APIG proposes revisions to the Computer Misuse Act 1990

April 30, 2004

Further to my article surrounding the Aaron Caffrey case and the difficulties faced by the judiciary and jurors in applying the Computer Misuse Act 1990 to cases of denial of service attacks and virus infection, it is perhaps timely that the All Parliamentary Internet Group is proposing to hold a public inquiry into the desirability of updating the CMA and to review its applicability to modern-day computer crime.

The CMA was introduced as a Private Members’ Bill and drew upon the conclusions of Law Commission Report No 186. Like the current review, this was initiated as a result of a number of cases where the law in force had failed adequately to deal with cases of criminal damage to software. The CMA introduced three new offences: unauthorised access to computer material (s 1), unauthorised access with intent to commit or facilitate the commission of further offences (s 2), and unauthorised modification of computer material (s 3).

In 2002 Lord Northesk attempted to extend the application of the Act by inserting a new clause 3A intended to deal with denial of service attacks. However, his Bill failed to proceed through Parliament due to a lack of government support and ran out of parliamentary time. To quote him: “[it] received a generous, if somewhat lukewarm, response from the Minister concerned”.

It would seem, however, that the topic is now the subject of greater political interest. The APIG inquiry will focus on the following issues:

  • Whether the CMA is broad enough to cover the criminality encountered today
  • Whether the CMA’s generic definitions of computers and data have stood the test of time
  • Whether there are any loopholes in the Act which need to be closed
  • What revisions may be needed to meet the UK’s international treaty obligations
  • Whether the level of penalties within the CMA is sufficient to deter today’s criminals.

The CMA was drafted broadly in an attempt to cover all computer crime which might be committed in the future. For instance, s 3 deals with the offence of ‘unauthorised modification of computer material’ and unauthorised modification is said to take place ‘if, by the operation of any function of the computer concerned or any other computer (a) any program or data held in the computer concerned is altered or erased; or (b) any program or data is added to its contents’.

However, does this deal with the spammer who bombards a computer with multiple e-mails or viruses or multiple pings which disable a system? He may not be, in the strict technological sense, altering or erasing data or adding any data to the computer. The Internet has only really risen to the fore since the CMA was enacted. By virtue of its enactment date, this is not an Act which envisaged the potential problems of cyberspace, and the language used in the Act is perhaps indicative of the aims of the legislation at the time.

Recent case law has suggested that there are certain loopholes in the Act which need to be closed, and various commentators have criticised the penalties handed out under the Act. There is perhaps a temptation to view computer crime as less serious than other forms of property damage; it is often seen as an apparently victimless crime which is of minor inconvenience to individuals only when their PC is affected.

In the case of R v Goulden, the judge said that the offender’s actions were at the ‘lowest end of seriousness’ and he was given a conditional discharge and fined £1,650. Similarly, in R v Whittaker the defendant was given a conditional discharge. As Susan Singleton says, these penalties do not facilitate the use of the 1990 Act as a deterrent. They also do not suggest to the public at large that the judiciary see this as serious crime. Damage is of course difficult to reduce to calculable terms in cases when staff time accounts for much of the work needed to correct the problems caused. As well as extending the maximum penalty (the current maximum is five years in prison for a s 3 offence), perhaps the judiciary should be encouraged to view these crimes in the same way that criminal damage is viewed?

It will be interesting to see what conclusions the APIG come to and whether proposals for change make it before Parliament. However, if there is any uncertainty as to whether the CMA applies to denial of service attacks, virus transmissions and other computer crime, clarification is vital.

Shelley Hill is a solicitor in the technology and innovation unit of Robert Muckle Solicitors, a commercial law firm based in Newcastle upon Tyne.