Everything about The Computer Misuse Act totally explained
The Computer Misuse Act 1990 is an Act of the UK Parliament. The Act's introduction followed the decision in R v Gold (1988) 1 AC 1063, with the bill's critics charging that it was introduced hastily and was poorly thought out. Intention, they said, was often difficult to prove, and the bill inadequately differentiated "joyriding" crackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws. More generally, see computer crimes and internet fraud.
R v Gold & Schifreen
In R v Gold & Schifreen, Robert Schifreen and Stephen Gold, using a conventional home computer and modem in late 1984 and early 1985, gained unauthorised access to British Telecom's Prestel interactive viewdata service. While at a tradeshow, Gold had observed (doing what latterly became known as shoulder surfing) the password of a Prestel engineer (the username was 22222222 and the password was 1234, giving rise to subsequent accusations that BT hadn't taken security seriously). Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip. Prestel installed traps which monitored suspect accounts. Acting on information thus obtained, the defendants were arrested and charged under section 1 of the Forgery and Counterfeiting Act 1981, with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried in the Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined.
Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Counterfeiting Act had been misapplied to their conduct. They were acquitted by the Lord Justice Lane and the prosecution appealed to the House of Lords in 1988, which affirmed the acquittal. Lord David Brennan said:
» "We have accordingly come to the conclusion that the language of the Act wasn't intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we wouldn't wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That isn't a criminal offence. If it's thought desirable to make it so, that's a matter for the legislature rather than the courts"
The Law Lords' ruling led many legal scholars to believe that hacking wasn't unlawful as the law then stood. The English Law Commission and its counterpart in Scotland both considered the matter. The Scottish Law Commission concluded that intrusion was adequately covered in Scotland under the common law related to deception, but the ELC believed a new law was necessary.
The Computer Misuse Act
Based on the ELC's recommendations, a Private Member's Bill was introduced by Conservative MP Michael Colvin. The bill, supported by the government, came into effect in 1990. The Act introduces three criminal offences:
1(1) A person is guilty of an offence if:
» a) he/she causes a computer to perform any function with intent to secure access to any program or data held in a computer;
» b) the access he/she intends to secure is unauthorized; and
» c) he/she knows at the time when he/she causes the computer to perform the function that this is the case.
1(2) The intent a person has to commit an offence under this section need not be directed at
» a) any particular program or data;
» b) a program or data of any particular kind; or
» c) a program or data held in any particular computer.
1(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or both.
2(1) A person is guilty of an offence under this section if he/she commits an offence under section 1 above ("the unauthorized access offence") with intent
» a) to commit an offence to which this section applies; or
» b) to facilitate the commission of such an offence (whether by himself/herself or by any other person)
and the offence he/she intends to commit or facilitate is referred to below in this section as the further offence.
2(2) This section applies to offences
» a) for which the sentence is fixed by law; or
» b) for which a person of twenty one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980).
2(5) A person guilty of an offence under this section shall be liable
» a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or both; and
» b) on conviction on indictment, to imprisonment for a term not exceeding five years, or to a fine, or both.
3(1) A person is guilty of an offence if
» a) he/she does any act which causes the unauthorized modification of the contents of any computer; and
» b) at the time when he/she does the act he/she has the requisite intent and the requisite knowledge.
3(2) For the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
» a) to impair the operation of any computer;
» b) to prevent or hinder access to any program or data held in any computer; or
» c) to impair the operation of any such program or the reliability of any such data.
3(3) The intent need not be directed at
» a) any particular computer;
» b) any particular program or data or a program or data of any particular kind; or
» c) any particular modification or a modification of any particular kind.
3(4) For the purpose of subsection 1b above, the requisite knowledge is knowledge that any modification he/she intends to cause is unauthorized.
3(5) It's immaterial for the purposes of this section whether an unauthorized modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
The Act was created to criminalize unauthorized access to computer systems (the s1 offence) and to deter the more serious criminals from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer (the ss2 and 3 offences). The basic offence is to attempt or achieve access to a computer or the data it stores, by inducing a computer to perform any function with intent to secure access.
Hackers that program their computers to search through password permutations are therefore liable, even though all their attempts to log on are rejected by the target computer. The only precondition to liability is that the hacker should be aware that the access attempted is unauthorized. Thus, using another person's username or identifier (ID) and password without proper authority to access data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data to a screen or printer, or to impersonate that other person using e-mail, online chat, web or other services, constitutes the offence. Even if the initial access is authorized, subsequent exploration, if there's a hierarchy of privileges in the system, may lead to entry to parts of the system for which the requisite privileges are lacking, and the offence will be committed. But looking over a user's shoulder or using sophisticated electronic equipment to monitor the electromagnetic radiation emitted by VDUs ("electronic eavesdropping") is outside the scope of this offence.
The ss2 and 3 offences are aggravated offences, requiring a specific intent to commit another offence (for these purposes, the other offences are to be arrestable, and so include all the major common law and statutory offences of fraud and dishonesty). So a hacker who obtains access to a system intending to transfer money or shares, intends to commit theft, or to obtain confidential information for blackmail or extortion. Thus, the s1 offence is committed as soon as the unauthorized access is attempted, and the s2 offence overtakes liability as soon as specific access is made for the criminal purpose. The s3 offence is specifically aimed at those who write and circulate a computer virus (see Simon Vallor) or worm, whether on a LAN or across networks. Similarly, using phishing techniques or a Trojan to obtain identity data or to acquire any other data from an unauthorized source, or modifying the operating system files or some aspect of the computer's functions to interfere with its operation or prevent access to any data, including the destruction of files, or deliberately generating code to cause a complete system malfunction, are all criminal "modifications". In 2004 John Thornley pleaded guilty to four offences under s3 having mounted a hack attack on a rival site, and introduced a Trojan form of virus to bring it down on several occasions, but it's recognized that the wording of the offence should be clarified to confirm that all forms of denial of service attack are included.
Latest situation
In 2004 the All Party Internet Group published its review of the law and highlighted areas for development. Their recommendations led to the drafting of the Computer Misuse Act 1990 (Amendment) Bill, which sought to amend the CMA to comply with the European Convention on Cyber Crime. Under its terms, the maximum sentence of imprisonment for breaching the act changed from six months to two years. It also sought to explicitly criminalise denial-of-service attacks and other crimes facilitated by denial-of-service. The Bill didn't receive Royal Assent because Parliament was prorogued.
Sections 35 to 38 of the Police and Justice Act 2006 contain amendments to the Computer Misuse Act 1990.
Section 37 (entitled Making, supplying or obtaining articles for use in computer misuse offences) inserts a new section 3A into the 1990 Act and has drawn considerable criticism.
Schifreen now works as a Web developer and trainer at a UK university. In 2006 his book, Defeating The Hacker, was published by John Wiley & Sons (ISBN 0470025557). Gold works as an independent computer security consultant.