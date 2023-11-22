The Home Office consulted on amendments to the Computer Misuse act in early 2023.
The Computer Misuse Act 1990 (CMA) is the main legislation that criminalises unauthorised access to computer systems and data, and the damaging or destroying of these. The intention behind the Act is protecting the integrity and security of computer systems and data through criminalising access to them which has not been authorised by the owner of the system or data.
In May 2021, the Home Secretary announced a review of the CMA and following an initial call for information, carried out a consultation in early 2023, making three key proposals:
The Home Office has now issued its response to that consultation.
Extra-territorial provisions
Over two thirds of the respondents who commented on extra-territorial provisions agreed that given the cross-border and international nature of offences in many cases, attention should be given to ensuring, so far as possible, that CMA legislation will have extra-territorial reach and that the Act's territorial provisions should be clarified and expanded. Several respondents also supported clarification on defining the concept of what constitutes "significant links" to the UK. One respondent suggested that extraterritorial reach could be similar to what is available under data protection legislation where the legislation applies to activities affecting UK data subjects, whether or not the activity occurs in the UK.
Defences
Some respondents expressed a view that the Act currently prevents consumer groups, cyber security professionals and researchers from undertaking a legitimate public interest activity to keep UK consumers safe, and would support the introduction of a defence to the offences under the Act. Furthermore, several respondents highlighted that the introduction of a new offence for possessing or using illegally obtained data could inadvertently criminalise legitimate cybersecurity work, and would, if implemented, require a statutory defence of its own, demonstrating that the Act's offences and defences cannot be considered in isolation. Despite this, several respondents also agreed that any introduction of a statutory defence for vulnerability and threat intelligence research must continue to enable the effective investigation and prosecution of criminals, should respect system owners' rights and should not provide cover for offensive cyber activity (that is, "hack back").
Sentencing
Many of the respondents who commented on sentencing suggested that the maximum sentences stated for CMA offences currently in place are too low, including that the maximum sentences should be increased to afford judges a wider scale upon which to assess an offence. Additionally, there was support for the consideration of other options for younger offenders, rather than prosecution.
Conclusion and next steps
Domain and IP address takedown and seizure
The Home Office has been working with a range of public and private sector partners to carry out more work in this area. There are significant considerations, including the impact on the current successful voluntary arrangements, suitable safeguards and thresholds, and definitions of relevant organisations. A significant body of work has taken place, and this work will continue to be able to legislate at the earliest possible opportunity.
Power to preserve data
Despite broad support, the government is aware that several organisations were concerned that data storage is costly and that any long-term data storage requirements would affect organisation's finances. It plans to engage with private and public sector organisations to suitable understand further impacts and look to mitigate them effectively if possible before considering for legislation.
Data copying
The consultation identified potentially adverse impacts that would result if the possession or use of data obtained through an offence under the Act were criminalised. There is a significant amount of positive work, such as victim awareness, that takes place because of a public and private sector organisations identifying and using data that has been made available via a CMA offence. The government believes that there is significant further work that needs to be done on this proposal to ensure mitigation of any of that positive work. It plans to undertake that work and provide further legislative solutions soon.
Published: 2023-11-22T10:30:00