Computer Misuse Act

2. Describe the origins and function of the Computer Misuse Act 1990. Evaluate the extent to which it is intended to serve as a deterrent to ‘hacking’.

The Computer Misuse Act (1990) was introduced to help deal with the problems caused by the misuse of computers and communication systems, especially that of ‘hacking’ and ‘unauthorised access.’ The Act introduced three offences; it is illegal for any unauthorised person to access programs or data, the unauthorised modification of that data, and having unauthorised access with further criminal intent. This essay will identify the reasons behind the Act’s introduction and shed led light on the forthcoming of the Act in dealing with misuse and hacking. I will identify with the use of cases, the protections covered in the Act and evaluate whether or not it has been an effective deterrent to hacking.

The most significant area of discussion is how to define ‘computer misuse’. Computers are tools and like any other tools can be used by people with intent of causing damage or carrying out some form of illegal activities. There are a number of ways in which computers can be used for crime. For e.g. real world crimes such as forgery, fraud, piracy, damaging or modifying computerised systems. Computers and the Internet are complex, but they function on a very narrow set of technical principles. This provides great flexibility, but makes it very difficult to legislate certain types of activity without affecting others and to categorise the misuse of any one of them.

The English Law Commission proposed new criminal offences for simple unauthorised access and for unauthorised modification of the contents of computers. They also identified ‘hacking’ as a more serious offence and proposed a two-tier structure of offences – simple ‘hacking’ and ‘hacking in pursuit of a further serious crime’. They concluded that ‘hacking’ or unauthorised access was sufficiently widespread to be a matter of major and legitimate concern to computer users. This was because of the actual losses and costs incurred by computer system owners whose systems had been breached.

Even though Computer Misuses were categorised by the Scottish and English Law Commissions, there were a number of significant problems. Most importantly there was no legislation in place which could cover all the offences made. This became clear with the case of R v Gold [1988]. The defendants were charged under the Forgery and Counterfeiting Act (1981), however they could not be charged on the grounds that the use of recorded electronic information did not fall under the definition of ‘false instrument’. Also at this time, hacking was not considered an offence and the hacker was relatively free to attempt to break into computer systems using intellect to bypass the various security measures. It became increasingly clear that hacking should be against the Law and that laws should be effective and enforceable. Hence it was brought to light that this was clearly an area where new and appropriate legislation was required. An act was required to make provision for securing computer material against unauthorised access or modification and for related purposes.

Before the Act was introduced, there was some confusion with jurisdiction since it is quite possible for the offender to be in one country, the relevant computer in another and the victim in a third. For example, when a person uses a computer in one country connected by a network to a computer in another country to commit a crime, it is hard to decide in which country this person is tried. The Appeal Court in 1985 indicated that if a person sent a message from London to divert funds from New York to his accounts in Geneva, the theft would not have taken place in London and so English courts would not have had jurisdiction to try the offender. The Computer Misuse Act corrects this by making it an offence to use a computer to commit a crime in another country and to commit a crime in this country from a computer in another country. Also in certain circumstances, where access occurs from abroad, it may be possible to bring in prosecution. This will require mutual co-operation in the enforcement of the laws.

The Computer Misuse Act covers three main offences. The first offence which is covered in section 1 of the Act is the ‘unauthorised access to computer material.’ Even if no damage is done, it remains an offence as accessing material without permission is illegal. The case of Ellis v DPP [2001] is a prime example of breaching the conditions in section 1 of the Act. The second offence is ‘unauthorised access with the intent to commit or facilitate commission of further offence.’ The case of R v Delamare [2003] is an example of breaching the conditions in section 2 of the Act. The third offence is the ‘unauthorised modification of computer material.’ This can be in the form of introducing viruses, corruption of programs or data and the deliberate deletion of files. One of the heaviest punishments given under the Act was during the case of R v Vallor [2003] in which the defendant was sentenced to two years of prison for each of the three offences he committed.

The Computer Misuse Act (1990) contains a number of significant flaws and has failed to provide a complete answer to problems of unauthorized access to computers whether by hackers, or by the spreading of software viruses. The case of R v Bedworth [1991] highlights the problem with Section 2 in proving ‘intent’, as the offender used addiction as his defence and said that he was not able to form any intent in committing the crime. Addiction is not a defence to a criminal crime; however the jury acquitted Bedworth as they believed he did not deserve heavy penalties. After this case there were calls to remove the need to show ‘intent’ from the Act. Another problem which can arise with the use of the Computer Misuse Act is the argument whether judges lack the specialist knowledge of computers to apply the law, and whether they tend to make inappropriate interpretations. This problem arose during the case of R v Cropp [1991] where the judge acquitted the defendant as he felt that an offence was only committed if one computer is used to obtain material stored on another computer.

The problems and limitations with the Computer Misuse Act do raise questions about the effectiveness on prosecuting offenders and the deterrence of ‘hackers’. The Act covers certain offences specific to the penetration, alteration and damage to computer systems. The definition of ‘computer crime’ in the Act is too broad as it states simply as ‘unauthorised access to computer material’. The Law itself was drafted very generally in the hope of ensuring enough scope so that the Law would not date, as computer technology developed. However, this means that the Act can sometimes be a rather ‘blunt instrument’ when policing computer crime. The Home Offices own statistics show that in spite of a high level of reported crimes , there have been only 33 prosecutions of which only 22 were sentenced and 7 jailed. In the case of DPP v Bignell [1998] an officer used the Police National Computer to obtain information for his own use. However the officer could not be prosecuted as his actions were not within the Act’s definition of ‘unauthorised access.’

I conclude that the ever increasing reliance on computers in today’s society will more likely serve both as target and tool for those whose motives might be regarded as criminal. There are a number of problems with the Computer Misuse Act 1990 and that it has by no means provided a complete answer to problems of unauthorized access to computer whether by hackers or by the spread of software viruses. The Government must develop improved methods when tracking hackers, as they sometimes do not use their own IP address. However, in spite of these problems, I am of the opinion that the Computer Misuse Act 1990 can be seen as a useful deterrent, and the knowledge of its existence may be viewed as a useful safeguard against criminal activities.

Evaluation

The Computer Misuse Act is highly useful in ensuring that peoples work and personal information is kept safe. However it can be difficult in finding a person to prosecute if the Act is breached due to the enormity of the Internet. For example, if someone hacked into someone else’s computer and looked at or altered information, then they would be charged with unauthord access or modification. However it can be hard to trace the hacker as they may not use their own IP address. Also if someone was attempting to access data without authorisation, then it would be difficult to prove this as the crime has not yet been committed.

I hope that in future, the government will implement new plans which will be able to reduce the activity of these happenings. Much money is lost by businesses by this law, and can be prevented by simple measures. It will serve as a further warning not to disobey this law.