Home Office issues response to Computer Misuse Act consultation

November 22, 2023

The Computer Misuse Act 1990 (CMA) is the main legislation that criminalises unauthorised access to computer systems and data, and the damaging or destroying of these. The intention behind the Act is protecting the integrity and security of computer systems and data through criminalising access to them which has not been authorised by the owner of the system or data.

In May 2021, the Home Secretary announced a review of the CMA and, following an initial call for information, carried out a consultation in early 2023, making three key proposals:

  1. The first was a proposal to develop a new power to allow law enforcement agencies to take control of domains and internet protocol addresses where these are being used by criminals to support a wide range of criminality, including fraud and computer misuse. The government recognises that a significant amount is done under voluntary arrangements to tackle the misuse of domain names, and would not want to see these arrangements undermined. However, it believes that there is a need to ensure that where such arrangements are unavailable, law enforcement agencies have the power to take action.
  2. The second proposal was for a power to allow a law enforcement agency to require the preservation of computer data so that the agency can determine whether the data would be needed in an investigation. The power would not allow the law enforcement agency to seize the data, but would allow it to be preserved in case it is needed.
  3. The third proposal was about whether a power should be created that would allow action to be taken against a person possessing or using data obtained by another person through an offence under the Act, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place.

The Home Office has now issued its response to that consultation.

Extra-territorial provisions

Over two thirds of the respondents who commented on extra-territorial provisions agreed that, given the cross-border and international nature of offences in many cases, attention should be given to ensuring, so far as possible, that CMA legislation will have extra-territorial reach and that the Act’s territorial provisions should be clarified and expanded. Several respondents also supported clarification on defining the concept of what constitutes “significant links” to the UK. One respondent suggested that extra-territorial reach could be similar to what is available under data protection legislation, where the legislation applies to activities affecting UK data subjects, whether or not the activity occurs in the UK.

Defences

Some respondents expressed a view that the Act currently prevents consumer groups, cyber security professionals and researchers from undertaking a legitimate public interest activity to keep UK consumers safe, and would support the introduction of a defence to the offences under the Act. Furthermore, several respondents highlighted that the introduction of a new offence for possessing or using illegally obtained data could inadvertently criminalise legitimate cybersecurity work, and would, if implemented, require a statutory defence of its own, demonstrating that the Act’s offences and defences cannot be considered in isolation. Despite this, several respondents also agreed that any introduction of a statutory defence for vulnerability and threat intelligence research must continue to enable the effective investigation and prosecution of criminals, should respect system owners’ rights and should not provide cover for offensive cyber activity (that is, “hack back”).

Sentencing

Many of the respondents who commented on sentencing suggested that the maximum sentences stated for CMA offences currently in place are too low, including that the maximum sentences should be increased to afford judges a wider scale upon which to assess an offence. Additionally, there was support for the consideration of other options for younger offenders, rather than prosecution.

Conclusion and next steps

Domain and IP address takedown and seizure

The Home Office has been working with a range of public and private sector partners to carry out more work in this area. There are significant considerations, including the impact on the current successful voluntary arrangements, suitable safeguards and thresholds, and definitions of relevant organisations. A significant body of work has taken place, and this work will continue so that the government is able to legislate at the earliest possible opportunity.

Power to preserve data

Despite broad support, the government is aware that several organisations were concerned that data storage is costly and that any long-term data storage requirements would affect organisations’ finances. It plans to engage with private and public sector organisations to suitably understand further impacts and look to mitigate them effectively, if possible, before considering legislation.

Data copying

The consultation identified potentially adverse impacts that would result if the possession or use of data obtained through an offence under the Act were criminalised. There is a significant amount of positive work, such as victim awareness, that takes place because of public and private sector organisations identifying and using data that has been made available via a CMA offence. The government believes that there is significant further work that needs to be done on this proposal to ensure that any impact on that positive work is mitigated. It plans to undertake that work and provide further legislative solutions soon.