The Computer Misuse Act: Analysis

Computer Law and Intellectual Property Coursework

Introduction

The new world of computer technology is of no exception that in every improvement that civilization has made, there have been the dishonest and the greedy who quickly learn how to exploit the advantage of the new breakthrough and committing cyber-crimes. This, however resulted in the need for an effective legislation over them, to control crime and misuse, leading to the creation of the Computer Misuse Act 1990 (CMA). The Act predominantly was aimed at protecting the integrity and security of the computer system. However the rapid development of technology has raised concerns as to whether the act remains effective and whether or not it fits the purpose it was originally designed. In considering these concerns we will have to examine the proposition of this statutory framework and as to what extent it has been successful in regulating such crime activities in the world of information technology.

The Computer Misuse Act

The CMA was introduced to aid in dealing problems caused by computer misuse, especially that of ‘hacking’ and ‘unauthorised access’. The most important case was R v Gold,[1] where hackers gained unauthorised access to files contained British Telecom Prestel Network by  “shoulder surfing” an engineer’s username and password.[2] They were prosecuted under the Forgery and Counterfeiting Act 1981 and received a relatively small penalty but could not be charged on the grounds of the use of recorded electronic information as it did not fall under the definition of ‘false instrument’ according to Section.8(1)(d).[3] The outcome of that case in particular, and the issues raised in previous cases such as Cox v Riley[4] and R v Whiteley,[5] concerning the difficulties in using the Criminal Damage Act 1971 where there was damage to intangible rather than tangible property led to increasing pressure for legislation to bring the criminal law up to date with technology.[6]

Section 1

The CMA mainly covered three types of offences and the first offence which was covered in Section 1of the Act is the ‘unauthorised access to computer material’[7] in other words, it was simply defining hacking. Early judicial interpretation of this section was somewhat curious. In R v Cropp,[8] where the defendant was charged with unauthorized access to a computer with intent to commit a further offence under section 2 of the CMA. His activities were traced and was charged but when he came to trial the defence counsel entered a plea of no case answered. The grounds for this claim were that in order to contravene section 1(1) and section 2(1) of the CMA, the prosecution had to establish that the defendant used one computer to gain access to another computer.[9] This was an unexpected outcome and had been assumed that unauthorised access meant any access which basically curb the jurisdiction of the CMA. Another case authority that breached section 1 of the Act was the case of Ellis v DPP.[10]  The legal question in this case was whether an ex-student’s use of a log-in terminal, knowing he was prohibited could be ‘unauthorised’ used under section 1. Lord Woolf CJ held that the access was still unauthorised and that the statutory provisions were ‘sufficiently wide’ to include the use made of the computers by the appellant.[11]  

Section 2

The second offence which the CMA covers is ‘unauthorised access with the intent to commit or facilitate commission of further offence’. The leading case of R v Bedworth[12] highlights the problem with Section 2 in proving ‘intent’ as the offender used addiction as his defence and said that he was not able to form any intent in committing the crime. However in criminal law, it is known that an addiction is not a defence to a criminal crime but the jury acquitted Bedworth as they believed he did not deserve heavy penalties. Bedworth’s acquittal has led to criticism of the Crown Prosecution Service’s (CPS) decision to charge the defendants under section 3 and not under section 1, while raising the controversy surrounding the CMA to a new level which seem unlikely to have a significant long term consequences with regards to viability of the addiction defence and question of intent.[13]

Section 3

The third offence however is ‘unauthorised modification of computer material’ which can be in any form such as corrupting computer programs, sending and introducing viruses or deliberate deletion of files or data. The heaviest sentence given under the Act was seen in the case of R v Vallor [14]in which the defendant was sent to prison for two years following three offences he committed.

Evaluation of the CMA

There has however been uncertainty in the courts as to what constitutes ‘unauthorised’ access in cases where insider hackers such as employees are allowed or required to access the computer for a particular reason. According to Section 17(5) of CMA, it has been specified that if the defendant was not entitled to access for such purpose and had no consent, then the entry is unauthorised. The key early case was DPP v Bignell[15] where two police officers accessed information from the Police National Computer (PNC) for their own personal use.  The Crown Court decision was upheld. The defendants had only requested another to obtain information by using the computer. The computer operator himself did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed.[16] Extracting data from computer by a person who was otherwise generally authorised to use the computer, but in this case for an unauthorised purpose, does not constitute the offence of unlawful access. The purpose of the Act was to criminalise the breaking into or hacking of computer systems to preserve the ‘integrity of computer systems’. The defendants were characterised as persons who had ‘control access’ (using the word ‘control’ as a noun) ‘of the kind in question’.[17] However in the case of R v Bow Street Magistrates’ Court and Allison,[18]  the House of Lords considered whether an employee could commit an offence of securing ‘unauthorised access’ to a computer contrary to section 1. It was held that the employee clearly came within the provisions of section 1 as she intentionally caused a computer to give her entry to data which she knew was not authorised to enter. Their Lordship made it clear that an employee would only be guilty of an offence if the employer clearly defined the limits of the employee’s authority to access a program or data.[19]

Besides this, in the case of R v Cuthbert,[20] where a computer consultant was found guilty of gaining unauthorised access to website collecting donations for tsunami victims even though the judge hearing the case accepted that he meant to cause no harm. The defence team argued that he had merely ‘knocked on the door’ of the site, addressing that he had the skills to break into if he wanted. Judge Purdy accepted that Cuthbert had not intended to cause any damage plus pointed out that there was no case law in this area.[21] The cases of R v Ashley Mitchell and R v Curzon also created confusion. This led to criticisms from the media and other critics requesting for change.

The All Party Internet Group’s recommendations were accepted by the government which then made section 1 a triable either way offence, thus making amendment from section 35 of the Police and Justice Act 2006 (PJA)[22]. Section 1 is thus an indictable offence and the maximum penalty was increased from six months to twelve months imprisonment on summary conviction or two years on indictment which makes the offence extraditable.[23]  There was debate for increasing the sentencing tariff to 3 years so that it can be considered a serious crime and thereby have a deterrent effect.[24]

Apart from this, Section 37 of the PJA has placed into the CMA a new offence of ‘making, supplying or obtaining articles for use of computer misuse offences’.[25] This meets the requirements of hacker’s tools and this measure has caused most controversy. This raised concern in the technology community as to how distinction is to be drawn between lawful and unlawful use of such tools. The mens rea requirement for the supplying offence within the section looked flawed.[26] People can attract liability where they supply or offer to supply such articles either intending them to be used to commit or to assist in the commission of, an offence under section 1 or 3 or believing it likely they will be so used.

In other words mere belief is sufficient, however this lead to difficulties in deciding cases and lack of clarity. The Earl of Northesk a parliamentarian with real knowledge of computer and cyberspatial issues, called for its removal on the grounds that it was unnecessary and precariously wide but to no avail.[27]

Moving on to Section 3 of the CMA which it was formulated to prohibit the creation and distribution of viruses under the idea that they cause ‘unauthorised modification’. The Act did prove somewhat more successful in addressing misuse relating to viruses. In R v Pile[28] also known as the ‘Black Baron’, was the first and prominent case where the author of computer viruses was prosecuted in England and Wales.  He wrote two computer viruses, Pathogen and Queeg, named after expressions used in the British Sci-Fi comedy “Red Dwarf”, and it was claimed that an unnamed company had suffered half a million pounds worth of damage as a result of his act.[29] He pleaded guilty to 11 offenses under the CMA and  Judge Jeremy Griggs sentenced him to 18 months imprisonment.[30]

However, a few years since the CMA was established, the internet had begun to change to worldwide network whereby all computers could communicate which caused a radical change in computer misuse, thus calling for vital reasons to develop legislation in a technologically neutral manner. Section 3 has also been applied to ‘mail bombing’ attacks. These occur when the attackers send huge volume of email in attempt to overflow the mailbox or overwhelm the server. These are known as Denial of Service (DoS) attacks which poses a more potent threat. In R v Lennon,[31] a gap in the law was confirmed as it was successfully argued that an email bombardment conducted by the disgruntled accused against the company from which he had recently been dismissed. However the attack could not be addressed under section 3 as the receiving system was designed to handle such e-mail messages and therefore could be regarded as authorised.[32] On Appeal, decision was reversed and the legal clarity remained elusive. There were uncertainties in Lennon’s case, leaving doubts as to whether actual modification under section 3 is made in relation to DoS attacks.[33]

The second case is that of Gary McKinnon,[34] who allegedly hacked into and damaged several military computers in the US which as a result the US government successfully sought extradition. He admitted that he had accessed the computers and claimed it was for a search of a suppressed evidence of UFOs, at the same time pleaded that he did not cause harm to the computers which he accessed. However, he could have been convicted of an unauthorised access under section 1 of the Act if the argument was succeeded.[35] Therefore the new legislation was introduced in Section 36 of PJA 2006 which added a new amendment to the CMA that criminalized anything that could impair the operation or access of any computer or program.[36] Like the 1990 Act, it was only a crime if there was the requisite intent and knowledge. Intentionally launching a distributed denial of service (DDoS) program is illegal but becoming infected with a virus that launches a DDoS attack is not, as it is because the section 3 originally enacted, required the accused  to carry out an act of unauthorised  modification of the contents of the computer.[37] Thus raising both practical and legal problems. In practice it meant that it was very difficult to prosecute for DoS or DDoS attacks and legally the UK was failing in its duties under the Council of Europe Convention on Cybercrime.[38]

Now neither erasure nor modification of data are required to attract criminal liability. The new improved section 3 offence shifts focus from ‘contents of computer’ to ‘in relation to targeted computer’.[39] A more radical change was seen when the section which was initially set to criminalize intentional impairment, added alternative forms of mens rea which allows a person to be charged/criminalized  even if was committed in a reckless state of mind.[40] Although this increased the scope of the act, it was still unclear what test for recklessness will be applied in relation to criminal damage. The scope of digital criminal damage was however clarified by the introduction of Section 10(5) into the Criminal Damage Act 1971 which specifies that criminal damage to any computer and computer storage has not occurred unless the damage impairs its physical condition[41]. The subjective concept of impairment could cause problems as causal linkage to the accused present real evidential difficulties.

Additionally, the Serious Crime Act 2015 (SCA) however came into force to bring the CMA up to date and to reflect the modern reality of cybercrime as an international, borderless phenomena with far reaching consequences for anyone and any place. Section 41 of the SCA inserted new section into the CMA which was Section 3ZA[42] that requires an act causing or creating a significant risk, a serious damage to human welfare in any place, to the environment in any place , to the economy of any country or to the national security of any country.[43] This legal framework appears to be fit but there were significant underreporting of cybercrimes.[44] The SCA also amended section 3A in order to criminalize the so called hacking tools. This seemed very straightforward but in fact it was very controversial because this offence made it difficult as most of the tools are of dual use which were widely used by computer professionals and security researchers. Therefore, this section could only be of limited use and only be used alongside charges under ss.1-3.[45]

Conclusion

I conclude that the ever increasing reliance on computers in today’s society will more likely serve both as target and tool for those whose motives might be regarded as criminal. There are a number of problems with the Computer Misuse Act 1990 and that it has by no means provided a complete answer to problems of unauthorized access to computer whether by hackers or by the spread of software viruses. In its most basic form, the Computer Misuse Act did not criminalise other objectionable things one can do with a computer. This means that the Act had to be revised a number of times, each time refining and expanding its rules. But despite the flaws it had, I am of the opinion that ever since the amendments made by the PJA 2006 and SCA 2015 the Computer Misuse Act has been to a certain extent successful in prosecuting cybercrime cases, regulating it and its existence may be viewed as a useful safeguard against computer criminal activities.                                                        

Bibliography

Books

• Andrew Murray, Information Technology Law’, The Law and Society (3^rd Edition) Oxford University Press.

Table of Statutes

• Computer Misuse Act 1990
• Serious Crime Act 2015
• Criminal Damage Act 1971
• Police and Justice Act 2006
• Forgery and Counterfeiting Act 1981

Table of Cases

• R v Gold and Schifreen CACD [1987] QB 1116.
• Cox v Riley [1986] QBD
• R v Whiteley [1991] 93 CAR 25
• R v Cropp [1991]
• Ellis v DPP [2001] EWHC 362
• R v Bedworth [1991]
• R v Simon Vallor [2003] EWCA Crim 2288
• R v Bignell [1998] 1 Cr App R8
• R v Bow Street Magistrates’ Court and Allison (AP) Ex parte Government of the United States of America [Allison] [2002] 2 AC 216
• R v Cutberth [2005]
• R v Pile [1995]
• DPP v Lennon [2006] EWHC 1201

Online Articles

1. Macewan NF, The Computer Misuse Act 1990: lesson from its past and predictions for its future,< http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf
2. Stefan Frederick Fafinski, ‘Computer Use  and Misuse: The constellation of control’,< http://etheses.whiterose.ac.uk/2273/1/Fafinski_S_Law__PhD_2008.pdf
3. Andrew Charlesworth, Legislating against Computer Misuse: The Trials and Tribulations of the UK Computer Misuse Act 1990 < http://classic.austlii.edu.au/au/journals/JlLawInfoSci/1993/7.html
4. John Oates, Tsunami Hacker Convictedhttps://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted
5. https://www.cps.gov.uk/legal-guidance/computer-misuse-act-1990
6. The Law Commission, Criminal Law Computer Misuse http://www.bailii.org/ew/other/EWLC/1989/186.pdf

---

[1] R v Gold and Schifreen CACD [1987] QB 1116.

[2] Ibid.

[3] Forgery and Counterfeiting Act 1981

[4] Cox v Riley [1986] QBD

[5] R v Whiteley [1991] 93 CAR 25

[6] Criminal Damage Act 1971

[7]Computer Misuse Act 1990. Section 1

[8] R v Cropp [1991]

[9] Ibid.

[10] Ellis v DPP [2001] EWHC 362

[11] ibid

[12] R v Bedworth [1991]

[13] Andrew Charlesworth, Legislating against Computer Misuse: The Trials and Tribulations of the UK Computer Misuse Act 1990 < http://classic.austlii.edu.au/au/journals/JlLawInfoSci/1993/7.html> accessed 28^th April 2018

[14] R v Simon Vallor [2003] EWCA Crim 2288

[15] R v Bignell [1998] 1 Cr App R8

[16] Ibid.

[17] Ibid.

[18] R v Bow Street Magistrates’ Court and Allison (AP) Ex parte Government of the United States of America [Allison] [2002] 2 AC 216

[19] Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd edition) Oxford University Press. p.366

[20] R v Cutberth [2005]

[21] John Oates, Tsunami Hacker Convictedhttps://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted accessed 27^th April 2018.

[22] “Revision of the Computer Misuse Act”; Report of an Inquiry by the All Party Internet Group < https://www.cl.cam.ac.uk/~rnc1/APIG-report-cma.pdf> accessed 26^th April 2018

[23] Ibid.

[24] Ibid.

[25] Police and Justice Act 2006, Section 37.

[26]Stefan Frederick Fafinski, ‘Computer Use  and Misuse: The constellation of control’,< http://etheses.whiterose.ac.uk/2273/1/Fafinski_S_Law__PhD_2008.pdf> accessed 27^th April 2018.

[27] Ibid.

[28] R v Pile [1995].

[29] Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd edition) Oxford University Press. p.376

[30] Ibid.

[31] DPP v Lennon [2006] EWHC 1201.

[32] Ibid.

[33] Ibid.

[34] Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd edition) Oxford University Press. p.369

[35] Ibid.p369-372.

[36] Police and Justice Act 2006, Section 36.

[37] Andrew Murray, Information Technology Law ‘The Law and Society’, (3rd edition) Oxford University Press.p378

[38] Ibid.

[39] Macewan NF, The Computer Misuse Act 1990: lesson from its past and predictions for its future,< http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf> accessed 26^th April 2018.

[40] Ibid.

[41] Criminal Damage Act 1971, s.10(5).

[42] Computer Misuse Act 1990, section 3ZA.

[43] Ibid.

[44] Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd edition) Oxford University Press. p.383

[45] Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd edition) Oxford University Press. p.385