fbpx
Wikipedia

Computer Misuse Act 1990

April 06, 2024

The Computer Misuse Act 1990 (c. 18) is an act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063. Critics of the bill[who?] complained that it was introduced hastily, was poorly thought out, and that intention was often difficult to prove, with the bill inadequately differentiating "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime".[1] Several amendments have been passed to keep the Act up to date.

Computer Misuse Act 1990
Act of Parliament
Long titleAn Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
Citation1990 c. 18
Introduced byMichael Colvin
Territorial extent 
  • England and Wales
  • Scotland
  • Northern Ireland
Dates
Royal assent29 June 1990
Commencement29 August 1990
Other legislation
Amended by
Status: Amended
Text of statute as originally enacted
Revised text of statute as amended

R v Gold & Schifreen edit

Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a trade show, Schifreen, by doing what latterly became known as shoulder surfing, had observed the password of a Prestel engineer.[citation needed] The engineer's username was 22222222 and the password used was 1234.[2][3] This later gave rise to accusations that British Telecom (BT) had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip.

Prestel installed monitors on the suspect accounts and passed information thus obtained to the police. The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.

Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed that the Forgery and Counterfeiting Act had been misapplied to their conduct. They were acquitted by the Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988, the Lords upheld the acquittal.[4] Lord Justice Brandon said:

We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt[5] to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.

The Law Lords' ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. The English Law Commission and its counterpart in Scotland both considered the matter. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the English Law Commission believed a new law was necessary.

Since the case, both defendants have written extensively about IT matters. Gold, who detailed the entire case at some length in The Hacker's Handbook, has presented at conferences alongside the arresting officers in the case.[6]

Further information: DPP v Lennon

The Computer Misuse Act edit

Based on the ELC's recommendations, a private member's bill was introduced by Conservative MP Michael Colvin. The bill, supported by the government, came into effect in 1990. Sections 1-3 of the Act introduced three criminal offences:[7][full citation needed]

  1. unauthorised access to computer material, punishable by twelve months' imprisonment (or six months in Scotland) and/or a fine "not exceeding level 5 on the standard scale" (since 2015, unlimited);[8]
  2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by twelve months/maximum fine (or six months in Scotland) on summary conviction and/or five years/fine on indictment;[9]
  3. unauthorised modification of computer material, punishable by twelve months/maximum fine (or six months in Scotland) on summary conviction and/or ten years/fine on indictment;[10]

(For other offences see § The amendments below)

The sections 2 and 3 offences are intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The basic section 1 offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access. Hackers who program their computers to search through password permutations are therefore liable, even if their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access attempted is unauthorised. Thus, using another person's username or identifier (ID) and password without proper authority to access data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitute the offence. Even if the initial access is authorised, subsequent exploration, if there is a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed. Looking over a user's shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs ("electronic eavesdropping") is outside the scope of this offence.

The §§2–3 offences are aggravated offences, requiring a specific intent to commit another offence (for these purposes, the other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty). So a hacker who obtains access to a system intending to transfer money or shares, intends to commit theft, or to obtain confidential information for blackmail or extortion. Thus, the §1 offence is committed as soon as the unauthorised access is attempted, and the §2 offence overtakes liability as soon as specific access is made for the criminal purpose. The §3 offence is specifically aimed at those who write and circulate a computer virus or worm, whether on a LAN or across networks. Similarly, using phishing techniques or a Trojan horse to obtain identity data or to acquire any other data from an unauthorised source, or modifying the operating system files or some aspect of the computer's functions to interfere with its operation or prevent access to any data, including the destruction of files, or deliberately generating code to cause a complete system malfunction, are all criminal "modifications". In 2004, John Thornley pleaded guilty to four offences under §3, having mounted an attack on a rival site, and introduced a Trojan horse to bring it down on several occasions, but it was recognized that the wording of the offence needed to be clarified to confirm that all forms of denial of service attack are included.[citation needed]

Implications for industry practices edit

Although the Act ostensibly targets those who wish to gain unauthorised access to computer systems for various purposes, its implications on previously relatively widespread or well-known industry practices such as the "time-locking" of software have been described in various computing industry publications. Time-locking is the practice of disabling functionality or whole programs in order to ensure that software, potentially delivered on condition of further payment, will "expire" and thus no longer function. In one featured case, a "developer of bespoke systems in the Midlands" activated a time lock on a piece of software over a dispute with a client about an unpaid bill. The client reported this to the police who charged the programmer under Section 3 of the Act, with the outcome being a conviction by a magistrates court, with a conditional discharge given by the magistrate meaning that no punishment was applied on condition that the programmer did not re-offend.[11]

Latest situation edit

Schedule 1 Part II of the Criminal Justice (Terrorism and Conspiracy) Act 1998 ('Conspiracy') amended Section 8 (relevance of external law), Section 9(2)(b) (British citizenship immaterial: conspiracy) and Section 16 (application to Northern Ireland).[12]

In 2004, the All-Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill which sought to amend the CMA to comply with the European Convention on Cyber Crime.[13] Under its terms, the maximum sentence of imprisonment for breaching the Act changed from six months to two years. It also sought to explicitly criminalise denial-of-service attacks and other crimes facilitated by denial-of-service. The Bill did not receive Royal Assent because Parliament was prorogued.

Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990.

Section 37 ("Making, supplying or obtaining articles for use in computer misuse offences") inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.

After the News International phone hacking scandal in 2011, there were discussions about amending the law to define "smart" phones (i.e. those with Internet browsers and other connectivity features) as computers under the Act.[citation needed] Such an amendment might also introduce a new offence of "making information available with intent", i.e. publicly disclosing a password for someone's phone or computer so that others can access it illegally.[14][failed verification]

In 2015, the Act was further amended by Part 2 sections 41 to 44 (plus others) of the Serious Crime Act 2015.[15]

The amendments edit

The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006[16] are

  • Section 35. Unauthorised access to computer material, punishable by up to two years in prison or a fine or both.[17]
  • Section 36. Unauthorised acts with intent to impair operation of computer, etc. punishable by up to ten years in prison or a fine or both.[18]
  • Section 37. Making, supplying or obtaining articles for use in computer misuse offences, punishable by up to two years in prison or a fine or both.[19]
  • Section 38. Transitional and saving provision.[20]

The amendments to the Computer Misuse Act 1990 by Part 2 of the Serious Crime Act 2015.[15] are

  • Section 41 (new Section 3ZA of the Computer Misuse Act 1990). Unauthorised acts causing, or creating risk of, serious damage – punishable by up to 14 years in prison or a fine or both, possible life imprisonment where human welfare or national security were endangered.[21]
  • Section 42. Obtaining articles for purposes relating to computer misuse – amendments to Section 3A.[22]
  • Section 43. Territorial scope of computer misuse - amendments to Sections 4, 5 and 10 making the primary territorial scope the United Kingdom but can be worldwide especially if the perpetrator (or conspirators) is British and broke local law.[23]
  • Section 44. Savings – covers seizure and enactment amendments to Sections 10 and 16.[24]
  • Section 47. Serious Crime Prevention Orders: meaning of "Serious Offence" - adds Computer Misuse to list of serious crimes in the Serious Crime Act 2007 including being grounds for compulsory winding up of a company.[25]
  • Section 86. Transition and savings provisions – requires Sections 42 and 43 to be brought into force before they can be used.[26]
  • Schedule 1. Amendments to Serious Crimes Act 2007: Scotland – similar changes to Scottish law.[27]
  • Schedule 4. Minor and consequential amendments – changes Computer Misuse Act 1990 and the Armed Forces Act 2006.[28]

Application to the NHS edit

In April 2020, Matt Hancock issued directions giving GCHQ temporary powers over National Health Service information systems until the end of 2020 for the purposes of the Act to support and maintain the security of any network and information system which supports, directly or indirectly, the provision of NHS services or public health services intended to address COVID-19.[29]

Reform edit

In May 2021, UK Home Secretary Priti Patel announced the formal review of the Computer Misuse Act.[30] She also launched a Call for Information on the Act that seeks views on whether there is activity causing harm in the area covered by the Act that is not adequately covered by the offences, including whether the legislation is fit for use following the technological advances since the CMA was introduced, and any other suggestions on how the legislative response to cyber crime could be strengthened.[31]

The review of the Act follows growing calls, in recent year, for a complete government review of the Computer Misuse Act, in order to bring about new reforms.

In November 2019, Dame Lynne Owens, Director General of the National Crime Agency (NCA), warned that "the Computer Misuse Act went through Parliament at a time when cyber wasn't the tool that it is now is to enable all sorts of crimes like fraud" and talked about plans to introduce reforms to make sure the law was "fit for purpose in the modern age".[citation needed]

In January 2020, the Criminal Law Reform Now Network (CLRNN) published a comprehensive report highlighting the Act's shortcomings and making detailed recommendations for reform.[32]

In the same month, the CyberUp Campaign was established with the intention of lobbying the UK government to "update and upgrade" the Act. The Campaign's launch was covered by The Guardian in an article that echoed the call for "urgent reform".[33] The CyberUp Campaign is made up of a wide coalition of supportive bodies from within the cyber security industry, including the large cyber consultancies NCC Group and F-Secure and the cyber industry trade body TechUK. In November 2020, the campaign gained the backing of the Confederation of British Industry.

The coalition was formed based on the shared view that an update of the UK's cyber crime legislation is necessary to protect national security and to increase economic growth for the UK cyber security industry. The Campaign refers to Section 1 of the Act, "prohibiting unauthorised access to computers", stating that it inadvertently criminalises a large amount of cyber security and threat intelligence research and investigation which is frequently conducted by UK cyber security professionals.

The Campaign has called for two key amendments:

  1. Amend the law to allow cyber security and threat intelligence researchers acting in the public interest to explain and justify their actions and to allow the detection or prevention of crime.
  2. Create a set of clear legal definitions to ensure that cyber security and threat intelligence researchers who reasonably believe they have authorisation to act can legitimately do so.

On 29 June 2020, to celebrate the Act's 30th birthday, the CyberUp Campaign wrote an open letter to the prime minister on behalf of a number of cyber security industry figures to highlight the Act's outdatedness in a time of rapid digital advancement. This was published in The Daily Telegraph, with the headline "Cyber security experts say they are being prevented from stopping computer fraud".[34][verification needed]

In July 2020, the Intelligence and Security Committee of Parliament, responsible for oversight of the UK intelligence services, published the Intelligence and Security Committee Russia report and recommended that "the Computer Misuse Act should be updated to reflect modern use of personal electronic devices". While the government response to the report said that the Act was regularly reviewed to determine the benefits of legislative change, the Shadow Foreign Secretary, Lisa Nandy, highlighted in January 2021 that no progress had been made towards implementing the recommendation.

In November 2020, the CyberUp Campaign and TechUK published a new report[35][unreliable source?] on the Computer Misuse Act, which was the first piece of work to quantify and analyse the views of the wider UK security community. The report found that 80 per cent of cyber security professionals have worried about breaking the law when researching vulnerabilities or investigating cyber threat actors. Furthermore, 91 per cent of businesses that responded to the report’s survey suggested they had been put at a competitive disadvantage by the Act, and that reform would allow their organisation to reap significant productivity improvements, growth and resilience benefits. The report recommended that the government consider implementing the two above amendments.

See also edit

References edit

  • Neil MacEwan, "The Computer Misuse Act 1990: lessons from its past and predictions for its future" (2008), Criminal Law Review 955.
  • Stefan Fafinski, Computer Misuse: Response, Regulation and the Law (Cullomption, Willan 2009)
  • Yaman Akdeniz, Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses! (1996) 3 Web JCLI [2] including reference to the case of Christopher Pile (aka 'the Black Baron') in November 1995.
  • Derek Wyatt,

Notes edit

  1. ^ IISS Global Perspectives – Power in Cyberspace. Q&A with Nigel Inkster, Director, Transnational Threats and Political Risk, IISS. 18 January 2011.
  2. ^ Lee, Mark (Autumn 2014). "Lecture 2: Legal Perspectives" (PDF). School of Computer Science. Professional Computing. University of Birmingham. p. 13. Retrieved 19 May 2017.
  3. ^ Murray, Andrew (2016). Information Technology Law: The Law and Society (3rd ed.). Oxford University Press. p. 358. ISBN 978-0-19-873246-4. Retrieved 19 May 2017.
  4. ^ HL 21 April 1988, [1988] AC 1063 summary at [1]
  5. ^ Here Lord Brandon alludes to the classical myth of Procrustes, who would stretch his victims (or cut off their legs) in order to fit a bed for which they were ill suited.
  6. ^ Leyden, John (13 January 2015). "'80s hacker turned journo, IT crime ace Steve Gold logs off". The Register. Retrieved 14 January 2015.
  7. ^ Computer Misuse Act 1990, s1 - s3
  8. ^ "Computer Misuse Act 1990; 1990 c. 18 Computer misuse offences Section 1". legislation.gov.uk. Retrieved 2 May 2019.
  9. ^ "Computer Misuse Act 1990, section 2". www.legislation.gov.uk. from the original on 26 September 2010. Retrieved 14 June 2021.
  10. ^ "Computer Misuse Act 1990, section 3". www.legislation.gov.uk. from the original on 26 September 2010. Retrieved 14 June 2021.
  11. ^ Naylor, Chris (July 1994). "Locked up". Personal Computer World. pp. 470–471.
  12. ^ "Criminal Justice (Terrorism and Conspiracy) Act 1998 Schedule 1". legislation.gov.uk. The National Archives. Retrieved 24 March 2015.
  13. ^ "Full list".
  14. ^ "House of Commons - Privilege: Hacking of Members' mobile phones - Standards and Privileges Committee".
  15. ^ a b "Serious Crime Act of 2015" (PDF). UK Government. Retrieved 30 December 2015.
  16. ^ "Police and Justice Act 2006". www.legislation.gov.uk. from the original on 26 September 2010. Retrieved 14 June 2021.
  17. ^ "Police and Justice Act 2006, section 35". www.legislation.gov.uk. from the original on 29 October 2010. Retrieved 14 June 2021.
  18. ^ "Police and Justice Act 2006, section 36". www.legislation.gov.uk. from the original on 31 October 2010. Retrieved 14 June 2021.
  19. ^ "Police and Justice Act 2006, section 37". www.legislation.gov.uk. from the original on 29 October 2010. Retrieved 14 June 2021.
  20. ^ Police and Justice Act 2006, section 38
  21. ^ "Serious Crime Act 2015, section 41". www.legislation.gov.uk. from the original on 13 July 2015. Retrieved 14 June 2021.
  22. ^ "Serious Crime Act 2015, section 42". www.legislation.gov.uk. from the original on 5 February 2016. Retrieved 14 June 2021.
  23. ^ "Serious Crime Act 2015, section 43". www.legislation.gov.uk. from the original on 10 July 2016. Retrieved 14 June 2021.
  24. ^ "Serious Crime Act 2015, section 44". www.legislation.gov.uk. from the original on 21 June 2016. Retrieved 14 June 2021.
  25. ^ "Serious Crime Act 2015, section 47". www.legislation.gov.uk. from the original on 28 March 2016. Retrieved 14 June 2021.
  26. ^ "Serious Crime Act 2015, section 86". www.legislation.gov.uk. from the original on 6 January 2016. Retrieved 14 June 2021.
  27. ^ "Serious Crime Act 2015, schedule 1". www.legislation.gov.uk. from the original on 11 September 2016. Retrieved 14 June 2021.
  28. ^ "Serious Crime Act 2015, section 4". www.legislation.gov.uk. from the original on 4 May 2015. Retrieved 14 June 2021.
  29. ^ Carding, Nick (29 April 2020). "Hancock grants GCHQ powers over NHS IT systems". Health Service Journal. Retrieved 8 June 2020.
  30. ^ "Home Secretary Priti Patel speech to CyberUK Conference". GOV.UK. 11 May 2021. from the original on 11 May 2021. Retrieved 15 June 2021.
  31. ^ "Computer Misuse Act 1990: call for information". GOV.UK. 11 May 2021. from the original on 11 May 2021. Retrieved 15 June 2021.
  32. ^ "Reforming the Computer Misuse Act 1990". CLRNN. from the original on 18 January 2021. Retrieved 15 June 2021.
  33. ^ Bowcott, Owen (22 January 2020). "Cybercrime laws need urgent reform to protect UK, says report". The Guardian. Retrieved 22 January 2021.
  34. ^ Bowcott, Owen (29 June 2020). "Cyber security experts say they are being prevented from stopping computer fraud because criminals have to let them access machines". The Daily Telegraph. Retrieved 22 January 2021.
  35. ^ "4 out of 5 cyber security professionals worry about breaking the law when defending UK, report finds". CyberUp Campaign. from the original on 19 November 2020. Retrieved 23 January 2021.

External links edit

 
Wikisource has original text related to this article:
Computer Misuse Act 1990
  • The Internet Crime Forum
  • EURIM – IPPR E-Crime Study
  • Wording of the failed 2004 amendment bill
  • Amendments to the Computer Misuse Act 1990 covered by the Open Rights Group
  • A list of Computer Misuse Act cases compiled by Michael J L Turner

April 06, 2024
computer, misuse, 1990, this, article, needs, additional, citations, verification, please, help, improve, this, article, adding, citations, reliable, sources, unsourced, material, challenged, removed, find, sources, news, newspapers, books, scholar, jstor, jan. This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources Computer Misuse Act 1990 news newspapers books scholar JSTOR January 2009 Learn how and when to remove this template message The Computer Misuse Act 1990 c 18 is an act of the Parliament of the United Kingdom introduced partly in response to the decision in R v Gold amp Schifreen 1988 1 AC 1063 Critics of the bill who complained that it was introduced hastily was poorly thought out and that intention was often difficult to prove with the bill inadequately differentiating joyriding hackers like Gold and Schifreen from serious computer criminals The Act has nonetheless become a model from which several other countries including Canada and the Republic of Ireland have drawn inspiration when subsequently drafting their own information security laws as it is seen as a robust and flexible piece of legislation in terms of dealing with cybercrime 1 Several amendments have been passed to keep the Act up to date Computer Misuse Act 1990Act of ParliamentUnited Kingdom ParliamentLong titleAn Act to make provision for securing computer material against unauthorised access or modification and for connected purposes Citation1990 c 18Introduced byMichael ColvinTerritorial extent England and WalesScotlandNorthern IrelandDatesRoyal assent29 June 1990Commencement29 August 1990Other legislationAmended byCriminal Justice and Public Order Act 1994Criminal Justice Terrorism and Conspiracy Act 1998Police and Justice Act 2006Serious Crime Act 2015Status AmendedText of statute as originally enactedRevised text of statute as amended Contents 1 R v Gold amp Schifreen 2 The Computer Misuse Act 3 Implications for industry practices 4 Latest situation 4 1 The amendments 5 Application to the NHS 6 Reform 7 See also 8 References 9 Notes 10 External linksR v Gold amp Schifreen editRobert Schifreen and Stephen Gold using conventional home computers and modems in late 1984 and early 1985 gained unauthorised access to British Telecom s Prestel interactive viewdata service While at a trade show Schifreen by doing what latterly became known as shoulder surfing had observed the password of a Prestel engineer citation needed The engineer s username was 22222222 and the password used was 1234 2 3 This later gave rise to accusations that British Telecom BT had not taken security seriously Armed with this information the pair explored the system even gaining access to the personal message box of Prince Philip Prestel installed monitors on the suspect accounts and passed information thus obtained to the police The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a false instrument namely the internal condition of BT s equipment after it had processed Gold s eavesdropped password Tried at Southwark Crown Court they were convicted on specimen charges five against Schifreen four against Gold and fined respectively 750 and 600 Although the fines imposed were modest they elected to appeal to the Criminal Division of the Court of Appeal Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits and claimed that the Forgery and Counterfeiting Act had been misapplied to their conduct They were acquitted by the Lord Justice Lane but the prosecution appealed to the House of Lords In 1988 the Lords upheld the acquittal 4 Lord Justice Brandon said We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case The submissions at the close of the prosecution case should have succeeded It is a conclusion which we reach without regret The Procrustean attempt 5 to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated The appellants conduct amounted in essence as already stated to dishonestly gaining access to the relevant Prestel data bank by a trick That is not a criminal offence If it is thought desirable to make it so that is a matter for the legislature rather than the courts The Law Lords ruling led many legal scholars to believe that hacking was not unlawful as the law then stood The English Law Commission and its counterpart in Scotland both considered the matter The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception but the English Law Commission believed a new law was necessary Since the case both defendants have written extensively about IT matters Gold who detailed the entire case at some length in The Hacker s Handbook has presented at conferences alongside the arresting officers in the case 6 Further information DPP v LennonThe Computer Misuse Act editBased on the ELC s recommendations a private member s bill was introduced by Conservative MP Michael Colvin The bill supported by the government came into effect in 1990 Sections 1 3 of the Act introduced three criminal offences 7 full citation needed unauthorised access to computer material punishable by twelve months imprisonment or six months in Scotland and or a fine not exceeding level 5 on the standard scale since 2015 unlimited 8 unauthorised access with intent to commit or facilitate commission of further offences punishable by twelve months maximum fine or six months in Scotland on summary conviction and or five years fine on indictment 9 unauthorised modification of computer material punishable by twelve months maximum fine or six months in Scotland on summary conviction and or ten years fine on indictment 10 For other offences see The amendments below The sections 2 and 3 offences are intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer The basic section 1 offence is to attempt or achieve access to a computer or the data it stores by inducing a computer to perform any function with intent to secure access Hackers who program their computers to search through password permutations are therefore liable even if their attempts to log on are rejected by the target computer The only precondition to liability is that the hacker should be aware that the access attempted is unauthorised Thus using another person s username or identifier ID and password without proper authority to access data or a program or to alter delete copy or move a program or data or simply to output a program or data to a screen or printer or to impersonate that other person using e mail online chat web or other services constitute the offence Even if the initial access is authorised subsequent exploration if there is a hierarchy of privileges in the system may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed Looking over a user s shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs electronic eavesdropping is outside the scope of this offence The 2 3 offences are aggravated offences requiring a specific intent to commit another offence for these purposes the other offences are to be arrestable and so include all the major common law and statutory offences of fraud and dishonesty So a hacker who obtains access to a system intending to transfer money or shares intends to commit theft or to obtain confidential information for blackmail or extortion Thus the 1 offence is committed as soon as the unauthorised access is attempted and the 2 offence overtakes liability as soon as specific access is made for the criminal purpose The 3 offence is specifically aimed at those who write and circulate a computer virus or worm whether on a LAN or across networks Similarly using phishing techniques or a Trojan horse to obtain identity data or to acquire any other data from an unauthorised source or modifying the operating system files or some aspect of the computer s functions to interfere with its operation or prevent access to any data including the destruction of files or deliberately generating code to cause a complete system malfunction are all criminal modifications In 2004 John Thornley pleaded guilty to four offences under 3 having mounted an attack on a rival site and introduced a Trojan horse to bring it down on several occasions but it was recognized that the wording of the offence needed to be clarified to confirm that all forms of denial of service attack are included citation needed Implications for industry practices editAlthough the Act ostensibly targets those who wish to gain unauthorised access to computer systems for various purposes its implications on previously relatively widespread or well known industry practices such as the time locking of software have been described in various computing industry publications Time locking is the practice of disabling functionality or whole programs in order to ensure that software potentially delivered on condition of further payment will expire and thus no longer function In one featured case a developer of bespoke systems in the Midlands activated a time lock on a piece of software over a dispute with a client about an unpaid bill The client reported this to the police who charged the programmer under Section 3 of the Act with the outcome being a conviction by a magistrates court with a conditional discharge given by the magistrate meaning that no punishment was applied on condition that the programmer did not re offend 11 Latest situation editSchedule 1 Part II of the Criminal Justice Terrorism and Conspiracy Act 1998 Conspiracy amended Section 8 relevance of external law Section 9 2 b British citizenship immaterial conspiracy and Section 16 application to Northern Ireland 12 In 2004 the All Party Internet Group published its review of the law and highlighted areas for development Their recommendations led to the drafting of the Computer Misuse Act 1990 Amendment Bill which sought to amend the CMA to comply with the European Convention on Cyber Crime 13 Under its terms the maximum sentence of imprisonment for breaching the Act changed from six months to two years It also sought to explicitly criminalise denial of service attacks and other crimes facilitated by denial of service The Bill did not receive Royal Assent because Parliament was prorogued Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990 Section 37 Making supplying or obtaining articles for use in computer misuse offences inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals as many of their tools can be used by criminals in addition to their legitimate purposes and thus fall under section 3A After the News International phone hacking scandal in 2011 there were discussions about amending the law to define smart phones i e those with Internet browsers and other connectivity features as computers under the Act citation needed Such an amendment might also introduce a new offence of making information available with intent i e publicly disclosing a password for someone s phone or computer so that others can access it illegally 14 failed verification In 2015 the Act was further amended by Part 2 sections 41 to 44 plus others of the Serious Crime Act 2015 15 The amendments edit The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006 16 are Section 35 Unauthorised access to computer material punishable by up to two years in prison or a fine or both 17 Section 36 Unauthorised acts with intent to impair operation of computer etc punishable by up to ten years in prison or a fine or both 18 Section 37 Making supplying or obtaining articles for use in computer misuse offences punishable by up to two years in prison or a fine or both 19 Section 38 Transitional and saving provision 20 The amendments to the Computer Misuse Act 1990 by Part 2 of the Serious Crime Act 2015 15 are Section 41 new Section 3ZA of the Computer Misuse Act 1990 Unauthorised acts causing or creating risk of serious damage punishable by up to 14 years in prison or a fine or both possible life imprisonment where human welfare or national security were endangered 21 Section 42 Obtaining articles for purposes relating to computer misuse amendments to Section 3A 22 Section 43 Territorial scope of computer misuse amendments to Sections 4 5 and 10 making the primary territorial scope the United Kingdom but can be worldwide especially if the perpetrator or conspirators is British and broke local law 23 Section 44 Savings covers seizure and enactment amendments to Sections 10 and 16 24 Section 47 Serious Crime Prevention Orders meaning of Serious Offence adds Computer Misuse to list of serious crimes in the Serious Crime Act 2007 including being grounds for compulsory winding up of a company 25 Section 86 Transition and savings provisions requires Sections 42 and 43 to be brought into force before they can be used 26 Schedule 1 Amendments to Serious Crimes Act 2007 Scotland similar changes to Scottish law 27 Schedule 4 Minor and consequential amendments changes Computer Misuse Act 1990 and the Armed Forces Act 2006 28 Application to the NHS editIn April 2020 Matt Hancock issued directions giving GCHQ temporary powers over National Health Service information systems until the end of 2020 for the purposes of the Act to support and maintain the security of any network and information system which supports directly or indirectly the provision of NHS services or public health services intended to address COVID 19 29 Reform editIn May 2021 UK Home Secretary Priti Patel announced the formal review of the Computer Misuse Act 30 She also launched a Call for Information on the Act that seeks views on whether there is activity causing harm in the area covered by the Act that is not adequately covered by the offences including whether the legislation is fit for use following the technological advances since the CMA was introduced and any other suggestions on how the legislative response to cyber crime could be strengthened 31 The review of the Act follows growing calls in recent year for a complete government review of the Computer Misuse Act in order to bring about new reforms In November 2019 Dame Lynne Owens Director General of the National Crime Agency NCA warned that the Computer Misuse Act went through Parliament at a time when cyber wasn t the tool that it is now is to enable all sorts of crimes like fraud and talked about plans to introduce reforms to make sure the law was fit for purpose in the modern age citation needed In January 2020 the Criminal Law Reform Now Network CLRNN published a comprehensive report highlighting the Act s shortcomings and making detailed recommendations for reform 32 In the same month the CyberUp Campaign was established with the intention of lobbying the UK government to update and upgrade the Act The Campaign s launch was covered by The Guardian in an article that echoed the call for urgent reform 33 The CyberUp Campaign is made up of a wide coalition of supportive bodies from within the cyber security industry including the large cyber consultancies NCC Group and F Secure and the cyber industry trade body TechUK In November 2020 the campaign gained the backing of the Confederation of British Industry The coalition was formed based on the shared view that an update of the UK s cyber crime legislation is necessary to protect national security and to increase economic growth for the UK cyber security industry The Campaign refers to Section 1 of the Act prohibiting unauthorised access to computers stating that it inadvertently criminalises a large amount of cyber security and threat intelligence research and investigation which is frequently conducted by UK cyber security professionals The Campaign has called for two key amendments Amend the law to allow cyber security and threat intelligence researchers acting in the public interest to explain and justify their actions and to allow the detection or prevention of crime Create a set of clear legal definitions to ensure that cyber security and threat intelligence researchers who reasonably believe they have authorisation to act can legitimately do so On 29 June 2020 to celebrate the Act s 30th birthday the CyberUp Campaign wrote an open letter to the prime minister on behalf of a number of cyber security industry figures to highlight the Act s outdatedness in a time of rapid digital advancement This was published in The Daily Telegraph with the headline Cyber security experts say they are being prevented from stopping computer fraud 34 verification needed In July 2020 the Intelligence and Security Committee of Parliament responsible for oversight of the UK intelligence services published the Intelligence and Security Committee Russia report and recommended that the Computer Misuse Act should be updated to reflect modern use of personal electronic devices While the government response to the report said that the Act was regularly reviewed to determine the benefits of legislative change the Shadow Foreign Secretary Lisa Nandy highlighted in January 2021 that no progress had been made towards implementing the recommendation In November 2020 the CyberUp Campaign and TechUK published a new report 35 unreliable source on the Computer Misuse Act which was the first piece of work to quantify and analyse the views of the wider UK security community The report found that 80 per cent of cyber security professionals have worried about breaking the law when researching vulnerabilities or investigating cyber threat actors Furthermore 91 per cent of businesses that responded to the report s survey suggested they had been put at a competitive disadvantage by the Act and that reform would allow their organisation to reap significant productivity improvements growth and resilience benefits The report recommended that the government consider implementing the two above amendments See also editComputer crime Internet fraud Data Protection Act 1998References editNeil MacEwan The Computer Misuse Act 1990 lessons from its past and predictions for its future 2008 Criminal Law Review 955 Stefan Fafinski Computer Misuse Response Regulation and the Law Cullomption Willan 2009 Yaman Akdeniz Section 3 of the Computer Misuse Act 1990 an Antidote for Computer Viruses 1996 3 Web JCLI 2 including reference to the case of Christopher Pile aka the Black Baron in November 1995 Derek Wyatt Computer Misuse Act amendment speech The Law Lords rulingNotes edit IISS Global Perspectives Power in Cyberspace Q amp A with Nigel Inkster Director Transnational Threats and Political Risk IISS 18 January 2011 Lee Mark Autumn 2014 Lecture 2 Legal Perspectives PDF School of Computer Science Professional Computing University of Birmingham p 13 Retrieved 19 May 2017 Murray Andrew 2016 Information Technology Law The Law and Society 3rd ed Oxford University Press p 358 ISBN 978 0 19 873246 4 Retrieved 19 May 2017 HL 21 April 1988 1988 AC 1063 summary at 1 Here Lord Brandon alludes to the classical myth of Procrustes who would stretch his victims or cut off their legs in order to fit a bed for which they were ill suited Leyden John 13 January 2015 80s hacker turned journo IT crime ace Steve Gold logs off The Register Retrieved 14 January 2015 Computer Misuse Act 1990 s1 s3 Computer Misuse Act 1990 1990 c 18 Computer misuse offences Section 1 legislation gov uk Retrieved 2 May 2019 Computer Misuse Act 1990 section 2 www legislation gov uk Archived from the original on 26 September 2010 Retrieved 14 June 2021 Computer Misuse Act 1990 section 3 www legislation gov uk Archived from the original on 26 September 2010 Retrieved 14 June 2021 Naylor Chris July 1994 Locked up Personal Computer World pp 470 471 Criminal Justice Terrorism and Conspiracy Act 1998 Schedule 1 legislation gov uk The National Archives Retrieved 24 March 2015 Full list House of Commons Privilege Hacking of Members mobile phones Standards and Privileges Committee a b Serious Crime Act of 2015 PDF UK Government Retrieved 30 December 2015 Police and Justice Act 2006 www legislation gov uk Archived from the original on 26 September 2010 Retrieved 14 June 2021 Police and Justice Act 2006 section 35 www legislation gov uk Archived from the original on 29 October 2010 Retrieved 14 June 2021 Police and Justice Act 2006 section 36 www legislation gov uk Archived from the original on 31 October 2010 Retrieved 14 June 2021 Police and Justice Act 2006 section 37 www legislation gov uk Archived from the original on 29 October 2010 Retrieved 14 June 2021 Police and Justice Act 2006 section 38 Serious Crime Act 2015 section 41 www legislation gov uk Archived from the original on 13 July 2015 Retrieved 14 June 2021 Serious Crime Act 2015 section 42 www legislation gov uk Archived from the original on 5 February 2016 Retrieved 14 June 2021 Serious Crime Act 2015 section 43 www legislation gov uk Archived from the original on 10 July 2016 Retrieved 14 June 2021 Serious Crime Act 2015 section 44 www legislation gov uk Archived from the original on 21 June 2016 Retrieved 14 June 2021 Serious Crime Act 2015 section 47 www legislation gov uk Archived from the original on 28 March 2016 Retrieved 14 June 2021 Serious Crime Act 2015 section 86 www legislation gov uk Archived from the original on 6 January 2016 Retrieved 14 June 2021 Serious Crime Act 2015 schedule 1 www legislation gov uk Archived from the original on 11 September 2016 Retrieved 14 June 2021 Serious Crime Act 2015 section 4 www legislation gov uk Archived from the original on 4 May 2015 Retrieved 14 June 2021 Carding Nick 29 April 2020 Hancock grants GCHQ powers over NHS IT systems Health Service Journal Retrieved 8 June 2020 Home Secretary Priti Patel speech to CyberUK Conference GOV UK 11 May 2021 Archived from the original on 11 May 2021 Retrieved 15 June 2021 Computer Misuse Act 1990 call for information GOV UK 11 May 2021 Archived from the original on 11 May 2021 Retrieved 15 June 2021 Reforming the Computer Misuse Act 1990 CLRNN Archived from the original on 18 January 2021 Retrieved 15 June 2021 Bowcott Owen 22 January 2020 Cybercrime laws need urgent reform to protect UK says report The Guardian Retrieved 22 January 2021 Bowcott Owen 29 June 2020 Cyber security experts say they are being prevented from stopping computer fraud because criminals have to let them access machines The Daily Telegraph Retrieved 22 January 2021 4 out of 5 cyber security professionals worry about breaking the law when defending UK report finds CyberUp Campaign Archived from the original on 19 November 2020 Retrieved 23 January 2021 External links edit nbsp Wikisource has original text related to this article Computer Misuse Act 1990 The Internet Crime Forum EURIM IPPR E Crime Study Wording of the failed 2004 amendment bill Amendments to the Computer Misuse Act 1990 covered by the Open Rights Group A list of Computer Misuse Act cases compiled by Michael J L Turner Retrieved from https en wikipedia org w index php title Computer Misuse Act 1990 amp oldid 1206025105, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.