The existing Computer Misuse Act in the UK was based on issues pursuing the hacking cases of the eighties.
Its primary principle is the concept of the "unauthorised access" and "unauthorised modification" to computers. It was updated by sections of the Police and Justice Act 2006.
From a digital rights perspective, the current CMA suffers from some flaws. In an online world where many machines now provide open access to data - public web servers, for instance - it can be difficult to discriminate between what is authorised, and what is unauthorised access.
The Computer Misuse Act has generally protected the rights of those who wander into "unauthorised" areas by requiring not just unauthorised access, but also knowledge by the accused that such access was unauthorised. This has made it a hard law to prosecute under, which has led for some calls for reform.
Recommendations to amend or reform the CMA
ICF paper, 2003
Internet Crime Forum (1997-2005?) produced a paper in April 2003 recommending reform.
All Party Internet Group report, 2004
- Revision of the Computer Misuse Act, APIG, June 2004
Computer Misuse Act 1990 (Amendment) Bill 2005
Police and Justice Act 2006
Serious and organised crime strategy 2013
The Serious and organised crime strategy published in 2013 states that the government will bring forward proposals to "amend the Computer Misuse Act 1990 to update existing offences to cover importing tools for cyber crime (such as data or programmes designed for unlawfully accessing a computer system)" The government "will legislate as soon as the parliamentary timetable allows".
Attacks Against Information Systems Directive
Serious Crime Bill
The Serious Crime Bill announced in 2014 will amend the CMA likely to comply with the European directive.
Infosec company campaign
NCC Group, Orpheus Cyber, Context Information Security and Nettitude wrote to the UK government in July 2019 to request CMA reform where methods of information and intelligence collection may be criminalised by the act.
"new legislation and reforming the Computer Misuse and Theft Acts so they are ‘fit for purpose in the modern age’;
Criminal Law Reform Now Network
The CLRNN, a means for academics and legal experts to research areas of the law they feel need improving, published a report in January 2020 recommending a public interest defence for cyber-threat intelligence professionals, academics and journalists.
A new campaign, CyberUp, was launched in 2020 with the aim of CMA reform. Supporters include F-Secure, NCC Group, and techUK.
CMA Review 2021
- Review of the Computer Misuse Act 1990 (follow on consultation in 2023)
Cyber Security Strategy 2022
Announced in the Cyber Security Strategy for 2022:
We will review the Computer Misuse Act (CMA) and relevant powers to ensure that law enforcement agencies have the ability to investigate new and emerging threats from criminals and introduce more specialist prosecutors to deal with the increasing number of cyber cases.
Sir Patrick Vallance review of digital technology regulation
- Pro-innovation Regulation of Technologies Review: Digital Technologies, published March 2023
We recommend amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals, and would have a catalytic effect on innovation in a sector with considerable growth potential.
Microsoft have also suggested that DRM be protected under a reformed Computer Misuse Act: so it would be possible for computer users to be prosecuted for "unauthorised access" to their own computer. (See para 18, Revision of the Computer Misuse Act: Report of an Inquiry by the All Party Internet Group).
Public interest defence
Incidents where such a defence would have been applicable might have been the hacking of the emails of a man suspected of faking his own death, and where a BBC production bought access to a botnet as part of a story.
- Greg Callus, 2012-04-05
In October 2014 the Liberal Democrats accepted a policy proposal from Dr Evan Harris that several laws such as Regulation of Investigatory Powers Act 2000 and the CMA be amended to protect journalists.
Legitimate tool use
There's also a danger that any reform will include the prohibition of "hacking tools", which would have profound effects on code as speech, as well as handcuffing legitimate security professionals. Making supplying or obtaining articles for use in offence is prohibited in section 37 of the Police and Justice Act 2006.
Authorisation through Terms of Service
Computer users also have the right to defend their own systems against attack, and to research and investigate the networks in which they operate. This was part of problem with the Daniel Cuthbert case, where a user checking to see the validity of a website he was using was latter prosecuted for "unauthorised access".
The solution here is not reform, but establishing more clearly into case law the expectations of an experienced online user. The danger lies in blanket "terms of service" establishing minimal rights for Net users, against common practice.
- Two Recent Computer Misuse Cases, Peter Sommer, 2006-01-16
Applicability of CMA for Pro-Rights Cases
- Could the Act be interpreted to disallow invasive DRM such as the Sony Rootkit, as similar laws in the US have been? (Possibly for acts that took place before the EULA was clicked. Arguably for subsequent behaviour if insufficiently described by the EULA, or if the EULA is not seen as authorisation --dob 01:44, 22 January 2006 (GMT) )
- Hansard, 2005-04-05
- Serious and organised crime strategy, GOV.UK, 2013-10-07
- Hansard, 2014-03-27
- Keynote Speech for the Internet Service Providers’ Association (ISPA) Annual Conference, GOV.UK, 2013-11-27
- Brit infosec firms urge PM Boris to reform the Computer Misuse Act, Register, July 2019
- Crimelords beware: 'Britain's FBI' set for huge new powers to foil County Lines drug gangs as its intelligence reveals 181,000 villians operating in 4,500 criminal organisations, Mail online, 2019-11-03
- Reforming the Computer Misuse Act 1990 - CLRNN
- Cybercrime laws need urgent reform to protect UK, says report, Guardian, 2020-01-22
- Academics call for UK's Computer Misuse Act 1990 to be reformed, The Register, 2020-01-22
- Home Secretary Priti Patel speech to CyberUK Conference, 2021-05-11, GOV.UK
- National Cyber Security Strategy 2022
- Hacked Off: Journalism and the public interest
- Hacked Off: Public Interest Defences
- Sky News admits hacking emails of 'canoe man', Guardian, 2012-04-05
- BBC botnet 'public interest' defence rubbished by top IT lawyer, Register, 2009-03-18
- Text of Evan Harris's speech at the Lib Dem Conference backing Public Interest Defences and RIPA safeguards for journalist sources, Oct 2014
- Law change to stop police spying on phone records of journalists becomes Liberal Democrat policy, 2014-10-06, PressGazzette