the password was 1234. This later gave rise to subsequent accusations that BT had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip.

Prestel installed monitors on the suspect accounts and passed information thus obtained to the police. The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.

Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting Act had been misapplied to their conduct. They were acquitted by the Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988, the Lords upheld the acquittal.[2] Lord Justice Brandon said:

We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt[3] to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.

The Law Lords' ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. The English Law Commission (ELC) and its counterpart in Scotland both considered the matter. The Scottish Law Commission (SLC) concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the ELC believed a new law was necessary.

Since the case, both defendants have written extensively about IT matters. Gold, who detailed the entire case at some length in the Hacker's Handbook, has presented at conferences alongside the arresting officers in the case.[4]

The Computer Misuse Act

Based on the ELC's recommendations, a Private Member's Bill was introduced by Conservative MP Michael Colvin. The bill, supported by the government, came into effect in 1990. Sections 1-3 of the Act introduced three criminal offences:[5]

  1. unauthorised access to computer material, punishable by 12 months' imprisonment (or 6 months in Scotland) and/or a fine "not exceeding level 5 on the standard scale" (since 2015, unlimited);[6]
  2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 12 months/maximum fine (or 6 months in Scotland) on summary conviction and/or 5 years/fine on indictment;[7]
  3. unauthorised modification of computer material, punishable by 12 months/maximum fine (or 6 months in Scotland) on summary conviction and/or 10 years/fine on indictment;[8]

§§2–3 They intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The basic offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access. Hackers who program their computers to search through password permutations are therefore liable, even though all their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access attempted is unauthorised. Thus, using another person's username or identifier (ID) and password without proper authority to access data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitute the offence. Even if the initial access is authorised, subsequent exploration, if there is a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed. But looking over a user's shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs ("electronic eavesdropping") is outside the scope of this offence.

The §§2–3 offences are aggravated offences, requiring a specific intent to commit another offence (for these purposes, the other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty). So a hacker who obtains access to a system intending to transfer money or shares, intends to commit theft, or to obtain confidential information for blackmail or extortion. Thus, the §1 offence is committed as soon as the unauthorised access is attempted, and the §2 offence overtakes liability as soon as specific access is made for the criminal purpose. The §3 offence is specifically aimed at those who write and circulate a computer virus (see Simon Vallor) or worm, whether on a LAN or across networks. Similarly, using phishing techniques or a Trojan horse to obtain identity data or to acquire any other data from an unauthorised source, or modifying the operating system files or some aspect of the computer's functions to interfere with its operation or prevent access to any data, including the destruction of files, or deliberately generating code to cause a complete system malfunction, are all criminal "modifications". In 2004, John Thornley pleaded guilty to four offences under §3, having mounted an attack on a rival site, and introduced a Trojan horse to bring it down on several occasions, but it was recognized that the wording of the offence needed to be clarified to confirm that all forms of denial of service attack are included.[citation needed]

Implications for industry practices

Although the Act ostensibly targets those who wish to gain unauthorised access to computer systems for various purposes, its implications on previously relatively widespread or well-known industry practices such as the "time-locking" of software have been described in various computing industry publications.[9] Time-locking is the practice of disabling functionality or whole programs in order to ensure that software, potentially delivered on condition of further payment, will "expire" and thus no longer function.

Latest situation

The Schedule 1 Part II 'Conspiracy' of the Criminal Justice (Terrorism and Conspiracy) Act 1998 amended Section 8 (relevance of external law), Section 9(2)(b) (British citizenship immaterial: conspiracy) and Section 16 (application to Northern Ireland). For text see reference.[10]

In 2004, the All-Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill which sought to amend the CMA to comply with the European Convention on Cyber Crime.[11] Under its terms, the maximum sentence of imprisonment for breaching the Act changed from six months to two years. It also sought to explicitly criminalise denial-of-service attacks and other crimes facilitated by denial-of-service. The Bill did not receive Royal Assent because Parliament was prorogued.

Sections 35 to 38 of the Police and Justice Act 2006 contains amendments to the Computer Misuse Act 1990.

Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.

After the News International phone hacking scandal in 2011, there are ongoing discussions about amending the law to define "smart" phones (i.e. those with Internet browsers and other connectivity features) as computers under the Act. This amendment may also introduce a new offence of making information available with intent, i.e. publicly disclosing a password for someone's phone or computer so that others can access it illegally.[12]

In 2015 the Act was further amended by Part 2 sections 41 to 44 (plus others) of the Serious Crime Act 2015[13]

The amendments

The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006[14] are

  • Section 35. Unauthorised access to computer material, punishable by up to 2 years in prison or a fine or both.[15]
  • Section 36. Unauthorised acts with intent to impair operation of computer, etc. punishable by up to 10 years in prison or a fine or both.[16]
  • Section 37. Making, supplying or obtaining articles for use in computer misuse offences, punishable by up to 2 years in prison or a fine or both.[17]
  • Section 38. Transitional and saving provision.[18]

The amendments to the Computer Misuse Act 1990 by Part 2 of the Serious Crime Act 2015[13] are

  • Section 41. (New Section 3ZA of the Computer Misuse Act 1990). Unauthorised acts causing, or creating risk of, serious damage - punishable by up to 14 years in prison or a fine or both, possible life imprisonment where human welfare or national security were endangered.[19]
  • Section 42. Obtaining articles for purposes relating to computer misuse - amendments to Section 3A.[20]
  • Section 43. Territorial scope of computer misuse - amendments to Sections 4, 5 and 10 making the primary territorial scope the United Kingdom but can be world wide especially if perpetrator (or conspirators) is British and broke local law.[21]
  • Section 44. Savings - covers seizure and enactment amendments to Sections 10 and 16.[22]
  • Section 47. Serious Crime Prevention Orders: meaning of "Serous Offence" - adds Computer Misuse to list of serious crimes in the Serious Crime Act 2007 including being grounds for compulsory winding up of a company.[23]
  • Section 86. Transition and savings provisions - requires Sections 42 and 43 to be brought into force before they can be used.[24]
  • Schedule 1. Amendments to Serious Crimes Act 2007: Scotland - similar changes to Scottish law.[25]
  • Schedule 4. Minor and consequential amendments - changes Computer Misuse Act 1990 and the Armed Forces Act 2006.[26]

See also

References

Notes

  1. IISS Global Perspectives – Power in Cyberspace. Q&A with Nigel Inkster, Director, Transnational Threats and Political Risk, IISS. 18 January 2011.
  2. HL 21 April 1988, [1988] AC 1063 summary at [1]
  3. Here Lord Brandon alludes to the classical myth of Procrustes, who would stretch his victims (or cut off their legs) in order to fit a bed for which they were ill suited.
  4. Lua error in package.lua at line 80: module 'strict' not found.
  5. Computer Misuse Act 1990, s1 - s3
  6. http://www.legislation.gov.uk/ukpga/1990/18/section/1
  7. http://www.legislation.gov.uk/ukpga/1990/18/section/2
  8. http://www.legislation.gov.uk/ukpga/1990/18/section/3
  9. Lua error in package.lua at line 80: module 'strict' not found.
  10. Lua error in package.lua at line 80: module 'strict' not found.
  11. http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
  12. http://www.publications.parliament.uk/pa/cm201011/cmselect/cmstnprv/628/62805.htm
  13. 13.0 13.1 Lua error in package.lua at line 80: module 'strict' not found.
  14. Police and Justice Act 2006
  15. Police and Justice Act 2006, section 35
  16. Police and Justice Act 2006, section 36
  17. Police and Justice Act 2006, section 37
  18. Police and Justice Act 2006, section 38
  19. Serious Crime Act 2015, Section 41
  20. Serious Crime Act 2015, Section 42
  21. Serious Crime Act 2015, Section 43
  22. Serious Crime Act 2015, Section 44
  23. Serious Crime Act 2015, Section 47
  24. Serious Crime Act 2015, Section 86
  25. Serious Crime Act 2015, Schedule 1
  26. Serious Crime Act 2015, Schedule 4

External links

Retrieved from "https://infogalactic.com/w/index.php?title=Computer_Misuse_Act_1990&oldid=4467352"