The Computer Misuse Act: Analysis

Computer Law and Intellectual Property Coursework

Introduction

The new world of computer technology is of no exception that in every improvement that civilization has made, there have been the dishonest and the greedy who quickly learn how to exploit the advantage of the new breakthrough and committing cyber-crimes. This, however resulted in the need for an effective legislation over them, to control crime and misuse, leading to the creation of the Computer Misuse Act 1990 (CMA). The Act predominantly was aimed at protecting the integrity and security of the computer system. However the rapid development of technology has raised concerns as to whether the act remains effective and whether or not it fits the purpose it was originally designed. In considering these concerns we will have to examine the proposition of this statutory framework and as to what extent it has been successful in regulating such crime activities in the world of information technology.

The
Computer Misuse Act

The
CMA was introduced to aid in dealing problems caused by computer misuse, especially
that of ‘hacking’ and ‘unauthorised access’. The most important case was R v
Gold,[1]
where hackers gained unauthorised access to files contained British Telecom
Prestel Network by  “shoulder surfing” an
engineer’s username and password.[2] They were prosecuted under
the Forgery and Counterfeiting Act 1981
and received a relatively small penalty but could not be charged on the grounds
of the use of recorded electronic information as it did not fall under the
definition of ‘false instrument’ according to Section.8(1)(d).[3]
The outcome of that case in particular, and the issues raised in previous
cases such as Cox v Riley[4] and R v
Whiteley,[5]
concerning the difficulties in using the Criminal
Damage Act 1971 where there was damage to intangible rather than tangible
property led to increasing pressure for legislation to bring the criminal law
up to date with technology.[6]

Section
1

The
CMA mainly covered three types of offences and the first offence which was
covered in Section 1of the Act is the ‘unauthorised access to computer material’[7]
in other words, it was simply defining hacking. Early judicial interpretation
of this section was somewhat curious. In R v Cropp,[8] where the defendant was
charged with unauthorized access to a computer with intent to commit a further
offence under section 2 of the CMA.
His activities were traced and was charged but when he came to trial the
defence counsel entered a plea of no case answered. The grounds for this claim
were that in order to contravene section
1(1) and section 2(1) of the
CMA, the prosecution had to establish that the defendant used one computer to
gain access to another computer.[9] This was an unexpected
outcome and had been assumed that unauthorised access meant any access which
basically curb the jurisdiction of the CMA. Another case authority that breached
section 1 of the Act was the case of Ellis v DPP.[10]  The legal question in this case was whether an
ex-student’s use of a log-in terminal, knowing he was prohibited could be
‘unauthorised’ used under section 1.
Lord Woolf CJ held that the access
was still unauthorised and that the statutory provisions were ‘sufficiently
wide’ to include the use made of the computers by the appellant.[11]  

Section
2

The
second offence which the CMA covers is ‘unauthorised
access with the intent to commit or facilitate commission of further offence’.
The leading case of R v Bedworth[12]
highlights the problem with Section 2
in proving ‘intent’ as the offender used addiction as his defence and said that
he was not able to form any intent in committing the crime. However in criminal
law, it is known that an addiction is not a defence to a criminal crime but the
jury acquitted Bedworth as they believed he did not deserve heavy penalties. Bedworth’s acquittal has led to criticism of the Crown
Prosecution Service’s (CPS) decision to charge the defendants under section 3
and not under section 1, while raising the controversy surrounding the CMA to a
new level which seem unlikely to have a significant long term consequences with
regards to viability of the addiction defence and question of intent.[13]

Section 3

The
third offence however is ‘unauthorised modification of computer material’ which
can be in any form such as corrupting computer programs, sending and
introducing viruses or deliberate deletion of files or data. The heaviest
sentence given under the Act was seen in the case of R v Vallor [14]in which the defendant was
sent to prison for two years following three offences he committed.

Evaluation
of the CMA

There
has however been uncertainty in the courts as to what constitutes
‘unauthorised’ access in cases where insider hackers such as employees are
allowed or required to access the computer for a particular reason. According
to Section 17(5) of CMA, it has been
specified that if the defendant was not entitled to access for such purpose and
had no consent, then the entry is unauthorised. The key early case was DPP v
Bignell[15]
where two police officers accessed information from the Police National Computer
(PNC) for their own personal use.  The
Crown Court decision was upheld. The defendants had only requested another to
obtain information by using the computer. The computer operator himself did not
exceed his authority. His authority permitted him to access the data on the
computer for the purpose of responding to requests made to him in proper form
by police officers. No offence had been committed.[16]
Extracting data from computer by a person who was otherwise generally
authorised to use the computer, but in this case for an unauthorised purpose,
does not constitute the offence of unlawful access. The purpose of the Act was
to criminalise the breaking into or hacking of computer systems to preserve the
‘integrity of computer systems’. The defendants were characterised as persons
who had ‘control access’ (using the word ‘control’ as a noun) ‘of the kind in
question’.[17] However in the
case of R v Bow Street Magistrates’ Court and Allison,[18]
 the House of Lords considered
whether an employee could commit an offence of securing ‘unauthorised access’
to a computer contrary to section 1. It was held that the employee clearly came
within the provisions of section 1 as she intentionally caused a computer to
give her entry to data which she knew was not authorised to enter. Their
Lordship made it clear that an employee would only be guilty of an offence if
the employer clearly defined the limits of the employee’s authority to access a
program or data.[19]

Besides
this, in the case of R v Cuthbert,[20] where a computer
consultant was found guilty of gaining unauthorised access to website
collecting donations for tsunami victims even though the judge hearing the case
accepted that he meant to cause no harm. The defence team argued that he had
merely ‘knocked on the door’ of the site, addressing that he had the skills to
break into if he wanted. Judge Purdy accepted that Cuthbert had not intended to
cause any damage plus pointed out that there was no case law in this area.[21] The cases of R v
Ashley Mitchell and R v Curzon also created confusion. This
led to criticisms from the media and other critics requesting for change.

The
All Party Internet Group’s recommendations were accepted by the government
which then made section 1 a triable either way offence, thus making amendment
from section 35 of the Police and
Justice Act 2006 (PJA)[22].
Section 1 is thus an indictable offence and the maximum penalty was
increased from six months to twelve months imprisonment on summary conviction
or two years on indictment which makes the offence extraditable.[23]  There was debate for increasing the sentencing
tariff to 3 years so that it can be considered a serious crime and thereby have
a deterrent effect.[24]

Apart
from this, Section 37 of the PJA has
placed into the CMA a new offence of ‘making, supplying or obtaining articles
for use of computer misuse offences’.[25] This meets the
requirements of hacker’s tools and this measure has caused most controversy.
This raised concern in the technology community as to how distinction is to be
drawn between lawful and unlawful use of such tools. The mens rea requirement for the supplying offence within the section
looked flawed.[26]
People can attract liability where they supply or offer to supply such articles
either intending them to be used to commit or to assist in the commission of,
an offence under section 1 or 3 or believing it likely they will be so used.

In
other words mere belief is sufficient, however this lead to difficulties in
deciding cases and lack of clarity. The Earl of Northesk a parliamentarian with
real knowledge of computer and cyberspatial issues, called for its removal on
the grounds that it was unnecessary and precariously wide but to no avail.[27]

Moving
on to Section 3 of the CMA which it
was formulated to prohibit the creation and distribution of viruses under the
idea that they cause ‘unauthorised modification’. The Act did prove somewhat
more successful in addressing misuse relating to viruses. In R v
Pile[28]
also known as the ‘Black Baron’, was
the first and prominent case where the author of computer viruses was
prosecuted in England and Wales.  He wrote two computer viruses, Pathogen and
Queeg, named after expressions used in the British Sci-Fi comedy “Red
Dwarf”, and it was claimed that an unnamed company had suffered half a million
pounds worth of damage as a result of his act.[29] He
pleaded guilty to 11 offenses under the CMA and  Judge Jeremy Griggs sentenced him to 18 months
imprisonment.[30]

However,
a few years since the CMA was established, the internet had begun to change to
worldwide network whereby all computers could communicate which caused a
radical change in computer misuse, thus calling for vital reasons to develop
legislation in a technologically neutral manner. Section 3 has also been applied to ‘mail bombing’ attacks. These
occur when the attackers send huge volume of email in attempt to overflow the
mailbox or overwhelm the server. These are known as Denial of Service (DoS) attacks which poses a more potent threat. In
R
v Lennon,[31] a gap in the law was
confirmed as it was successfully argued that an email bombardment conducted by
the disgruntled accused against the company from which he had recently been
dismissed. However the attack could not be addressed under section 3 as the
receiving system was designed to handle such e-mail messages and therefore
could be regarded as authorised.[32] On Appeal, decision was
reversed and the legal clarity remained elusive. There were uncertainties in
Lennon’s case, leaving doubts as to whether actual modification under section 3
is made in relation to DoS attacks.[33]

The
second case is that of Gary McKinnon,[34] who allegedly hacked into
and damaged several military computers in the US which as a result the US
government successfully sought extradition. He admitted that he had accessed
the computers and claimed it was for a search of a suppressed evidence of UFOs,
at the same time pleaded that he did not cause harm to the computers which he
accessed. However, he could have been convicted of an unauthorised access under
section 1 of the Act if the argument was succeeded.[35] Therefore the new
legislation was introduced in Section 36
of PJA 2006 which added a new amendment to the CMA that criminalized
anything that could impair the operation or access of any computer or program.[36] Like the 1990 Act, it was
only a crime if there was the requisite intent and knowledge. Intentionally
launching a distributed denial of service
(DDoS) program is illegal but becoming infected with a virus that launches
a DDoS attack is not, as it is because the section 3 originally enacted,
required the accused  to carry out an act
of unauthorised  modification of the
contents of the computer.[37] Thus raising both
practical and legal problems. In practice it meant that it was very difficult
to prosecute for DoS or DDoS attacks and legally the UK was failing in its
duties under the Council of Europe Convention on Cybercrime.[38]

Now
neither erasure nor modification of data are required to attract criminal
liability. The new improved section 3
offence shifts focus from ‘contents of computer’ to ‘in relation to targeted
computer’.[39]
A more radical change was seen when the section which was initially set to
criminalize intentional impairment, added alternative forms of mens rea which allows a person to be
charged/criminalized  even if was committed
in a reckless state of mind.[40] Although this increased
the scope of the act, it was still unclear what test for recklessness will be
applied in relation to criminal damage. The scope of digital criminal damage
was however clarified by the introduction of Section 10(5) into the
Criminal Damage Act 1971 which specifies that criminal damage to any
computer and computer storage has not occurred unless the damage impairs its
physical condition[41]. The subjective concept
of impairment could cause problems as causal linkage to the accused present
real evidential difficulties.

Additionally,
the Serious Crime Act 2015 (SCA)
however came into force to bring the CMA up to date and to reflect the modern
reality of cybercrime as an international, borderless phenomena with far
reaching consequences for anyone and any place. Section 41 of the SCA inserted
new section into the CMA which was Section
3ZA[42]
that requires an act causing or creating a significant risk, a serious damage
to human welfare in any place, to the environment in any place , to the economy
of any country or to the national security of any country.[43] This legal framework
appears to be fit but there were significant underreporting of cybercrimes.[44] The SCA also amended section 3A
in order to criminalize the so called hacking tools. This seemed very
straightforward but in fact it was very controversial because this offence made
it difficult as most of the tools are of dual use which were widely used by
computer professionals and security researchers. Therefore, this section could
only be of limited use and only be used alongside charges under ss.1-3.[45]

Conclusion

I conclude
that the ever increasing reliance on computers in today’s society will more likely serve both as target and tool
for those whose motives might be regarded as criminal. There are a number of
problems with the Computer Misuse Act 1990 and that it has by no means provided
a complete answer to problems of unauthorized access to computer whether by
hackers or by the spread of software viruses. In its most basic form,
the Computer Misuse Act did not criminalise other objectionable things one can
do with a computer. This means that the Act had to be revised a number of
times, each time refining and expanding its rules. But despite the flaws it had, I am of the opinion that ever since the
amendments made by the PJA 2006 and SCA 2015 the Computer Misuse Act has been to a certain extent
successful in prosecuting cybercrime cases, regulating it and its existence may
be viewed as a useful safeguard against computer criminal activities.                                                        

Bibliography

Books

• Andrew
  Murray, Information Technology Law’, The Law and Society (3^rd
  Edition) Oxford University Press.

Table of Statutes

• Computer
  Misuse Act 1990
• Serious
  Crime Act 2015
• Criminal
  Damage Act 1971
• Police
  and Justice Act 2006
• Forgery
  and Counterfeiting Act 1981

Table of Cases

• R v Gold and Schifreen CACD [1987] QB 1116.
• Cox v Riley [1986] QBD
• R v Whiteley [1991] 93 CAR 25
• R v Cropp [1991]
• Ellis v DPP [2001] EWHC 362
• R v Bedworth [1991]
• R v Simon Vallor [2003] EWCA Crim 2288
• R v Bignell [1998] 1 Cr App R8
• R v Bow Street Magistrates’ Court and Allison
  (AP) Ex parte Government of the United States of America [Allison] [2002] 2 AC
  216
• R v Cutberth [2005]
• R v Pile [1995]
• DPP v Lennon [2006] EWHC 1201

Online Articles

1. Macewan NF, The Computer Misuse Act 1990:
   lesson from its past and predictions for its future,< http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf
2. Stefan Frederick Fafinski, ‘Computer
   Use  and Misuse: The constellation of
   control’,< http://etheses.whiterose.ac.uk/2273/1/Fafinski_S_Law__PhD_2008.pdf
3. Andrew Charlesworth, Legislating against
   Computer Misuse: The Trials and Tribulations of the UK Computer Misuse Act 1990
   < http://classic.austlii.edu.au/au/journals/JlLawInfoSci/1993/7.html
4. John Oates, Tsunami Hacker Convictedhttps://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted
5. https://www.cps.gov.uk/legal-guidance/computer-misuse-act-1990
6. The Law Commission, Criminal Law Computer
   Misuse http://www.bailii.org/ew/other/EWLC/1989/186.pdf

[1] R
v Gold and Schifreen CACD [1987] QB 1116.

[2]
Ibid.

[3]
Forgery and Counterfeiting Act 1981

[4]
Cox v Riley [1986] QBD

[5] R
v Whiteley [1991] 93 CAR 25

[6]
Criminal Damage Act 1971

[7]Computer
Misuse Act 1990. Section 1

[8] R
v Cropp [1991]

[9]
Ibid.

[10]
Ellis v DPP [2001] EWHC 362

[11]
ibid

[12] R
v Bedworth [1991]

[13]
Andrew Charlesworth, Legislating against Computer Misuse: The Trials and
Tribulations of the UK Computer Misuse Act 1990 < http://classic.austlii.edu.au/au/journals/JlLawInfoSci/1993/7.html>
accessed 28^th April 2018

[14] R
v Simon Vallor [2003] EWCA Crim 2288

[15] R
v Bignell [1998] 1 Cr App R8

[16]
Ibid.

[17]
Ibid.

[18] R
v Bow Street Magistrates’ Court and Allison (AP) Ex parte Government of the
United States of America [Allison] [2002] 2 AC 216

[19]
Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd
edition) Oxford University Press. p.366

[20] R
v Cutberth [2005]

[21]
John Oates, Tsunami Hacker Convictedhttps://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted
accessed 27^th April 2018.

[22]
“Revision of the Computer Misuse Act”; Report of an Inquiry by the All Party
Internet Group < https://www.cl.cam.ac.uk/~rnc1/APIG-report-cma.pdf>
accessed 26^th April 2018

[23]
Ibid.

[24]
Ibid.

[25]
Police and Justice Act 2006, Section 37.

[26]Stefan
Frederick Fafinski, ‘Computer Use  and
Misuse: The constellation of control’,< http://etheses.whiterose.ac.uk/2273/1/Fafinski_S_Law__PhD_2008.pdf>
accessed 27^th April 2018.

[27]
Ibid.

[28] R
v Pile [1995].

[29]
Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd
edition) Oxford University Press. p.376

[30]
Ibid.

[31]
DPP v Lennon [2006] EWHC 1201.

[32]
Ibid.

[33]
Ibid.

[34]
Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd
edition) Oxford University Press. p.369

[35]
Ibid.p369-372.

[36]
Police and Justice Act 2006, Section 36.

[37]
Andrew Murray, Information Technology Law ‘The Law and Society’, (3rd edition)
Oxford University Press.p378

[38]
Ibid.

[39]
Macewan NF, The Computer Misuse Act 1990: lesson from its past and predictions
for its future,< http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf>
accessed 26^th April 2018.

[40]
Ibid.

[41]
Criminal Damage Act 1971, s.10(5).

[42]
Computer Misuse Act 1990, section 3ZA.

[43]
Ibid.

[44]
Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd
edition) Oxford University Press. p.383

[45]
Andrew Murray, ‘Information Technology Law’ The Law and the Society (3^rd
edition) Oxford University Press. p.385