Computer Misuse Act reform

The existing Computer Misuse Act in the UK was based on issues pursuing the hacking cases of the eighties.

Its primary principle is the concept of the "unauthorised access" and "unauthorised modification" to computers. It was updated by sections of the Police and Justice Act 2006.

Current Law

From a digital rights perspective, the current CMA suffers from some flaws. In an online world where many machines now provide open access to data - public web servers, for instance - it can be difficult to discriminate between what is authorised, and what is unauthorised access.

The Computer Misuse Act has generally protected the rights of those who wander into "unauthorised" areas by requiring not just unauthorised access, but also knowledge by the accused that such access was unauthorised. This has made it a hard law to prosecute under, which has led for some calls for reform.

Recommendations to amend or reform the CMA

ICF paper, 2003

Internet Crime Forum (1997-2005?) produced a paper in April 2003 recommending reform.

All Party Internet Group report, 2004

Computer Misuse Act 1990 (Amendment) Bill 2005

A bill to amend the CMA, following the All Party Internet Group report was introduced on 5th April 2005 by Derek Wyatt MP[1]. The 2005 general election was announced the same day, burying the bill.

Police and Justice Act 2006

The Police and Justice Act 2006 updates the CMA in several ways, including explicitly prohibiting denial-of-service attacks.

Serious and organised crime strategy 2013

The Serious and organised crime strategy published in 2013 states that the government will bring forward proposals to "amend the Computer Misuse Act 1990 to update existing offences to cover importing tools for cyber crime (such as data or programmes designed for unlawfully accessing a computer system)"[2] The government "will legislate as soon as the parliamentary timetable allows".[3]

Attacks Against Information Systems Directive

Amendments to the act are expected in 2014 to comply with the EU Attacks Against Information Systems Directive.[4]

Serious Crime Bill

The Serious Crime Bill announced in 2014 will amend the CMA likely to comply with the European directive.



Microsoft have also suggested that DRM be protected under a reformed Computer Misuse Act: so it would be possible for computer users to be prosecuted for "unauthorised access" to their own computer. (See para 18, Revision of the Computer Misuse Act: Report of an Inquiry by the All Party Internet Group).

Public interest defence

Press hacking enquiry campaigners Hacked Off are campaigning for a "public interest defence"[5][6] for several laws including the CMA.

Incidents where such a defence would have been applicable might have been the hacking of the emails of a man suspected of faking his own death[7], and where a BBC production bought access to a botnet as part of a story[8].

In October 2014 the Liberal Democrats accepted a policy proposal from Dr Evan Harris[9] that several laws such as Regulation of Investigatory Powers Act 2000 and the CMA be amended to protect journalists.[10]

Legitimate tool use

There's also a danger that any reform will include the prohibition of "hacking tools", which would have profound effects on code as speech, as well as handcuffing legitimate security professionals. Making supplying or obtaining articles for use in offence is prohibited in section 37 of the Police and Justice Act 2006.

Authorisation through Terms of Service

Computer users also have the right to defend their own systems against attack, and to research and investigate the networks in which they operate. This was part of problem with the Daniel Cuthbert case, where a user checking to see the validity of a website he was using was latter prosecuted for "unauthorised access".

The solution here is not reform, but establishing more clearly into case law the expectations of an experienced online user. The danger lies in blanket "terms of service" establishing minimal rights for Net users, against common practice.

Applicability of CMA for Pro-Rights Cases

  • Could the Act be interpreted to disallow invasive DRM such as the Sony Rootkit, as similar laws in the US have been? (Possibly for acts that took place before the EULA was clicked. Arguably for subsequent behaviour if insufficiently described by the EULA, or if the EULA is not seen as authorisation --dob 01:44, 22 January 2006 (GMT) )


  1. Hansard, 2005-04-05
  2. Serious and organised crime strategy, GOV.UK, 2013-10-07
  3. Hansard, 2014-03-27
  4. Keynote Speech for the Internet Service Providers’ Association (ISPA) Annual Conference, GOV.UK, 2013-11-27
  5. Hacked Off: Journalism and the public interest
  6. Hacked Off: Public Interest Defences
  7. Sky News admits hacking emails of 'canoe man', Guardian, 2012-04-05
  8. BBC botnet 'public interest' defence rubbished by top IT lawyer, Register, 2009-03-18
  9. Text of Evan Harris's speech at the Lib Dem Conference backing Public Interest Defences and RIPA safeguards for journalist sources, Oct 2014
  10. Law change to stop police spying on phone records of journalists becomes Liberal Democrat policy, 2014-10-06, PressGazzette