Computer Misuse Act

The Computer Misuse Act is a piece of UK legislation that criminalizes unauthorized access to computer systems, unauthorized access with intent to commit further offenses, and unauthorized acts with intent to impair the operation of a computer. It aims to protect computer systems and data from unauthorized access and misuse, and it outlines penalties for individuals found guilty of such offenses.

Written by Perlego with AI-assistance

11 Key excerpts on "Computer Misuse Act"

  • Security and Crime Prevention in Libraries
    • Michael Chaney, Alan F. MacDougall (Authors)
    • 2019 (Publication Date)
    • Routledge (Publisher)
    There are also the more generalised problems of terrorism which are tending to increase in a society where more and more groups seem to emerge with a grievance that they are unable or unwilling to articulate by more rational means. Allied to this is the problem of hoaxers and sensation seekers whose aim is mainly to cause disruption rather than damage. Many managers will have experienced bomb hoaxes which have involved the troublesome and costly evacuation of buildings and shutdown of systems.

    The Computer Misuse Act 1990

    Mention was made earlier of the Computer Misuse Act 1990 as a recent component in the endeavour to combat IT crime and misuse. Whereas in the past legal sanctions for misuses relied on conventional approaches such as theft, trespass, and the like (which were sometimes difficult to establish) the new Act prescribes specifically for IT related wrongdoing. The Act defines three criminal offences for misusing computers:
    - unauthorised access to computer material (s. 1)
    - unauthorised access with intent to commit or facilitate commission of further offences (s. 2)
    - causing unauthorised modification of the contents of any computer (s. 3)
    A person commits the unauthorised access offence if ‘he causes a computer to perform any function with intent to secure access to any program or data held in any computer’ (s. 1(a)) and that ‘the access he intends to secure is unauthorised; and he knows at the time when he causes the computer to perform the function that this is the case’ (ss. 1(b) and (c)).
    The offence attracts a liability of imprisonment for up to six months and/or a fine of up to £2000 (s. 1(3)). Furthermore, the target of the offence need not be a specific programme or data or a particular machine (ss. 2(a), (b) and (c)).
    The second offence of unauthorised access with intent to commit or facilitate commission of further offences is clearly more serious and the maximum penalties available increase to five years imprisonment and/or an unlimited fine (ss. 3(5) (a) and (b)). It is immaterial whether the further offence is to be committed on the same or any future occasion as the unauthorised access offence (s. 3 (3)). Moreover, a person may be guilty of the offence even though it may be impossible to commit the further offence intended (s. 3(4)).
  • Practical Data Security
    • John Gordon (Author)
    • 2019 (Publication Date)
    • Routledge (Publisher)
    In addition, the UN Congress called for mutual assistance on criminal matters and an investment in research and analysis to find new ways to deal with computer crime.
    The economic stakes are large. If mutual understanding and harmonisation are not achieved, data havens will result and barriers will be erected which will thwart the free flow of information. Barriers could result in companies being unable to export their goods and services to countries which have lower degrees of legal protection for computers than their own (a threat which is perceived as extremely serious by the EC in its quest to establish the Single Market) and in governments restricting data flow between their country and others which have less-developed laws, especially in the area of Data Protection.

    10.6 Other Issues Not Directly or Obviously Addressed by the Computer Misuse Act

    10.6.1 Interaction with the Data Protection Act 1984

    The words ‘unauthorised’ and ‘access’ found in section 1(b) of the CMA also can be found in Schedule 1 of the Data Protection Act 1984 which urges data holders to take ‘appropriate security measures…against unauthorised access to, or alteration, disclosure or destruction of, personal data’.

    10.6.2 Bulletin boards

    The use of bulletin boards as a means of dealing in passwords and giving advice on how to hack into any given system constitutes an offence under the Computer Misuse Act.

    10.6.3 Misuse of computer time and services

    Since it is not a criminal offence to use your firm’s electric typewriter for personal business (although I am sure many office managers would like to make it one!), why should the use of the firm’s computers for the same purpose be made into an offence? Hence, the absence of such an offence from the UK statute. However, it is not inconceivable that some activities would fall under the CMA, e.g. accessing the firm’s copy of Word Perfect without authorisation (hacking) or using up a substantial amount of processing power and thereby causing corruption to stored data (unauthorised modification to data).

    10.6.4 Fraud

    Fraud has proven to be a difficult issue for legislators in all jurisdictions. Under most definitions, fraud turns on the deceit of the human mind. Since it is not (yet) possible to deceive a machine, fraud in itself is not an actionable offence under computer crime statutes. However, there is clearly a recognition of the link between unauthorised access and fraud, a link which the Law Commission addressed.
  • Cybersecurity Law
    eBook - ePub
    • Jeff Kosseff (Author)
    • 2017 (Publication Date)
    • Wiley (Publisher)
    Some prosecutors, plaintiffs, and courts have adopted particularly broad views of these anti-hacking laws. Many of these statutes prohibit not only traditional unauthorized access but the unauthorized use or transfer of information, or circumvention of access controls. Indeed, the laws often present barriers to cybersecurity researchers who are seeking to identify software bugs and other flaws in order to help companies improve the security of their products and services. At the same time, companies that often are the victims of hacking argue that the laws are not strong enough to deter the worst behavior. Anti-hacking legislation is particularly a concern for companies that experience widespread theft of their trade secrets and other confidential information.
    In short, there is little agreement about the scope and reach of computer hacking laws. For that reason, many of the laws discussed in this chapter are still controversial, and a number of key political players have long called for significant amendments to the laws.

    5.1 Computer Fraud and Abuse Act

    The Computer Fraud and Abuse Act is the primary U.S. federal statute that prohibits and penalizes certain forms of computer hacking. The statute imposes both criminal and civil penalties for actions taken by an individual who either lacks authorization to access a computer or exceeds authorized access to that computer.

    5.1.1 Origins of the CFAA

    Congress passed the CFAA due to a growing concern about computers becoming increasingly networked and subject to unauthorized access, compromising sensitive data such as credit card numbers. The modern version of the CFAA is based on a 1986 amendment to a 1984 law, the Counterfeit Access Device and Computer Fraud and Abuse Act, which was focused primarily on hacking financial institutions and the federal government. Rather than only addressing particular types of sensitive information, Congress chose to regulate the method by which people access all information without proper authorization. As the 1984 House Judiciary Committee Report accompanying the initial bill noted, experts testified in committee hearings “that we need to shift attention in our statutes from concepts such as ‘tangible property’ and credit and debit instruments to concepts of ‘information’ and ‘access to information.’”1
  • Computer Misuse: Response, Regulation and the Law
    eBook - ePub
    • Stefan Fafinski (Author)
    • 2013 (Publication Date)
    • Willan (Publisher)
    13
    13 Police Officer 1.
    What would be the point in going to the police? They're not going to recover our data. Even if there's a miracle and they do catch whoever's done it, we'll still be out of pocket. Locking someone up won't help us.14
    14 User 3.
    It seems therefore that the 1990 Act has not been greatly exercised in comparison to the growth of the problem of computer misuse. In order to explore why this might be the case, the next section will consider the ways in which it has been applied and examine whether the Act presents particular interpretative challenges for the court.

    Interpretation of the Computer Misuse Act 1990¹⁵

    15 See also Fafinski, S., ‘Access denied: computer misuse in an era of technological change’ (2006) 70 Journal of Criminal Law 424.

    Section 1 — The basic hacking offence

    Early judicial interpretation of this section was somewhat curious. In R v. Cropp,16 the defendant visited his former employer and obtained a 70 per cent discount on goods by entering the discount on the computerised till part way through a transaction, while the sales assistant was absent in the storeroom checking details of the serial number of the goods in question. This resulted in an invoice for £204.60 plus VAT instead of the correct sum of £710.96 plus VAT. Cropp was charged under section 2(1) of the 1990 Act, allegedly having secured unauthorised access to a computer in contravention of section 1(1) of the 1990 Act with intent to commit the further offence of false accounting.17
  • Handbook of Internet Crime
    • Yvonne Jewkes, Majid Yar (Authors)
    • 2013 (Publication Date)
    • Willan (Publisher)
    Chapter 19) concentrates on the UK in order to trace the emergence of laws focused upon computer misuse, culminating in the passing of the landmark Computer Misuse Act (CMA) of 1990. He points out that, prior to the 1980s, computers were largely specialist technological devices used for a narrowly defined range of commercial and scientific applications. There was, during this period, little or no sense that computer use entailed specific problems of security or criminal conduct, and this was mirrored in the conspicuous absence of laws related to computerised systems. The 1980s constituted a watershed in both respects, as the development of low-cost and increasingly powerful semi-conductor technology fuelled a massive computer boom. Increasingly sophisticated devices, offering an ever-widening array of applications, became more and more commonplace in both the home and workplace. In tandem with these changes, business users of computer systems began to report incidences of misuse, often perpetrated by technologically literate employees, while popular press reportage presented dramatic tales about the risks presented by computer ‘hacking’. Yet, as Wasik argues, the legal establishment in the UK was profoundly divided over the need for any additional legal innovations to address computer-related offences, with some going so far as to dismiss wholesale the idea that computer crimes represented anything new or distinctive. The ‘sceptics’ claimed that computer-related offences could be adequately prosecuted under existing laws covering criminal damage, theft, fraud, and suchlike. This view was sustained, at least initially, by the Law Commissions of Scotland and of England. However, the pressure for change built inexorably as a number of criminal convictions for computer-related offences were quashed upon appeal, highlighting clearly the gaps and ambiguities in existing criminal law when applied to the domain of computers. The Law Commission of England was charged with producing a report on the matter, and its recommendations were subsequently used as the basis of the provisions of the 1990 Act. The Act made it a criminal offence to attempt ‘unauthorised access’ to a computer system, whether undertaken as an end in itself or with intent to commit a further offence. It also prohibited the unauthorised modification of a computer system, such that this would interfere with its normal operation. Taken together, these provisions effectively covered a wide range of computer-related offences, including those commonly adduced by terms such as ‘hacking’, ‘viruses’, ‘malware’ and ‘denial of service attacks’. In this way, the CMA effectively anticipated many of the high-profile computer crime problems that came to the forefront as the networked technologies of the Internet and World Wide Web rose to prominence in the course of the 1990s.
    Building on the developments explored by Wasik in the first chapter of this Part of the Handbook, Lilian Edwards, Judith Rauhofer and Majid Yar trace and evaluate further legal innovations in the UK, discussing primarily offences occurring in the online environment (Chapter 20). They address both substantive laws aimed at curtailing online offences, and laws that regulate the policing of computer-related crimes. With respect to the former, they focus upon two areas that have arguably generated the most intense concern, namely pornography/obscenity and terrorism-related offences. As noted elsewhere in the Handbook, pornography (especially child pornography) is often identified by legislators, users and law enforcement officials as one of the most urgent and serious crime problems of the Internet era (see Chapters 16 and 17 by Bryce and Quayle, this volume). Edwards et al.
  • Cyberterrorism: The Legal And Enforcement Issues
    eBook - ePub
    • Pardis Moslemzadeh Tehrani (Author)
    • 2017 (Publication Date)
    • WSPC (EUROPE) (Publisher)
    158 This Act emphasises the point that impairment will be caused but it does not matter that the conduct is either intentional or reckless. It can be used in several situations; for instance, when a user intentionally causes the deletion of a program or data held on a computer and the question of how this conduct happened is not important. Other instances may be when the offence is committed when the data is added to a computer, or a computer is infected by a virus or the offence may be committed with a logic bomb or by adding a program to the computer system with the intent to cause inconvenience to the computer user. In fact, according to Section 3(5) of the Computer Misuse Act, it is not important whether a modification is permanent or temporary. Furthermore, it does not require the degree of impairment to be either substantial or significant.
    According to Section 3(3) of the Computer Misuse Act, if a person creates a computer virus and sends it out into the world with the intent of infecting other computers, the offence is committed. In the case of Christopher Pile, aka “the Black Baron”, he created a virus on the internet. Every computer that downloaded this program was infected. The impairment caused by the virus was estimated at US$500,000 and he was convicted under the Act and sentenced to 18 months’ imprisonment. Therefore, the Computer Misuse Act can be used against those who intentionally cause a computer to be infected. It is difficult for the prosecutor to prove the intent of the perpetrator. Notably, the government and the National High Technology Crime Unit (HTCU) believe that Section 3 covers DoS attacks.
    One of the most significant issues which arises regarding unauthorised access is the DoS attack offence. This type of attack can be launched against commercial websites and is simultaneously a tool for cyber attackers to launch their cyber terrorist attacks. The UK has one of the highest proportions of “bot-infected” computers, because of the rapid take-up of broadband activity. The perpetrators of these activities mostly use computers called “zombie computers” or “botnets” that act under the control of the perpetrator without the real owner’s knowledge. Most cyber terrorists launch DoS attacks as seen in previously mentioned cases in this book. The Computer Misuse Act attempts to cover this kind of offense. Section 3 of the Act is able to address all such activities, and such activities have the necessary intent to cause modification or impairment. In the original Section 3, such offences were not considered under this Act. But after a case which happened in 2005, where a teenage boy carried out a DoS attack against his former employer using a specialist email bomb, Judge Grant at Wimbledon Magistrates’ Court in November 2005, stated:
  • Policing Digital Crime
    • Robin Bryant (Author)
    • 2016 (Publication Date)
    • Routledge (Publisher)
    Chapter 4: Law and Digital Crime
    Ed Day with Robin Bryant

    Introduction

    Between 2006 and 2010 there were only 90 convictions in the UK under the Computer Misuse Act 1990 (total derived from data given in Hansard, 2012). Further, the number of convictions per year actually fell between 2006 and 2010 (from 25 to 10, ibid.). Yet it seems inconceivable that this small absolute number and relative decline is the result of fewer ‘computer crimes’ being committed. Part of the explanation for this apparent paradox is that many of the crimes within the UK that occur online, or with other digital characteristics, are prosecuted under alternative legislation such as the Fraud Act 2006. For example, hacking is covered explicitly by the Computer Misuse Act 1990 (CMA), and although it might be involved in enacting extortion (for example), it is the extortion that is likely to be prosecuted as this will carry the heavier penalty on conviction.
    Deciding how to make best use of the inevitably limited resources for tackling digital crime is a key aspect of a pertinent debate. It is estimated that the amount spent on defending against cybercrime (for example the cost of anti-virus software) is far higher than the amount spent on policing cybercrime (the actual apprehension and prosecution of offenders). However, research suggests that a small number of criminal networks are responsible for a large number of cybercrime incidents, so the money might be better spent on targeting these groups rather than trying to defend against the incidents in the first instance. If this is the case then legislation will have a key role to play in the efficient policing of digital crime, and it is vital that the legislation be appropriate, reasonable and logically targeted.
    Many difficulties arise when using legislation for targeting crimes committed in rapidly changing technical contexts, not least of which is that it is difficult for the details of new legislation to keep pace with technological change. In addition the multi-jurisdictional nature of much digital crime presents additional challenges, as does the fact that legislation has to exist within complex political systems, for example the UK must follow European Union directives when creating legislation to combat much cybercrime. There are also debates on the necessary extent and the nature of such regulation. Many argue that there is too much legislation (Wilson, 2010) but others insist that more laws are required to protect individuals, e-commerce and society. Regulation of course may have unintended effects, for example on privacy (Busch, 2012), and this further colours the debate on how far cyberspace should be regulated.
  • A Socio-Legal Study of Hacking: Breaking and Remaking Law and Technology
    eBook - ePub
    • Michael Anthony C. Dizon (Author)
    • 2017 (Publication Date)
    • Routledge (Publisher)
    There is no question that the criminalization and prosecution of malicious activities and destructive cyber attacks on computer systems and data are proper under the law. However, due to the vagueness and excessive breadth of the law, the crime of illegal access strikes at the heart of hacking since it broadly prohibits access to and use of computer systems and data and it does not provide adequate exemptions or qualifications for creative and benign forms of hacking. 67 As previously mentioned, free and open access to information and technology and being able to use them in new, innovative and unexpected ways are conditions and goals of hacking. 68 But, since hackers can, legally speaking, only enter or access a computer or system that they own or have authority or permission to use (otherwise they may be subject to criminal prosecution), their present and future practices, activities and projects are severely inhibited. 69 The far-reaching impact of the crime of illegal access on makers and hacktivists is all the more apparent when viewed in light of the six common acts of hacking. Under computer crime laws, hackers are generally forbidden by default to explore or break a computer system without permission even if the aim is to learn how it works. As a consequence, they cannot create new technologies or produce innovations that they can share with others. Furthermore, and here’s the rub, by not being able to hack and test a computer system, hackers cannot make it more secure, which ironically is one of the prime objectives of computer crime laws. 70 Expecting or requiring hackers to seek or obtain prior permission from system owners before they can creatively explore a system is unrealistic given that it is not in their character to ask for permission first before accessing or using technology
  • Information Technology Law
    • Uta Kohl, Andrew Charlesworth (Authors)
    • 2016 (Publication Date)
    • Routledge (Publisher)
    Prosecutions and penalties

    Significant problems of detection have bedevilled apprehension of computer criminals throughout the history of the enforcement of the CMA and the statute does not appear to have had conspicuous success in deterring or apprehending computer criminals. Although there have been some high-profile cases, the total number of prosecutions under the Act has been relatively small.179 There may be many reasons for this; prosecution of computer crime may not be a priority; police forces may lack relevant expertise; it can be difficult to track down and locate the alleged offenders; the offenders can easily be in a different jurisdiction. Even where there have been prosecutions, in the UK, at least, these have not often attracted severe penalties although it appears that s 3 offences are possibly treated more seriously than s 1 ‘hacking’ offences – the criminal ‘intent’ and the damage in the former presumably being more obvious in relation to the introduction of malware than in cases of hacking.
    In Pile, the first case using CMA, s 3 following its introduction, a custodial sentence of 18 months was imposed. Many virulent virus programs have since been unleashed on the world’s computer networks causing damage estimated at many billions of dollars. The originators of some of the more high-profile attacks have been detected, although not necessarily apprehended. The creator of the ‘Melissa’ virus, the major effect of which was to cause infected computers to send emails containing an infected attachment to the first 50 names in the user’s computer address book, was prosecuted in the USA under 18 USC § 1030 and sentenced to 20 months’ imprisonment, together with a fine of US$5,000.180 On the other hand, although Filipino ex-computer science student Onel de Guzman was identified as the creator of the ILOVEYOU virus referred to at the beginning of this section, there were no appropriate charges that could be brought against him in the Philippines181 and, as there was no Filipino computer crime statute at the time, neither could he be extradited to stand trial elsewhere.182 The writer of the Anna Kournikova virus voluntarily confessed, and was charged and convicted in the Netherlands; two people have appeared in court in connection with the Blaster worm;183 and in the UK, a man was jailed for two years for releasing viruses onto the internet. In the unsuccessful appeal against sentence in the latter case, Penry-Davey remarked that ‘criminal conduct of this kind has the capacity to cause disruption, consternation and even economic loss on an unimagined scale’,184
  • Living With Hacktivism: From Conflict to Symbiosis
    eBook - ePub

    106 The strict calculating philosophy that permeates cybercrime legislation thus renders the traditional route of applying the cybercrime legal regime to acts that are not meant to cause damage and loss as their primary goal problematic, since hacktivists would easily be charged with felonies and the ensuing high penalties from those charges.
    A relatively similar inclusive and increasingly punitive rationale is followed in the UK. The analogous UK provision is Section 3 of the CMA, providing that whoever knowingly performs any unauthorised act in relation to a computer with the intention to impair the operation of any computer, prevent or hinder access to any program or data held in any computer, impair the operation of programs or reliability of data or enable such actions107 could incur penalties of imprisonment of up to ten years and/or fine on indictment, while up to a year and/or fine on a summary conviction (6 months in Scotland).108 Section 3(3) also broadens the scope of the offence by criminalising the recklessness of the offender regarding the realisation of these impairing/damaging effects.
    The Serious Crime Act 2015 recently introduced through Section 41 a new addition to the CMA (Section 3ZA) meant to deal with more serious unauthorised acts that cause, or create a risk of, serious damage. The act is meant to explicitly criminalise acts that could have an impact on national security and critical infrastructures of a state, such as transportation, water, and electricity supply or healthcare. In relation to hacktivism, the act involves the causing of significant risk of serious damage to human welfare, which is further defined to include disruption of a system of communication. In fact, according to Section 4, it is immaterial whether the unauthorised act causes that damage directly. Mens rea also extends to recklessness
  • Electronic and Mobile Commerce Law: An Analysis of Trade, Finance, Media and Cybercrime in the Digital Age
    eBook - ePub

    488. Section 15(1).
    489. D. Ormerod, Smith and Hogan Criminal Law, 12th edn (Oxford, 2008), p. 718.
    490. Section 113(2).
    491. Wall, Cybercrime, op. cit., p. 52.
    492. Often, such activities are directed towards further criminal ends, such as fraud and blackmail.
    493. As amended by ss. 35-38 of the Police and Justice Act 2006. Although the PJA 2006 received Royal Assent on 8 November 2006, ss. 35-38 did not come into force until 1 October 2008 (via the Police and Justice Act 2006 (Commencement No. 9) Order 2008). Note also that the Serious Crime Act 2007 amended ss. 35 and 36 PJA 2006 by removing from them the offences of enabling unauthorised access to computer material, and enabling acts with intent to impair the operation of a computer etc. - see ss. 61(1), (2) and (3) SCA 2007, respectively. Also, having abolished the common law offence of Incitement (see s. 59), the SCA 2007 removed all references to offences of incitement from the Computer Misuse Act 1990 - see ss. 6(3), 7(4), 8(3) and 9(2)(d) SCA 2007.
    494. Note that the term has been applied somewhat variably to a range of both legal and illegal activities concerning computer systems etc. See further, P.A. Taylor, ‘Hackers - Cyberpunks or Microserfs?’, in Thomas and Loader, Cybercrime, op. cit., p. 36. See also, Yar, Cybercrime and Society, op. cit., p. 22.
    495. C. Tapper, ‘“Computer Crime”: Scotch Mist?’, (1987) 4 Criminal Law Review 19.
    496. 29 August 1990.
    497. For further discussion of this conceptual basis, forming part of a detailed critical analysis of the CMA, see N. MacEwan, ‘The Computer Misuse Act 1990: Lessons from its Past and Predictions for its Future’, (2008) Criminal Law Review 955.
    498. Sc Law Com No. 106 (1987).
    499. Law Com No. 186 (1989).
    500. [1988] 1 AC 1063.
    501. Albeit, a relatively unsophisticated one. They surreptitiously noted and memorised a BT engineer’s password as he entered it when demonstrating the Prestel
Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.