Computer Misuse Bill

April 30, 2005

Two things of interest happened in Parliament on the 5th April. The first was the Prime Minister’s announcement of the date of the 2005 general election; the second was the first reading of Derek Wyatt MP’s Computer Misuse Act 1990 (Amendment) Bill, a ten minute rule bill which seeks (as its name would suggest) to amend the Computer Misuse Act 1990 (CMA). Whilst it would be fair to say that the former was perhaps the higher profile of the two, to many IT lawyers the latter is of equal importance and Shelley Hill examines the Bill’s proposals.

Derek Wyatt MP is Chair of the All Party Parliamentary Internet Group (APIG) which last year released its report on the CMA. The report concluded that whilst the CMA had stood the test of time better in many respects than some believed, there should nonetheless be a specific denial of service attack (DoS) offence added to the Act and the maximum penalty for s 1 offences (unauthorised access to computer material) should be increased to either two or five years’ imprisonment. The Computer Misuse Act 1990 (Amendment) Bill seeks to enact both of these recommendations.

It is thought that the CMA may have been drafted sufficiently widely for it to be used to prosecute those who commit distributed denial service of attacks (DDoS). This is because the third-party machines being used to mount the attack are the subject of unauthorised access (and possibly unauthorised modification). However, this did not stop Aaron Caffrey being acquitted of a DDoS attack on the Port of Houston‘s computer last year, when he mounted a defence of Trojan infection.

However, whether the CMA covers more simple DoS attacks originating from one machine only is more doubtful; the machine being attacked is not necessarily accessed or modified (some say that the attack constitutes a modification, others do not). The Bill therefore seeks to insert ss 2A and 2B into the CMA to address this confusion.

The Bill also increases the penalty for s 1 offences to two years, which would bring domestic legislation into line with the European cybercrime convention. It would also, crucially, make the offence extraditable. Making s 1 offences indictable would also allow prosecutions for attempting to commit a s 1 offence. Interestingly, if the maximum penalty were raised to five years the offence would also then be an arrestable one (as offences under ss 2 and 3 of the CMA are), which would make it easier to obtain search warrants under the Police and Criminal Evidence Act 1984, but the Bill does not seek to go that far at this stage.

There are those that doubt the Bill’s value. The original Computer Misuse (Amendment) Bill presented by Lord Northesk in 2002 was regarded by some as being drafted too widely, in that it criminalised behaviour ordinarily regarded as lawful as well as that which it was designed to prohibit. However, the National Hi-Tech Crime Unit (NHTCU) has said that the increase in sentencing powers will do little to deter hackers and that the prosecution instead of other offences relating to fraud, theft or extortion will always be of more use to them because of their greater penalties. Alan Lawson of the Butler Group is also reported (,39024655,39129265,00.htm) as saying that a marginal increase in the sentencing powers will not be enough to deter hardened criminals.

However, it is clear that some action is required. The NHTCU reports that electronic crime cost UK companies an estimated £2.45 billion last year, and stories abound that online betting Web sites are regularly being threatened with DoS attacks shortly before major sporting events which will only be prevented by the payment of a ransom.

This is, however, an argument which muddies the waters. As it is universally agreed, even by groups that support cyber action, that some activity should constitute a criminal offence, the law needs to be clearer. The acquittal of Aaron Caffrey indicated that the law is far from clear – with the prosecution of Matthew Anderson commencing in Elgin Sheriff’s Court recently, the state can ill afford to send another message to potential DoS perpetrators that the law is unable or unwilling to convict them. The NHTCU has acknowledged that the problem in many cases is not prosecuting the perpetrators but catching them. However, surely the power to extradite offenders can only be of assistance here. Although the sentencing provisions of the Bill may not wholly deter potential criminals, it will assist in catching them and bringing them to justice.

Unfortunately, this Bill will never proceed to the next stage. Although the bill passed its first reading and was ordered to be read for a second time on 15 April, The Prime Minister announced shortly afterwards that the general election would be held on 5 May and Parliament would therefore be dissolved on 11 April. In any case, 10-minute-rule Bills rarely make the statute books and are more often than not used to bring an issue to Parliament’s attention with the hope that it will win government support. Hopefully, once the election is over, the new government will pick up this particular ball and run with it, but only time will tell. Meanwhile, it will be worth keeping an eye on proceedings in the Elgin Sheriff’s Court to see whether the CMA can be successfully used to prosecute DoS offenders.

Shelley Hill is an assistant solicitor in the technology and innovation unit of Robert Muckle Solicitors, a commercial law firm based in Newcastle upon Tyne. Although she undertakes all aspects of IP and IT work, her particular interest lies in e-commerce work and legal issues surrounding the Internet.