Computer Misuse Act 1990
The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063 (see below). Critics of the bill complained that it was introduced hastily and was poorly thought out. Intention, they said, was often difficult to prove, and the bill inadequately differentiated "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime".

R v Gold & Schifreen

Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a trade show, Schifreen, by doing what latterly became known as shoulder surfing, had observed the password of a Prestel engineer: the username was 22222222 and the password was 1234. This later gave rise to accusations that BT had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip.

Prestel installed monitors on the suspect accounts and passed information thus obtained to the police. The pair were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.

Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting Act had been misapplied to their conduct.

They were acquitted by the Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988, the Lords upheld the acquittal. Lord David Brennan said:
We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.


The Law Lords' ruling led many legal scholars to believe that hacking was not unlawful as the law then stood. The English Law Commission (ELC) and its counterpart in Scotland both considered the matter. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the ELC believed a new law was necessary.

Since the case, both defendants have gone on to write extensively about IT matters, and Gold, who detailed the entire case at some length in the Hacker's Handbook, presents at conferences alongside the arresting officers in the case.

The Computer Misuse Act

Based on the ELC's recommendations, a Private Member's Bill was introduced by Conservative MP Michael Colvin. The bill, supported by the government, came into effect in 1990. Sections 1-3 of the Act introduced three criminal offences:
  1. unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);
  2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;
  3. unauthorised modification of computer material, subject to the same sentences as section 2 offences.


§§2–3 are intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer. The basic offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access. Hackers who program their computers to search through password permutations are therefore liable, even though all their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access attempted is unauthorised. Thus, using another person's username or identifier (ID) and password without proper authority to access data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitutes the offence. Even if the initial access is authorised, subsequent exploration, if there is a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed. But looking over a user's shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs ("electronic eavesdropping") is outside the scope of this offence.

The §§2–3 offences are aggravated offences, requiring a specific intent to commit another offence (for these purposes, the other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty). So a hacker who obtains access to a system intending to transfer money or shares intends to commit theft, or to obtain confidential information for blackmail or extortion. Thus, the §1 offence is committed as soon as the unauthorised access is attempted, and the §2 offence overtakes liability as soon as specific access is made for the criminal purpose. The §3 offence is specifically aimed at those who write and circulate a computer virus (see Simon Vallor) or worm, whether on a LAN or across networks. Similarly, using phishing techniques or a Trojan horse to obtain identity data or to acquire any other data from an unauthorised source, or modifying the operating system files or some aspect of the computer's functions to interfere with its operation or prevent access to any data, including the destruction of files, or deliberately generating code to cause a complete system malfunction, are all criminal "modifications". In 2004, John Thornley pleaded guilty to four offences under §3, having mounted an attack on a rival site, and introduced a Trojan horse to bring it down on several occasions, but it is recognized that the wording of the offence should be clarified to confirm that all forms of denial of service attack are included.

Latest situation

In 2004, the All-Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill which sought to amend the CMA to comply with the European Convention on Cyber Crime (http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm). Under its terms, the maximum sentence of imprisonment for breaching the Act changed from six months to two years. It also sought to explicitly criminalise denial-of-service attacks and other crimes facilitated by denial-of-service. The Bill did not receive Royal Assent because Parliament was prorogued.

Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990.

Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.

After the infamous News International phone hacking scandal in 2011, there are ongoing discussions about amending the law to define "smart" phones (i.e. those with Internet browsers and other connectivity features) as computers under the Act. This amendment may also introduce a new offence of making information available with intent, i.e. publicly disclosing a password for someone's phone or computer so that others can access it illegally.

The amendments

The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006 are:

Section 35. Unauthorised access to computer material

Section 36. Unauthorised acts with intent to impair operation of computer, etc

Section 37. Making, supplying or obtaining articles for use in computer misuse offences

Section 38. Transitional and saving provision


The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 