The 30-year-old Computer Misuse Act is not fit for purpose

March 29, 2020

Cast your mind back to 1990 and, chances are, you’ll remember a very different world. Sinead O’Connor was dominating the UK charts, Stefan Edberg defeated Boris Becker at Wimbledon and Mark Zuckerberg was just 6 years old. Perhaps most striking is how different our relationship with technology is now. Yet this was the year that the Computer Misuse Act we still have in force today was introduced.

Developed in the late 1980s, it was already starting to look out of date when I began my career in computer forensics in 1992. Proponents say its definitions have been sufficiently broad to capture the evolution of cybercrime – but I’m less and less convinced. Critics say it was introduced in haste and was poorly thought out. I disagree. When it was conceived it was fit for purpose – but the landscape has moved fast.

The history of computer misuse

The Act was drawn up after the failure to charge the hackers of Prestel – BT’s nascent email system at the time – and was designed to deal with hacking, unauthorised access to computer systems and intentionally spreading malicious software (malware), such as viruses. The focus on malware seems most out of step today – but the lack of specific wording for distributed denial of service attacks (DDoS) presented a more acute problem from 2000 onwards. It was in early February 2000, when “Mafiaboy” – a 15-year-old Canadian hacker – carried out what was thought to be the first DDoS attacks affecting commercial businesses (e-commerce sites) including Amazon and eBay.

In February 2002, the National Hi-Tech Crime Unit (the forerunner of the National Cyber Crime Unit of the National Crime Agency) expressed concerns to the government about the adequacy of the Computer Misuse Act for dealing with denial-of-service attacks. A denial-of-service (DoS) attack occurs when legitimate users are prevented from accessing specific computer or IT resources; such attacks typically overwhelm servers, systems or networks with traffic to make it difficult or impossible for users to access them. In 2003, the E-crime minister announced that the government was to strengthen the Computer Misuse Act so that it could be used to prosecute the perpetrators of these attacks. “The Act is technologically neutral”, she commented, “and its terms are deliberately undefined to provide flexibility for the courts in interpreting them widely. This does not mean there is not possible scope for improvement”.

By the time Peter Sommer examined the lessons to be taken from two recent prosecutions in the January 2006 edition of SCL, it was shown to be completely out of step with modern technology. 

By June 2014 in the Queen’s speech opening the final Parliamentary session before the 2015 General Election, the coalition government set out plans to “amend the Computer Misuse Act 1990 to ensure sentences for attacks on computer systems fully reflect the damage they cause”, using the Serious Crime Bill. But this was just tinkering around the edges of something that was 25 years out of date.

What does the current Act do?

At its core, the Computer Misuse Act 1990, with amendment bills in 1998, 2005 and 2008 (enacted in England and Wales, Scotland and Northern Ireland) currently covers three offences:

  1. Unauthorised access to computer material.
  2. Unauthorised access with intent to commit or facilitate commission of further offences.
  3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer.

The Act has subsequently been amended twice, by the Police and Justice Act 2006 and by the Serious Crime Act 2015 – bringing further offences of:

  • Unauthorised acts causing, or creating risk of, serious damage; and
  • Making, supplying or obtaining articles for use in offences under all four sections above.

The offence of making, supplying etc. no longer requires intent, following section 42 of the Serious Crime Act 2015, and this has introduced a further problem for those working in the cyber security field. The Serious Crime Act 2015 also amended the Computer Misuse Act 1990 to ensure that sentences for attacks on computer systems fully reflect the damage they cause.

In December 2018, a written parliamentary question asked whether an assessment would be made of the potential benefits of amending section 1 of the Computer Misuse Act 1990 to allow UK cyber security and threat intelligence researchers to protect organisations through the supply of threat intelligence. The Home Office said it keeps the Computer Misuse Act under regular review to determine any potential benefits and drawbacks of legislative change.

So what needs to change? 

There are several fundamental issues that need addressing in this ageing Act:

The Knowledge Gap

Overall, the Act is just not working for cyber security practitioners, law enforcement officers, the Crown Prosecution Office and the Courts. Fundamentally, judges do not understand the issues. Southwark Crown Court is known as a specialist fraud centre, dealing with the majority of serious and major fraud cases in England and Wales, but the level of understanding of computer crime there is just not good enough for a sufficient number of successful prosecutions.

Changing nature of the threats

The types of crime the Act was originally designed to fight are actually decreasing – while new threats continue to grow. 

Crime statistics (the Crime Survey for England and Wales) show the biggest growth area reported to Action Fraud for the last reported year (to September 2019) is in hacking for extortion. This has nearly doubled from 2,147 to 4,133 over the year. Meanwhile figures for computer misuse and hacking cases have dropped – as have virus/malware reports. UK Finance also recorded an increase in Authorised Push Payment Frauds (often carried out by hacking into email accounts and systems) from £354m in 2018 (over 84,000 cases) to £413m (over 108,000 cases) for the rolling year ending June 2019.

This highlights part of the problem with the Act – the difference between using computers to commit fraud and the computer being the main part of the fraud.

Web-Scraping deemed lawful

The comparable law in the USA is the Computer Fraud and Abuse Act (CFAA), which was enacted in 1986 as an amendment to existing computer fraud law that had been included in the Comprehensive Crime Control Act of 1984. While it has been amended many times since to keep up with changes in crime, last September the US Appeals Court ruled that web scraping public sites does not violate the CFAA.

The court not only legalised the practice, but also barred site owners from stopping competitors extracting information from public sites automatically. The court confirmed that the entry of a web scraper bot (like scanning for vulnerabilities) is not legally different from the entry of a browser (such as Mozilla Firefox, Microsoft Edge or Google Chrome).

Many site owners try to put technical obstacles in the way of competitors who copy their non-copyright-protected information, e.g. ticket prices, product details, user profiles etc. Some sites consider that they own this information and regard web scraping as “theft”. Legally in the US, this is now confirmed not to be the case.

Perhaps this is a specific feature of American legislation. In this case, it was argued that technical measures to block web scraping interfere with contracts with customers who rely on this data. Legally this is called “malicious interference with a contract”, prohibited by American law. This could have implications for the UK law too.

Lack of protection for justified hacking

The Computer Misuse Act, as it stands, inadvertently criminalises a large proportion of cyber threat intelligence research and investigation by UK cyber security professionals. Cyber threat intelligence is work undertaken for defensive purposes and is the most important (and most neglected) part of cyber security today. Some of these threat intelligence activities require scanning, interrogation and light-touch interaction with compromised victims’ and criminals’ systems, where the owners have not explicitly permitted, or are unlikely to authorise, such access. As the Act prohibits unauthorised access to computers, this vital work is technically illegal.

Meanwhile, in the United States, a whole industry of US-based vulnerability scanning companies has grown up, with no equivalent UK-based company prepared to take on the risk of prosecution. There is a need to reform the legislation to ensure UK companies are able to compete on a level international playing field.

No scope for hacking-back

The scale of cybercrime is such that law enforcement bodies cannot investigate as many breaches to the depth that they would like. Should private bodies be permitted to defend themselves as an alternative? 

There is no scope currently for vigilante-style hacking-back. Any individual who sought to gain unauthorised access to an attacker’s system would themselves incur criminal liability. We are likely to see increasing pressure for the law to develop and define circumstances where a degree of fighting back is permitted. The “Active Cyber Defense Certainty Bill” was introduced to the US Congress in October 2017 and, in the unlikely event that it was passed, would give authorised individuals the legal authority to leave their network and try to establish the attribution of an attack, retrieve and destroy stolen files, monitor the behaviour of an attacker and disrupt a cyber attack, as long as they did not damage others’ computers.

In conclusion, only a root and branch review of the Act can make it fit for purpose for today’s world. Relying on legislation from 30 years ago feels much like applying pony and trap speed restrictions on today’s cars. 

Peter Yapp, Cyber Partner at Schillings

Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.