The Computer Misuse Act 1990: Lessons from its past and predictions for its future

Criminal Law Review

Volumn , Issue 12, 2008, Pages 955-967

  MacEwan, Neil ^a  

^a UNIVERSITY OF SALFORD   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 58049152718     PISSN: 0011135X     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Review

References (136)

1. May 1, 2002, April 5, 2005 and July 12, 2005.
2. Via ss.35-38 of the Police and Justice Act 2006. Although the PJA 2006 received Royal Assent on November 8, 2006, ss.35-38 did not come into force until October 1, 2008 (via The Police and Justice Act 2006 (commencement No.9) Order 2008). Note also that the Serious Crime Act (SCA) 2007 has amended PJA 2006 ss.35 and 36 by removing from them the offences of enabling unauthorised access to computer material, and enabling acts with intent to impair the operation of a computer etc.-see SCA 2007s.61(l), (2) and (3), respectively. Also, having abolished the common law offence of incitement (see s.59), the SCA 2007 has removed all references to offences of incitement from the CMA 1990-see SCA 2007 ss.6(3), 7(4), 8(3) and 9(2)(d).
3. The basic hacking offence in s. 1.
4. Ins.3.
5. Whiteley (1991) 93 Cr. App. R. 25.
6. See Confederation of British Industry, "Submission to the Law Commission on Working Paper No. 110 on Computer Misuse-The CBI Submission Pan II" (1990) 6(2) Computer Law and Security Report 23, 24.
7. See also Law Commission Working Paper No. l10, Computer Misuse (1988), para.3.62.
8. See R. Brown, "Computer-related Crime Under Commonwealth Law, and the Draft Federal Criminal Code" (1986) 10 Criminal Law Journal 377;
9. C. Tapper, '"Computer Crime': Scotch Mist?" [1987] Crim. L.R. 4; Law Commission Working Paper No.l 10, Computer Misuse (1988), para. 1.4; H. Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702;
10. D. Bainbridge, "Computer Misuse: What should the law do?" (1989) 133 S.J. 466.
11. In 1994/95.
12. This term has several meanings, but in this context is used to connote activities done in pursuit of unauthorised access to computer programs or data.
13. R. Wacks, Personal Information, Privacy and the Law (1988).
14. M. Wasik, "Law Reform Proposals on Computer Misuse" [1989] Crim. L.R. 257, 260.
15. Tapper, '"Computer Crime': Scotch Mist?" [1987] Crim. L.R. 4, 19.
16. Malone v Commissioner of Police of the Metropolis [1979] Ch. 344 and Oxford v Moss (1978) 68 Cr. App. R. 183, respectively.
17. O. Bowcott, "New hacking law 'too hard to enforce'", Guardian, August 29, 1990, p.2; Wasik, "Law Reform Proposals on Computer Misuse" [1989] Crim. L.R. 257, 260.
18. A. Christie, "Should the Law of Theft extend to Information?" (2005) 69(4) J. Crim. L. 349;
19. E. Wilding, "Hacked Off' (2006) 156 N.L.J. 753.
20. Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702, 703.
21. Bowcott, "New hacking law 'too hard to enforce'", Guardian, August 29, 1990, p.2; B. Napier, "An end to hacking?" (1989) 133 S.J. 1554.
22. Law Com. No.186, Computer Misuse. Cm.819 (1989), para.2.13.
23. Law Com. No.186, Computer Misuse. Cm.819 (1989), para.2.28.
24. D. Bainbridge, "Hacking-The Unauthorised Access of Computer Systems: The Legal Implications" (1989) 52 M.L.R. 236;
25. Bowcott, "New hacking law 'too hard to enforce'", Guardian, August 29, 1990, p.2.
26. The original CMA s.3 offence of "unauthorised modification" has now made way for the new s.3 offence of "unauthorised impairment", inserted via PJA 2006 s.36.
27. CMAss.l(l)(b),2(l) and 3(l)(a).
28. CMA ss.l7(5)(a) and (b), and 17(8)(a) and (b).
29. Law Com. No.186, Computer Misuse. Cm.819 (1989), para.3.35.
30. DPP v Bignell [1998] 1 Cr. App. R. 1.
31. At the very least, because it was stipulated in a manual which had been issued to them.
32. [1998] Crim. L.R. 54.
33. R. v Bow Street Magistrates' Court Ex p. Allison [2000] 2 A.C. 216.
34. M. Wasik, "Hacking, Viruses and Fraud" in Y. Akdeniz, C. Walker and D. Wall (eds), The Internet, Law and Society (2000), p.277.
35. I. Walden, Computer Crimes and Digital Investigations (2007), p. 166.
36. D. Ormerod (ed.), Smith and Hogan: Criminal Law, 11th edn (2005), p. 167.
37. Bonnett, unreported, November 3, 1995, Newcastle under Lyme Magistrates' Court.
38. Farquarson, unreported, December 9, 1993, Croydon Magistrates' Court.
39. Cropp, unreported, case note at (1991) 7 C.L.S.R. 168.
40. Attorney-General's Reference (No. 1 of 1991) [1993] Q.B. 94.
41. Bedworth, unreported, May 21, 1993, Southwark Crown Court.
42. C. Christian, "Down and Out in Cyberspace" (1993) 90 L.S. Gaz. 2.
43. Gold, Schifreen [1987] Q.B. 1116.
44. Y. Akdeniz, Encyclopedia of E-Commerce Law (2005), para.15.007.
45. See, e.g. "Canadian Teen Charged in Web site attack released", CNN.com, April 19, 2000, http://edition.cnn.com/2000/TECH/computing/ 04/19/dos.investtgation/index.html [Accessed September 21, 2008].
46. By malware which has been delivered either by spam email or via "drive-by downloads".
47. See the biannual Symantec Threat Report 2006, cited in "Denial-of-service hacking soars", BBC News, March 9, 2006, http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/4787474.stm [Accessed September 21, 2008].
48. e.g. threatened attacks against online betting websites in the lead-up to the Grand National race (http://www.timesonline.co.uk/tol/news/ articlel027674.ece [Accessed October 13, 2008]) and the Cheltenham Festival (http://www.theregister.co.uk/2004/03/17/online-extortionists-target- cheltenham [Accessed September 21, 2008]) in February and March 2004, respectively.
49. See, e.g. Hacktivists' attempt to disrupt ECHELON (the international electronic communications surveillance network) on Jam Echelon Day (October 21, 1999)-
50. see C. Oakes, "Monitor This, Echelon", at http://www.wired. com/politics/law/news/1999/10/32039 [Accessed September 21, 2008].
51. See, e.g. the recent allegations of the Estonian Government that Russian authorities were responsible for a wave of attacks upon their websites, designed to make the Baltic State's systems crash and paralyse its infrastructure-see http://www.timesonline.co.uk/tol/news/world/article1803847.ece [Accessed September 21, 2008].
52. All Party Internet Group Report, Revision of the Computer Misuse Act (June 2004), p. 10 (http://www. apcomms. org. uk).
53. Lennon, unreported, November 2, 2005, Wimbledon Magistrates' Court.
54. An example of a DoS attack.
55. Using a mail-bombing program named Avalanche, which he had downloaded from the internet.
56. T. Espinger, "Teenager cleared of email attack charge", ZDNet News, November 2, 2005 (http://news.zdnet.co.uk/security/0, 1000000189,39235359,00.htm [Accessed October 13, 2008]).
57. T. Espinger, "Denial of Service attacks are a legal 'grey area'", ZDNet News, November 2, 2005 (hap://news.zdnet.co.uk/ security/0,1000000189,39235148,00.htm [Accessed October 13, 2008]);
58. See also M. Whipp, "Computer Misuse Act crumbles as DoS attacker walks free", PC PRO News, November 3, 2005 (http:llwww.pcpro.co. uk/newsl79505/computer-misuse-act-crumbles-as-dos-attacker-walks-free.html [Accessed September 21, 2008].
59. DPP v Lennon [2006] EWHC 1201.
60. See M. Levi, Regulating Fraud (1987), p.136;
61. APIG Report, Revision of the Computer Misuse Act (2004), p.10;
62. National Hi-Tech Crime Unit 2005 Survey at http://www.nhtcu.org; CSI/FBI 2004 Survey at http://i.cmpnet.com/gocsi/dbarea/pdfs/fbi/FBI2004. pdf [Accessed October 13, 2008].
63. See also D.S. Wall, "Mapping out cybercrimes in a cyberspatial surveillant assemblage" in F. Webster and K. Ball (eds), The Intensification of Surveillance: Crime, Terrorism and Warfare in the Information Age (2003), pp. 112-136.
64. See Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702;
65. M. May, "How Hacking Law Could Weaken Security", The Times, April 20, 1989, p.32; Department of Trade and Industry Report, Dealing with Computer Misuse (2002).
66. Y. Akdeniz, "Section 3 of the Computer Misuse Act 1990: An Antidote for Computer Viruses!" (1996) 3 Web J.C.L.I. 7, http://webjcli.ncl.ac. uk/1996/issue3/akdeniz3.html [Accessed September 21, 2008].
67. Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702.
68. Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702.
69. Akdeniz, "Section 3 of the Computer Misuse Act 1990" (1996) 3 Web J.C.L.I. 6.
70. M. Wasik, "Conference Review: CBI Conference on Combating Computer Crime-Increasing Computer Security" (1989) 4(5) C.L.S.R. 4.
71. See B. Napier, "An end to hacking?" (1989) 133 S.J. 1554, 1556;
72. I. Lloyd et al., "Computer Misuse: The Law Commission Report-Report on a seminar at Westminster with Emma Nicholson MP on 23 October 1989" (1990) 5(5) C.L.S.R. 9, 10.
73. See M. May, "Call to arms against the computer virus", The Times, October 12, 1989, p.34;
74. M. Wasik, "Law Reform Proposals on Computer Misuse" [1989] Crim. L.R. 257; E. Wilding, "Hacked Off' (2006) 156 N.L.J. 753.
75. e.g. s.12 of the Regulation of Investigatory Powers Act 2000, and the Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 (SI 2002/1931).
76. See, e.g. Cornwall, "Hacking away at computer law reform" (1988) 138 N.L.J. 702; A. Charlesworth, "Addiction and hacking" (1993) 143 N.L.J. 540; APIG Report, Revision of the Computer Misuse Act (June 2004), p.10.
77. Now subsumed within the Serious Organised Crime Agency (SOCA).
78. APIG Report, Revision of the Computer Misuse Act (June 2004), p. 15.
79. Note that these data are on the principal offence basis-see http://www.apcomms.org.uk/apig/archive/activities-2004/computer-misuse- inquiry/computer-misuse-inquiry-written-evidence/Home-Office---CMA-regional- stats.xls [Accessed September 21, 2008];
80. see also http://www.mams.salford.ac.uklmamslpl?s=17&pid=69 [Accessed September 21, 2008].
81. In all courts.
82. See D. Rowland and E. Macdonald, Information Technology Law, 5th edn (2005), p.447;
83. See also APIG Report, Revision of the Computer Misuse Act (June 2004), paras 100-107.
84. Law Com. No.186, Computer Misuse. Cm.819 (1989), para.2.23.
85. Law Com. No.186, Computer Misuse. Cm.819 (1989), paras 2.24-2.25.
86. B. Napier, "Update on the CMA 1990" [1994] J.B.L. 522, 527.
87. See, e.g. A. Flanagan, "The Law and Computer Crime: Reading the Script of Reform" (2005) 13 I.J.L. &I.T. 98.
88. APIG Report, Revision of the Computer Misuse Act (June 2004), para.89.
89. Examples include the Melissa Virus (1999), the Sobig F Virus (2003) and the Sasser Worm (2004).
90. See, e.g. APIG Report, Revision of the Computer Misuse Act (June 2004), para.91.
91. M. Wasik, Crime and the Computer (1991), p.66.
92. See, generally, D. Miers, Responses to Victimisation (1978).
93. See, generally, H. Edelhertz, The Nature, Impact and Prosecution of White-Collar Crime (1970).
94. L. Lessig, Code and other laws of cyberspace (1999), p. 123.
95. Wilding, "Hacked Off" (2006) 156 N.L.J. 753.
96. Wilding, "Hacked Off' (2006) 156 N.L.J. 753.
97. D.S. Wall, "What are Cybercrimes?" (2005) 58 Criminal Justice Matters 20.
98. Through its 10 point Action Plan for Combating "Hi-Tech Crime'-see http://news.bbc.co.uk/1/hi/sci/tech/38671.stm [Accessed September 21, 2008].
99. Through its Convention on Cybercrime-see http://www.conventions.coe. int/Treaty/en/ Treaties/Html/185.htm [Accessed September 21, 2008].
100. Through its Framework Decision 2005/222/JHA on attacks against information systems-see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do? uri=CELEX:32005F0222:EN: HTML [Accessed September 21, 2008].
101. The maximum term of imprisonment on summary conviction has been raised to 12 months, and been set at 2 years on indictment-see the new s.1(3) of the CMA 1990, as amended by s.35 of the PJA 2006. However, at the time of writing (October 2008), s. 154(1) of the Criminal Justice Act 2003 has not yet come into force. This renders later, statutory references to 12 months' maximum sentences in the magistrates' courts (such as this one in the amended CMA) ineffective. Consequently, for now, the maximum term of imprisonment on summary conviction for ss.1, 2, 3 and 3A CMA offences remains at six months-see s.38(6) of the PJA 2006.
102. Art.6.
103. See http://www.conventions.coe.int/Treaty/en/Treaties/Html/185.htm [Accessed September 21, 2008]
104. See http://eur-lex. europa. eu/LexUriServ/LexUriServ. do?uri=CELEX:32005F0222:EN:HTML [Accessed September 21, 2008].
105. Which can be temporary-s.3(3)(c).
106. Walden, Computer Crimes and Digital Investigations (2007), p. 181.
107. See Art.5.
108. See Art.3.
109. See the new CMA s.3(3), as inserted by PJA 2006 s.36.
110. As inserted by PJA 2006 s.37.
111. APIG Report, Revision of the Computer Misuse Act (June 2004).
112. APIG Report, Revision of the Computer Misuse Act (June 2004), para. 75.
113. S. Fafmski, "Hacked Off' (2006) 150 S.J. 560, 561.
114. See s.3A.
115. See Art.6.
116. Including software-s.3A(3).
117. APIG Report, Revision of the Computer Misuse Act (June 2004).
118. Ethical hackers who seek, and then expose, computer and network security weaknesses.
119. Walden, Computer Crimes and Digital Investigations (2007), p. 196.
120. Hansard, HC Standing Committee D, col.262 (March 28, 2006).
121. Hansard, HC Standing Committee D, col.267 (March 28, 2006).
122. Quoted from a Home Office letter by the Earl of Northesk; see Hansard, HL Vol.684, col.612 (July 11 2006).
123. Hansard, HL Vol.685, col.213 (October 10, 2006).
124. Hansard, HL Vol.684, col.611 (July 11, 2006).
125. See, e.g. the recent hack into a US governmental email system-"Cyber attack on Pentagon email", BBC News, June 22, 2007-http://news. bbc.co.uk/1/hi/world/americas/6229188.stm [Accessed September 21, 2008].
126. See D.S. Wall, Cybercrime: The Transformation of Crime in the Information Age (2007), p.47.
127. Potent, malicious software in the form of meta-trojans which contain many layers of viral infection.
128. The other three being "code", markets and norms.
129. See generally, L. Lessig, CODE and other laws of cyberspace (1999).
130. L. Lessig, "The Law of the Horse: What Cyberlaw Might Teach" (1999) 113 Harvard Law Review 501, 546.
131. See, e.g. J.P. Barlow, "Thinking Locally, Acting Globally" Cyber-Rights Electronic List, January 15, 1996;
132. see also J. Wallace and M. Mangan, Sex, Laws and Cyberspace (1996).
133. See generally, J. Goldsmith and T. Wu, Who Controls the Internet? Illusions of a Borderless World (2006).
134. Goldsmith and Wu, Who Controls the Internet? (2006), p. 164.
135. See, generally, D.S. Wall, "Maintaining order and law on the Internet" in D.S. Wall (ed.), Crime and the Internet (2001).
136. The new ss.3 and 3A of the CMA.