Computer Misuse Act reform

The existing Computer Misuse Act in the UK was drafted in response to the problems encountered in pursuing the hacking cases of the eighties.

Its primary principle is the concept of "unauthorised access" to, and "unauthorised modification" of, computers. It was updated by sections of the Police and Justice Act 2006.

Current Law

From a digital rights perspective, the current CMA suffers from some flaws. In an online world where many machines now provide open access to data (public web servers, for instance) it can be difficult to discriminate between what is authorised and what is unauthorised access.

The Computer Misuse Act has generally protected the rights of those who wander into "unauthorised" areas by requiring not just unauthorised access, but also knowledge by the accused that such access was unauthorised. This has made it a hard law to prosecute under, which has led to some calls for reform.

Recommendations to amend or reform the CMA

ICF paper, 2003

The Internet Crime Forum (1997-2005?) produced a paper in April 2003 recommending reform.

All Party Internet Group report, 2004

Computer Misuse Act 1990 (Amendment) Bill 2005

A bill to amend the CMA, following the All Party Internet Group report was introduced on 5th April 2005 by Derek Wyatt MP[1]. The 2005 general election was announced the same day, burying the bill.

Police and Justice Act 2006

The Police and Justice Act 2006 updates the CMA in several ways, including explicitly prohibiting denial-of-service attacks.

Serious and organised crime strategy 2013

The Serious and organised crime strategy published in 2013 states that the government will bring forward proposals to "amend the Computer Misuse Act 1990 to update existing offences to cover importing tools for cyber crime (such as data or programmes designed for unlawfully accessing a computer system)"[2]. The government "will legislate as soon as the parliamentary timetable allows".[3]

Attacks Against Information Systems Directive

Amendments to the act are expected in 2014 to comply with the EU Attacks Against Information Systems Directive.[4]

Serious Crime Bill

The Serious Crime Bill announced in 2014 will amend the CMA, most likely to comply with the European directive.

Infosec company campaign

NCC Group, Orpheus Cyber, Context Information Security and Nettitude[5] wrote to the UK government in July 2019 to request CMA reform, on the grounds that methods of information and intelligence collection may be criminalised by the act.

NCA

It has been reported that the NCA is pushing for "new legislation and reforming the Computer Misuse and Theft Acts so they are ‘fit for purpose in the modern age’".[6]

Criminal Law Reform Now Network

The CLRNN, a network through which academics and legal experts research areas of the law they feel need improving, published a report in January 2020[7] recommending a public interest defence for cyber-threat intelligence professionals, academics and journalists.[8][9]

CyberUp campaign

A new campaign, CyberUp, was launched in 2020 with the aim of CMA reform. Supporters include F-Secure, NCC Group, and techUK.

CMA Review 2021

A review of the CMA was announced[10] by the Home Secretary at an NCSC event in May 2021.

Cyber Security Strategy 2022

Announced in the Cyber Security Strategy for 2022:

We will review the Computer Misuse Act (CMA) and relevant powers to ensure that law enforcement agencies have the ability to investigate new and emerging threats from criminals and introduce more specialist prosecutors to deal with the increasing number of cyber cases.[11]

Sir Patrick Vallance review of digital technology regulation

We recommend amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals, and would have a catalytic effect on innovation in a sector with considerable growth potential.

Issues

DRM

Microsoft have suggested that DRM be protected under a reformed Computer Misuse Act, so that it would be possible for computer users to be prosecuted for "unauthorised access" to their own computers. (See para 18, Revision of the Computer Misuse Act: Report of an Inquiry by the All Party Internet Group.)

Public interest defence

Press hacking enquiry campaigners Hacked Off are campaigning for a "public interest defence"[12][13] for several laws including the CMA.

Incidents where such a defence might have applied include the hacking of the emails of a man suspected of faking his own death[14], and a case where a BBC production bought access to a botnet as part of a story[15].

In October 2014 the Liberal Democrats accepted a policy proposal from Dr Evan Harris[16] that several laws, such as the Regulation of Investigatory Powers Act 2000 and the CMA, be amended to protect journalists.[17]

Legitimate tool use

There is also a danger that any reform will include the prohibition of "hacking tools", which would have profound effects on code as speech, as well as handcuffing legitimate security professionals. Making, supplying or obtaining articles for use in an offence is already prohibited by section 37 of the Police and Justice Act 2006.

Authorisation through Terms of Service

Computer users also have the right to defend their own systems against attack, and to research and investigate the networks in which they operate. This was part of the problem in the Daniel Cuthbert case, where a user checking the validity of a website he was using was later prosecuted for "unauthorised access".

The solution here is not reform, but establishing more clearly in case law the expectations of an experienced online user. The danger lies in blanket "terms of service" that set minimal rights for Net users, against common practice.

Applicability of CMA for Pro-Rights Cases

  • Could the Act be interpreted to disallow invasive DRM such as the Sony Rootkit, as similar laws in the US have been? (Possibly for acts that took place before the EULA was clicked. Arguably for subsequent behaviour if insufficiently described by the EULA, or if the EULA is not seen as authorisation --dob 01:44, 22 January 2006 (GMT) )

References