Computer Misuse Act 1990

Introduction

This guidance is designed to assist prosecutors considering cases involving offences or attacks against computer systems such as hacking or denial of service (DOS) attacks. The Computer Misuse Act (CMA) has been updated a number of times in line with changes in technology and criminal activity and to give the court increased sentencing powers.

What is a Computer?

The CMA does not provide a definition of a computer because rapid changes in technology would mean any definition would soon become out of date.

Definition is therefore left to the Courts, who are expected to adopt the contemporary meaning of the word. In DPP v McKeown, DPP v Jones [1997] 2 Cr App R 155, HL, at page 163, Lord Hoffmann defined a computer as a "device for storing, processing and retrieving information."

The Council of Europe Cybercrime Convention definitions may also assist:

a) "computer system" means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;

b) "computer data" means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.

Jurisdiction

The CMA provides jurisdiction to prosecute where there is a significant link with the domestic jurisdiction: this would include the fact that the accused or the target computer was in England and Wales.

The Serious Crime Act 2015 extends the existing categories of "significant link to the domestic jurisdiction". It provides a legal basis to prosecute a UK national who commits any section 1 to 3A offence whilst outside the UK, where the offence has no link to the UK other than the offender's nationality, provided the act was also an offence in the country where it took place. The extended extra-territorial jurisdiction arrangements also apply to conspiracy or attempts to commit offences under the CMA.

In relation to an offence under section 3ZA, any of the following is also a significant link with the domestic jurisdiction:

(a) that the accused was in the home country concerned at the time when he did the unauthorised act (or caused it to be done);

(b) that the unauthorised act was done in relation to a computer in the home country concerned;

(c) that the unauthorised act caused, or created a significant risk of, serious damage of a material kind (within the meaning of that section) in the home country concerned.

The jurisdiction of the court at common law is fairly extensive. For instance, where an offender had produced racially inflammatory material and posted it on a website hosted by a remote server in the United States, they could be tried in the United Kingdom because a substantial measure of their activities had taken place in the UK, as required by the test laid down in R. v Smith (Wallace and Duncan) (No 4) [2004] EWCA Crim. 631, [2004] Q.B 1418. See also R v Sheppard and R v Whittle [2010] EWCA Crim. 65.

The Offences

Section 1 CMA - Unauthorised Access to computer material

Section 1 of the CMA legislates against unauthorised access to computer material.

1 (1) A person is guilty of an offence if -

(a) he causes a computer to perform a function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;

(b) the access he intends to secure, or enable to be secured, is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that this is the case.

1 (2) The intent a person has to have to commit an offence under this section need not be directed at -

(a) a particular program or data;

(b) a program or data of a particular kind; or

(c) a program or data held in a particular computer.

Summary: Maximum six months imprisonment and/or a fine not exceeding level five on the standard scale.

Sections 1 and 2 of the CMA must be read in conjunction with the interpretation section at section 17.

Section 1 can be regarded as the basic offence and is frequently the precursor to the commission of other, more serious offences. The offence is complete once a defendant has caused a computer, which would include his own computer, to perform a function with intent to secure access; whether such access is actually secured is irrelevant.

The intent under section 1 of the CMA need not be directed at:

1. Any particular program or data;

2. A program or data of any particular kind; or

3. A program or data held in any particular computer.

The concept of authorisation is key to understanding the Act. The Convention on Cybercrime uses the concept of "access without right", which may be a useful analogy.

Section 17 gives the interpretation of "unauthorised access" for the purpose of section 1. Access is unauthorised where an individual is not entitled to, or has not been given consent for, the type of access in question.

The offence of unauthorised access requires proof of two mens rea elements under section 1(1):

  1. there must be knowledge that the intended access was unauthorised;
  2. there must have been an intention to secure access to any program or data held in a computer.

There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. This covers not only hackers but also employees who deliberately exceed their authority and access parts of a system officially denied to them.

In the case of R v Bow Street Magistrates' Courts and Allison (AP) Ex parte Government of the United States of America [Allison] [2002] 2 AC 216, the House of Lords considered whether an employee could commit an offence of securing "unauthorised access" to a computer contrary to section 1 of the CMA. It was held that the employee clearly came within the provisions of section 1 of the CMA as she intentionally caused a computer to give her access to data which she knew she was not authorised to access. Their Lordships made it clear that an employee would only be guilty of an offence if the employer clearly defined the limits of the employee's authority to access a program or data.

In the earlier case of DPP v Bignell [1998] 1 Cr App R 8, two police officers, who were authorised to request information from the police national computer (PNC) for policing purposes only, requested a police computer operator to obtain information from the PNC which, unbeknown to the operator, was for their own personal use. The Divisional Court held that the two officers had not committed a section 1 unauthorised access offence. The House of Lords in Allison did not overrule the decision in Bignell, but stated that the conclusion of the Divisional Court in the earlier case was probably right. The House of Lords went on to say:

"it was a possible view of the facts that the role of the officers in Bignell had merely been to request another to obtain information by using the computer. The computer operator did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed under section 1 of the CMA."

Prosecutors dealing with CMA cases involving employees should carefully assess the employee's contract of employment together with any surrounding information (for example, oral advice given or office practices) in order to determine whether the employer had clearly defined the limits of the employee's authority. Such cases normally depend on whether the evidence available demonstrates sufficiently strongly that the conduct complained of was unauthorised. This has to be assessed on a case-by-case basis applying the Code for Crown Prosecutors.

In R Lennon [2006] EWHC 1201 (Admin) the court considered the circumstances in which authority might be implied in the context of emails, saying that whilst the owner of a computer able to receive emails would ordinarily be taken to have consented to the sending of emails to his computer, such implied consent was not without limits, and did not cover emails that had been sent in order to interrupt the computer system.

In some circumstances prosecutors should also consider section 55 of the Data Protection Act 1998, which is punishable by a fine, as an alternative charge to a section 1 CMA offence.

Section 2 CMA - Unauthorised Access with intent to commit or facilitate commission of further offences.

Section 2 of the Act creates an offence of securing unauthorised access to computer material with intent to commit or facilitate a further offence. It is also a precursor offence.

2(1) A person is guilty of an offence under this section if he commits an offence under section 1 ('the unauthorised access offence') with intent -

(a) to commit an offence to which this section applies; or

(b) to facilitate the commission of such an offence (whether by himself or by another person);

and the offence he intends to commit or facilitate is referred to in this section as the further offence.

2(2) This section applies to offences-

(a) for which the sentence is fixed by law; or

(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years.

2(3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.

2(4) A person may be guilty of an offence under this section even though the commission of the further offence is impossible.

Summary: Six months imprisonment and/or a fine not exceeding the statutory maximum.

Indictment: Imprisonment for a term not exceeding five years and/or a fine.

A person can be found guilty of a section 2 offence even if the commission of the further offence is impossible (section 2(4) CMA). A person found not guilty of a section 2 or 3 CMA offence by a jury can be convicted of a section 1 CMA offence.

Section 3 CMA - Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer

Section 3 of the CMA concerns offences committed through unauthorised acts with intent to impair, or with recklessness as to impairing the operation of a computer.

3(1) A person is guilty of an offence if-

(a) he does any unauthorised act in relation to a computer. (This section is about unauthorised acts and is not confined to unauthorised access to data though it would include such access)

(b) at the time when he does the act he knows that it is unauthorised; and

(c) either subsection (2) or subsection (3) below applies.

3(2) This subsection applies if the person intends by doing the act-

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in a computer, or

(c) to impair the operation of any such program or the reliability of any such data;

3(3) This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (c) of subsection (2) above.

3(4) The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to-

(a) any particular computer;

(b) any particular program or data; or

(c) a program or data of any particular kind.

3(5) In this section -

(a) a reference to doing an act includes a reference to causing an act to be done;

(b) 'act' includes a series of acts;

(c) a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.

Summary: 12 months imprisonment and/or a fine.

Indictment: 10 years imprisonment and/or a fine.

Section 3 of the CMA should be considered in cases involving distributed denial of service (DDoS) attacks, as:

(1) the term "act" includes a series of acts;

(2) there is no need for any modification to have occurred, and

(3) the impairment can be temporary.

If a computer is caused to record information which shows that it came from one person when it in fact came from someone else, that manifestly affects its reliability, and thus the reliability of the data in the computer is impaired within the meaning of section 3(2)(c): Zezev and Yarimaka v. Governor of H.M. Prison Brixton [2002] EWHC 589 (Admin).

Simply modifying the contents of a computer is not criminal damage within the meaning of section 10 of the Criminal Damage Act 1971. In Cox v Riley (QBD) 1986, the court stated that it shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer storage medium impairs its physical condition.

Section 3ZA - Unauthorised acts causing, or creating risk of, serious damage.

Section 3ZA is primarily aimed at those who seek to attack the critical national infrastructure. (Depending on the motives of the perpetrator, terrorist legislation may be appropriate.)

(1) A person is guilty of an offence if-

(a) the person does any unauthorised act in relation to a computer;

(b) at the time of doing the act the person knows that it is unauthorised;

(c) the act causes, or creates a significant risk of, serious damage of a material kind; and

(d) the person intends by doing the act to cause serious damage of a material kind or is reckless as to whether such damage is caused.

(2) Damage is of a "material kind" for the purposes of this section if it is -

(a) damage to human welfare in any place;

(b) damage to the environment of any place;

(c) damage to the economy of any country; or

(d) damage to the national security of any country.

(3) For the purposes of subsection (2)(a) an act causes damage to human welfare only if it causes-

(a) loss to human life;

(b) human illness or injury;

(c) disruption of a supply of money, food, water, energy or fuel;

(d) disruption of a system of communication;

(e) disruption of facilities for transport; or

(f) disruption of services relating to health.

(4) It is immaterial for the purposes of subsection (2) whether or not an act causing damage-

(a) does so directly;

(b) is the only or main cause of the damage.

(5) In this section-

(a) a reference to doing an act includes a reference to causing an act to be done;

(b) "act" includes a series of acts;

(c) a reference to a country includes a reference to a territory and to any place in, or part or region of, a country or territory.

Indictment only: 14 years and/or a fine unless the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in section 3 (a) and (b), in which case a person guilty of the offence is liable to imprisonment for life and/or a fine.

Section 3A CMA - Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.

Section 3A of the CMA creates offences designed to criminalise those who make or supply "malware". Prosecutors need to take care when considering software that can be used both legitimately and illegitimately. Whether an offence has been committed will depend on demonstrating that the offender has the necessary intent, as the Act does not criminalise possession in itself.

(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under [section 1, 3, or 3ZA].

(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under [section 1, 3 or 3ZA].

(3) A person is guilty of an offence if he obtains any [article] -

(a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA; or

(b) with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.

(4) In this section "article" includes any program or data held in electronic form.

Summary: 12 months imprisonment and/or a fine.

Indictment: Two years imprisonment and/or a fine.

Section 3A(2) of the CMA covers supplying or offering to supply an article "likely" to be used to commit, or assist in the commission of, an offence contrary to section 1 or 3. "Likely" is not defined in the CMA but, in construing what is "likely", prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; for example, whether the article was circulated to a closed and vetted list of IT security professionals or was posted openly.

In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:

  • Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
  • Is the article available on a wide scale commercial basis and sold through legitimate channels?
  • Is the article widely used for legitimate purposes?
  • Does it have a substantial installation base?
  • What was the context in which the article was used to commit the offence compared with its original intended purpose?

If prosecutors have any questions relating to the application of section 3A CMA please contact the Policy Helpdesk in the Operations Directorate.

Alternative Offences

Prosecutors may wish to consider whether the "article" might be intended for use in fraud and consider whether there is an offence contrary to section 7 and/or section 6 of the Fraud Act 2006. An offence of making or supplying articles for use in fraud contrary to section 7 is punishable by a maximum of 10 years' imprisonment. An offence of possession of articles for use in fraud contrary to section 6 is punishable by a maximum of 5 years' imprisonment.

Sentencing Cases

R v Brown (Charles) [2014] EWCA Crim 695

Charles Brown, 39, was convicted of one count of possession of articles for use in fraud contrary to s. 6(1) of the Fraud Act 2006 and two counts of securing unauthorised access to computer material with intent contrary to s. 2(1) of the CMA. The CMA counts related to access to bank accounts. The basis of the fraud count was possession on the appellant's computer of the stolen bank and credit card details.

The appellant's modus operandi involved changing details online and the subsequent impersonation of the account holders in order to obtain a new card and PIN.

There was no actual loss. The potential loss from the 83 accessed accounts was almost £500,000, but that was based on the maximum credit limits for the accounts. The appellant and the prosecution agreed that the potential loss was in fact just over £200,000.

The trial judge sentenced him to a total of 3 years imprisonment.

The Court of Appeal disapproved of the use of notional loss in determining sentence and, since there was no actual loss suffered in this case, sentenced him to a total of 2 years imprisonment.

R v Martin (Lewes Stephen) [2013] EWCA Crim 1420

Lewes Martin, aged under 21 at the time of the offences, pleaded guilty to computer misuse offences contrary to sections 1, 2, 3 and 3A relating to DOS attacks against the Oxford and Cambridge University websites, the Kent Police websites and offences targeting two private individuals (including unauthorised use of a person's PayPal account). His sentence of two years was upheld on appeal.

R v Cleary, Davis, Al-Bassam and Ackroyd (Southwark Crown Court, 16 and 24 May 2013)

Ryan Cleary, aged 21, Jake Davis, 20, Mustafa Al-Bassam, 18, and Ryan Ackroyd, 26, were all members of the internet hacking group "Lulzsec". All pleaded guilty to two counts of conspiracy to commit a s.3 offence (doing an unauthorised act with intent to impair the operation of a computer), relating to DDoS attacks against various targets including the CIA (USA), the UK Serious Organised Crime Agency (SOCA) and News International, and unauthorised access to and modification of websites including sites belonging to Sony, Twentieth Century Fox and the NHS, during the period February - September 2011.

Cleary, who pleaded guilty to additional offences including another s.3 offence relating to provision of the "botnet" used for the DDoS attacks, Davis and Ackroyd were sentenced respectively to 36 months, 24 months and 30 months custody, in a young offender institution in the case of Davis. Al-Bassam, who was 16 at the time when the offences were committed, received a 20 month sentence suspended for two years, was ordered to do 240 hours unpaid work and placed under six months supervision.

R v Crosskey (Gareth) [2012] EWCA Crim 1645; [2013] 1 Cr. App. R. (S.) 76

Gareth Crosskey, aged 19, pleaded guilty to offences under s.1, unauthorised access, and s.3, unauthorised act with intent to impair, having accessed the Facebook account of the step-father and manager of an actress. He persuaded Facebook staff to provide the password to the account. After accessing and copying the actress's private emails he contacted magazines offering to reveal information about her. On 16th May 2012 at Southwark Crown Court he was sentenced to 6 and 12 months' custody, concurrent, for the s.1 and s.3 offence, respectively. On appeal, the court referred to the "seriously aggravating features" of the offence, namely the element of deceit involved; the boasting and encouragement to others; and the element of harm to the actress and her father. The Court rejected the argument that the sentence should have been suspended. However, having regard to the mitigating factors, namely the appellant being a young man of previous good character, the offending taking place over a short period of time and the appellant's expression of remorse, the sentence was reduced to 4 and 8 months concurrent, in a young offender institution.

R v Mangham (Glen Steven) [2012] EWCA Crim 973; [2013] 1 Cr. App. R. (S.) 11

Glen Mangham, aged 26, pleaded guilty to three offences under s.1, unauthorised access, and an offence under s.3, unauthorised act with intent to impair, having accessed Facebook's computers and modified the functionality of various programs. It cost Facebook $200,000 to respond to the incident. On 17 February 2012 at Southwark Crown Court he was sentenced to eight months custody, concurrent, on each count and a Serious Crime Prevention Order was imposed. On appeal, the court identified a number of aggravating factors which would "bear on sentences in this type of case". These included whether the offence is planned and persistent, the nature of the damage to the system, the cost of the remediation (although this was not regarded as a determining factor), motive and benefit, and whether there was any attempt to reap financial benefit by the sale of information accessed. Among the mitigating factors, the psychological profile of the offender deserved "close attention". The Court upheld the appeal, substituting a sentence of four months imprisonment.

Expert Witnesses

Please note, the CPS does not endorse or recommend individual expert witnesses.
