How effective has the Computer Misuse Act 1990 been in the fight against hacking-related offences? Do you believe that there is a need for legislative reform in this area?
The Computer Misuse Act1 (CMA) was introduced to address hacking-related crimes. However, as the internet has grown, there has been an increase in computer-related crimes; this shows that the law relating to internet-related crimes needs to be reformed. Natasha Jarvie states that the "defining characteristics of cybercrime is that its perpetration is only made successful through use of a global electronic network, which can transcend time and space."2 In other words, cybercrime is distinguishable from other offences, which simply use computers to commit crimes. The Council of Europe's Convention on Cybercrime is a treaty passed to deal with the crimes relating to computers which have arisen since the growth of the internet; the UK signed this treaty on 23 September 2001. There has been some reform in the form of the Police and Justice Act3 in relation to the area of '"Denial of Service" (DoS) attacks, and the creation and dissemination of "Hackers tools"'4.
However, there has been some development with these types of crimes, and therefore the question that has arisen is whether the CMA can cover the hacking-related crimes of the modern day. Firstly, to determine whether a reform of the 1990 legislation is needed, it is essential to look at the reasons why this legislation was brought in. Prior to the legislation, there was a debate over whether hacking-related crimes could be covered by existing legislation or whether new legislation relating to this crime would need to be enacted.
The R v Gold5 (and Schifreen) case highlighted a number of problems which indicated the necessity of a change in the law, and thus the Computer Misuse Act 1990 6. In this case, by looking over a user's shoulder, two individuals were able to obtain a password for a computer system. Using this password, Gold and Schifreen were able to obtain information on a number of individuals; they also gained access to the Duke of Edinburgh's personal computer. The issue that was raised before the court at first instance was whether information, i.e. a password, could be stolen; the court held that it could not, applying the decision of Oxford v Moss7.
Another issue which the court had to deal with was whether a machine could be deceived; the court held that it could not, applying Davies v Flackett8. The Divisional Court upheld the Magistrates' Court's reasoning that deception could only apply to a human mind and was therefore inapplicable to the deception of a machine. The Crown Court decided that a prosecution under the Forgery and Counterfeiting Act9 would be grounds for a more suitable conviction. This argument failed at appeal, where it was argued that there was no use of an instrument as required for the purposes of the act.
Moreover, it was stated that s. 8 (1)10 defines an instrument as items that are tangible and physical; a password was neither, and therefore the section could not be applied. Part d of this section also describes an instrument as an item "in which information is recorded or stored by mechanical, electronic or other means". The control area needed to have some degree of permanence; this was not the case, as the password was deleted straight after use. Therefore, the final decision of the Court of Appeal was not guilty. This case created considerable pressure to pass legislation dealing with unauthorised access to information.
The first major legislation that dealt with computer crime was the CMA11. While this act was passing through the legislature, it was stated that the "House of Commons was informed that there was some inadequacy in the law as it stood, 12 and that, if nothing were done, there was a real risk that the UK could become 'an international hackers' haven'13."14 This act brought into force three computer-related offences:
(i) Unauthorised access to computer materials;15
(ii) Unauthorised access to computer material with intent to commit or facilitate the commission of a further offence;16 and
(iii) Unauthorised modification of computer material. 17
Walden categorises crimes that involve computers, describing them as "the instrument of the crime, such as in murder and fraud, the object of the crime, such as theft of processor chips; or the subject of the crime, such as 'hacking' or 'cracking'"18. The Council of Europe's Convention on Cybercrime19 has set the foundation for international harmonization in this area, suggesting a change in legislation. This treaty has identified three substantive categories which legislation must address.
Anne Flanagan recognises these three areas and explains each of these categories and the crimes they concern. "The first is 'offences against the confidentiality, integrity and availability of computer data and systems' that includes illegal access, illegal interception, data interference, systems interference and misuse of devices. 20 The second is 'computer-related offences' that encompasses forgery and fraud. 21 The final division might be labeled content-related offences that address child pornography and infringements of copyright and related rights. 22"23 The CMA was enacted before the Cybercrime treaty was made; it is therefore impractical to assume that the CMA would comply with the crimes stated within the treaty. However, certain amendments have now been passed which do comply with some of the requirements stated within the treaty in respect of the enforcement of offences which are not criminal offences in the UK. During the passing of this act, the legislature considered the case law in the area of hacking, producing an act which made it illegal to commit such an offence.
However, this act was passed in hindsight and therefore did not consider other computer-related offences which may be committed. The CMA 1990 was subject to a lot of criticism; it was suggested that the legislature rushed to enact this legislation, and that it is therefore vague in the types of offences that it actually covers. The case of DPP v Bignall24 made apparent the faults within this legislation. In this case, the defendants were convicted under s. 1 of the CMA25 for obtaining details relating to two motor cars from the Police National Computer (PNC).
The DPP's argument throughout the trial was that the Commissioner of Police, who controlled access to the computer, gave the officers authority to access the information solely for police purposes; he argued that the use of the PNC for personal gain was therefore unauthorised. This argument failed in all courts on the grounds that s. 1 26 had been enacted to prevent unauthorised access, i.e. hacking, not to "protect the integrity of computers rather than the information stored on the computers"27, which it was stated in this case was the purpose of the Data Protection Act28 (DPA).
The courts looked at the definition of unauthorised as stated under section 17(5) 29 to decide whether the officers could be tried for having unauthorised access to the data held within the PNC. However, the definition states "he is himself not entitled to control access of the kind in question to the program or data"30; since the officers did have control to access the data stored within the PNC, it could not be held that they had unauthorised access, and therefore there was no breach of the CMA.
The case of R v Bow Street Magistrates Court and Allison (A.P.) ex parte Government of the United States of America31 also criticised the use of "unauthorised access" in the CMA and how it had been applied in the case of DPP v Bignall. 32 The House of Lords explained the true meanings of the provisions within the CMA and how they should be interpreted. Lord Hobhouse of Woodborough stated "… the authority must relate not simply to the data or programme but also to the actual kind of access secured."33 He adds to this point, stating: "[T]he word 'control' [does not mean] a physical sense of the ability to operate or manipulate the computer. It does not introduce any concept that authority to access one piece of data should be treated as authority to access other pieces of data 'of the same kind' notwithstanding that the relevant person did not in fact have authority to access that piece of data. Section 1 refers to the intent to secure unauthorised access to any programme or data. These plain words leave no room for any suggestion that the relevant person may say: 'Yes, I know that I was not authorised to access that data but I was authorised to access other data of the same kind'."34 Therefore, applying this judgement, the defendant, who had the ability, but not the authority, to access her employer's database, was held to be within the meaning of 'unauthorised access' under section 1 of the CMA.
It is apparent that this judgement conflicts with the decision in Bignall35, thereby causing further controversy over the act, since it does not give the courts a clear definition of "unauthorised access". Lord Hobhouse considered the Bignall decision carefully and stated it was "probably right"36. He distinguished the case of Bignall on the grounds that the access was authorised as "it was secured by the computer operators, who were authorised to access the PNC in response to requests from police officers"37.
The courts applied the doctrine of innocent agency; MacEwan states that the lack of mens rea by the computer operators "means that they should not have been viewed as participants in the alleged offences"38. He concludes this argument by stating, "… the Principal is the participant in the crime whose act is the most immediate cause of the innocent agent's act"39. Using this doctrine, the case was distinguished from the later Bow Street case. In his article, MacEwan explains the loopholes that "occurred in the application of the… Act".
The first loophole was illustrated in the case of DPP v Lennon41; this case concerned an email bombardment of a company's email system by a recently dismissed employee. He had been prosecuted under s. 3 of the CMA; however, since the email system was designed to receive emails, his sending of them was authorised. The official name for this is a Denial of Service (DoS) attack; this, however, was not an offence covered within the CMA and was therefore not a criminal offence, so the defendant could not be found guilty of it.