The Computer Misuse Act 1990
By Neil Harrison LL.B. (Hons)
No matter what the topic of conversation is, there seems to be an Act of Parliament that has been dreamt up in an attempt to regulate it. Vehicles have the Road Traffic Act, people have the Public Order Act and there was even an Act of Parliament that demanded that all Hackney Carriages, or taxis as they are now known, must carry a bale of hay and a sack of oats. Fortunately this was repealed in 1976. As times and technology has moved on, it was only a matter of time before the computer would attract the attention of the Upper and Lower Houses of the Palace of Westminster. I am of course talking about the Computer Misuse Act 1990.
Introduced in 1988
The Computer Misuse Act 1990 is an Act of the United Kingdom Parliament and was introduced partly in response to the decision in the legal case of R v Gold & Schifreen. This was a case from 1988.
Robert Schifreen and Stephen Gold where both at a trade show, when Robert Schifreen looked over the shoulder of a Prestel engineer. He noticed that he had typed in the username of 22222222 and the password of 1234. This practice would later be called shoulder surfing. When the two returned to their homes, they used conventional home computers and gained unauthorised access to British Telecom’s Prestel interactive viewdata service. With the username and password, the two explored the BT system, and even gained access to the personal message box of HRH Prince Philip.
The relative ease with which they obtained the information led to accusations that British Telecom did not take its security seriously enough.
Prestel then installed monitors on the suspect accounts and passed this information on to the police. Robert Schifreen and Stephen Gold were charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding British Telecom by manufacturing a “false instrument”, in other words, the internal condition of British Telecoms equipment after it had processed Gold’s stolen password. The two were tried at Southwark Crown Court in London and were convicted on specimen charges, five against Schifreen, four against Gold and were fined, respectively, £750 and £600.
These fines were pretty modest but the pair still elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting Act had been misapplied to their conduct.
Robert Schifreen and Stephen Gold were acquitted by the Lord Justice Lane, but the prosecution appealed to the House of Lords. The Lords upheld the acquittal. Lord David Brennan said:
“We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants’ conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.”
The Law Lords’ ruling in this case led many legal scholars to believe that hacking was not unlawful as the law then interpreted it. The English Law Commission and its counterpart in Scotland both considered the issue. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the English Law Commission believed a new law was needed to ensure no more Hackers would be able to slip through the net.
Since the Prestel case, both Robert Schifreen and Stephen Gold have gone to write about IT matters on a regular basis and, in the case of Stephen Gold, he actually presents at conferences alongside the arresting officers in the case.
Critics of the Computer Misuse bill complained that it had been introduced too hastily and was rather poorly thought out. Critics claim that the mens rea element, in short, the intention, was often very difficult to prove, and that the bill didn’t differentiate “joyriding” hackers like Schifreen and Gold from serious computer criminals. However, The Computer Misuse Act has become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when drafting their own information security laws, as it is seen as a robust and flexible piece of legislation in terms of dealing with computer crime or cybercrime as it is generally referred to.
The Computer Misuse Act was a Private Member’s Bill and was introduced by the Conservative MP Michael Colvin. The bill, which was supported by the government, came into effect in 1990. Sections 1-3 of the Act brought about three criminal offences:
Section 1 Computer Misuse Act 1990 states:
1) A person is guilty of an offence if –
(a) He causes a computer to perform any function with intent to secure access to any program or data held on a computer;
(b) The access he intends to secure is unauthorised; and
(c) He knows at the time when he causes the computer to perform the function that this is the case.
Section 2 Computer Misuse Act 1990 states:
2) A person is guilty of an offence if – He commits an offence under section 1 above (‘the unauthorised access offence’) with intent –
(a) To commit an offence to which this section applies; or
(b) To facilitate the commission of such an offence (whether by himself or by any other person).
Section 3 Computer Misuse Act 1990 states:
3) The intent need not be directed at –
(a) Any particular computer;
(b) Any particular program or data or a program or data of any particular kind; or
(c) Any particular modification or a modification of any particular kind.
Sections 2 – 3 are intended to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from hindering access to data stored in a computer. The basic offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access.
Hackers who program their computers to search through password permutations are therefore liable under this act, even though all their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access they are attempting is unauthorised. Therefore, using someone else’s username and password without their authority to access data or a program, or to alter, delete, copy or move such a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitute the offence. Even if the initial access is authorised, subsequent exploration, if there is a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking and the offence will be committed. It should be noted that looking over another person’s shoulder or using electronic equipment to monitor the electromagnetic radiation emitted by VDUs, otherwise known as electronic eavesdropping, is outside the scope of this offence.
Sections 2 – 3 are aggravated offences. Essentially this means they require a specific intent to commit another offence and these other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty. Therefore a hacker, who obtains access to a system intending to transfer money or shares, intends to commit theft, or to obtain confidential information for the purposes of extortion. So, the section 1 offence is committed as soon as the unauthorised access is attempted, and the section 2 offence overtakes liability as soon as specific access is made for the criminal purpose. The section 3 offence is specifically aimed at those who write and circulate a computer virus, whether on a Local Area Network (LAN), or across networks.
Or: The Favourite Grammatical Conjunction of the Legislature!
The legislature do love to use long, complex words and confusing sentences! However, the rather simple word “or” performs a very important role in any legislation as it allows the law to cover all the intricacies that must be covered and ensure that no lacunae exist that could be exploited. There is nothing worse than an Act of Parliament getting through all the processes from the initial bill to the Royal Assent, only to discover that one or more loopholes have been left present.
With the previous statement in mind, here goes with a typically wordy and “or” riddled description of part of this Act. Using phishing methods or a Trojan horse to secure identity data or to acquire any other sort of data from any unauthorised source, or even modifying the operating system files or some aspect of the computer’s functions so as to interfere with its operation or to prevent access to any data, including the destruction of files therein, or deliberately generating code to cause a complete system malfunction, are all now seen as criminal “modifications”.
In 2004, the defendant in a case surrounding the Computer Misuse Act pleaded guilty to four offences under section 3. He had mounted an attack on a rival website, and introduced a Trojan horse to bring it down on more than a few occasions, but it is now recognized that the wording of the offence should be clarified to confirm that all forms of denial of service attack are included.
Implications of the Act for Industry Practices
Although the Computer Misuse Act apparently targets those who wish to gain unauthorised access to computer systems for criminal purposes, its implications on previously widespread industry practices such as the “time locking” of software have been described in various computing industry publications. Time locking is the practice of disabling the functionality of computer programs in order to ensure that software, potentially delivered on condition of further payment, will expire and no longer function. It has also been feared that all manner of computer products, or products that are controlled by a computer program, could be given a sort of expiry date by unscrupulous manufacturers. Imagine the problem if your new computer or tablet only worked for a year before the time lock programme kicked in and rendered the unit useless.
It’s pretty fair to assume that if you sign up for a 3 month free trial on a virus scan piece of software, you give your consent that at the expiry of that trial period, the software will cease to operate. How could this be an unauthorised modification to a computer program when you have agreed to the terms of the provider?
The Latest Situation of the Act
In 2004, the All Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill which sought to amend the Computer Misuse Act to comply with the European Convention on Cyber Crime. Under its terms, the maximum sentence of imprisonment for breaching the Act changed from six months to two years. It also attempted to explicitly criminalise denial of service attacks and other crimes facilitated by such a denial of service attack. The Bill did not receive Royal Assent and therefore did not become law because the Parliamentary session was discontinued.
Having said that, sections 35 to 38 of the Police and Justice Act 2006 contains amendments to the Computer Misuse Act 1990.
Section 37 deals with making, supplying or obtaining articles for use in computer misuse offences, and adds a new section 3A into the 1990 Act and has drawn quite a lot of criticism from IT professionals, as many of their tools can be used by criminals in addition to their legitimate purposes, and thus fall under section 3A.
Following the phone hacking cases in 2011, there are now discussions about amending the law to define “smart” phones with Internet browsers and other connectivity features as computers under this Act. This amendment may also introduce a new offence of making information available with intent, such as publicly disclosing a password for someone’s phone or computer so that others can access it illegally.
The Amendments to the Act
The amendments to the Computer Misuse Act 1990 by Part 5 of the Police and Justice Act 2006 are:
Section 35. Unauthorised access to computer material
Section 36. Unauthorised acts with intent to impair operation of computer
Section 37. Making, supplying or obtaining articles for use in computer misuse offences
Section 38. Transitional and saving provision