Computer Misuse

Updated 18/12/2018 | Legal Guidance, Cyber / online crime

Introduction

This guidance is designed to assist prosecutors considering cases involving offences or attacks against computer systems, such as hacking or denial of service (DoS) attacks. The Computer Misuse Act 1990 (CMA) has been updated a number of times, in line with changes in technology and criminal activity and to give the court increased sentencing powers.

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The Data Protection Act 2018, which gives effect to these new data protection rules, replaces the previous Data Protection Act 1998 and creates offences relating to the collection, processing and storage of personal data.

Definitions

The CMA does not provide a definition of a computer because rapid changes in technology would mean any definition would soon become out of date.

Definition is therefore left to the Courts, who are expected to adopt the contemporary meaning of the word. In DPP v McKeown, DPP v Jones ([1997] 2 Cr App R 155, HL, at page 163), Lord Hoffmann defined a computer as "a device for storing, processing and retrieving information."

The Council of Europe Cybercrime Convention definitions may also assist:

"Computer system": Any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data.

"Computer data": Any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.

The Data Protection Act 2018 (DPA) defines personal data as any information relating to an identified or identifiable living individual.

Computer Misuse Act 1990: Jurisdiction

Liability for offences under CMA (Sections 1, 3 or 3ZA) requires proof of at least one 'significant link' with the 'home country concerned', which for the purposes of English law means England and Wales. This would include the fact of either the accused or the target computer being in the home country. The extended extra-territorial jurisdiction arrangements also apply to conspiracy or attempts to commit offences under the CMA.

In relation to an offence under Section 3ZA, any of the following is also a significant link with domestic jurisdiction:

  • That the accused was in the home country concerned at the time when he did the unauthorised act (or caused it to be done);
  • That the unauthorised act was done in relation to a computer in the home country concerned;
  • That the unauthorised act caused, or created a significant risk of, serious damage of a material kind (within the meaning of that section) in the home country concerned.

The jurisdiction of the court at common law is fairly extensive. For instance, where an offender had produced racially inflammatory material and posted it on a website hosted by a remote server in the United States, they could be tried in the United Kingdom because a substantial measure of their activities had taken place in the UK, as required by the test laid down in R v Smith (Wallace Duncan) (No.4) [2004] EWCA Crim 631, [2004] QB 1418. See also R v Sheppard and R v Whittle [2010] EWCA Crim 65.

Computer Misuse Act 1990: The Offences

Section 1 CMA - Unauthorised access to computer material

The maximum penalty on indictment is 2 years imprisonment. Sections 1 and 2 of the CMA must be read in conjunction with the interpretation section at Section 17.

Actus Reus

The offence is made out once a defendant has caused a computer, which would include his own computer, to perform a function with intent to secure access.

This excludes mere physical contact with a computer and the scrutiny of data without any interaction with a computer (thus the reading of confidential computer output, the reading of data displayed on the screen, or 'computer eavesdropping', are not covered).

There is no requirement that the defendant should succeed in obtaining access to the program or data, or be successful in subverting computer security measures in place. The substantive offence is drafted in such a way as to include conduct which might usually be thought to fall within the scope of the law of attempt.

Secondary liability may arise where, for example, a person supplies a hacker with information which would assist him, such as a confidential computer password. The operator of a computer hacker 'bulletin board' might, therefore, come within the reach of the offence.

The access to the program or data which the accused intends to secure must be 'unauthorised' access.

Mens rea

There are two elements:

  • There must be knowledge that the intended access was unauthorised; and
  • There must have been an intention to secure access to any program or data held in a computer.

The word 'any' makes it clear that the intent need not relate to the computer which the accused is at that time operating. The Computer Misuse Act 1990, Section 1(2), explains that the intent of the accused need not be directed at any particular program or data, so as to include the hacker who accesses a computer without any clear idea of what he will find there.

There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. This covers not only hackers but also employees who deliberately exceed their authority and access parts of a system officially denied to them.

In the case of R v Bow Street Magistrates' Court and Allison (AP) Ex Parte Government of the United States of America (Allison) [2002] 2 AC 216, the House of Lords considered whether an employee, who was authorised to access certain client accounts, could commit an offence by securing unauthorised access. It was held that the employee clearly came within the provisions of Section 1 of the CMA, as she intentionally caused a computer to give her access to data she knew she was not authorised to access (which she then passed on to others who were able to forge credit cards). The House of Lords made it clear that an employee would only be guilty of an offence if the employer had clearly defined the limits of the employee's authority to access a program or data.

This judgment contrasts with the earlier case of DPP v Bignell [1998] 1 Cr App R 8, where two police officers, who were authorised to request information from the Police National Computer (PNC) for policing purposes only, requested a police computer operator to obtain information from the PNC which, unbeknown to the operator, was for their own personal use. The Divisional Court held that the two officers had not committed a Section 1 unauthorised access offence. The House of Lords, in Allison, did not overrule the decision in Bignell, but stated that the conclusion of the Divisional Court in the earlier case was probably right. The House of Lords went on to say that:

"it was a possible view of the facts that the role of the officers in Bignell had merely been to request another to obtain information by using the computer. The computer operator did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed under section 1 of the CMA."

Prosecutors dealing with CMA cases involving employees should carefully assess the employee's contract of employment, together with any surrounding information (for example, oral advice given or office practices), in order to determine whether the employer had clearly defined the limits of the employee's authority. Such cases normally depend on whether the available evidence demonstrates sufficiently that the conduct complained of was unauthorised.

In R v Lennon [2006] EWHC 1201 (Admin), the court considered the circumstances in which authority might be implied in the context of emails. It said that the owner of a computer able to receive emails would ordinarily be taken to have consented to the sending of emails to his computer, but that such implied consent was not without limits, and did not cover emails that had been sent in order to interrupt the computer system.

In certain circumstances, prosecutors should also consider the Data Protection Act 2018 (see Alternative Offences later in this guidance).

Section 2 CMA - Unauthorised access with intent to commit or facilitate commission of further offences

The maximum penalty on indictment is 5 years imprisonment.

The offence under Section 2 is committing the unauthorised access offence under Section 1 with intent to commit or facilitate the commission of a more serious 'further' offence. It is not necessary to prove that the intended further offence has actually been committed.

Examples of such offences are obtaining the unauthorised access with the intention of committing theft, such as by diverting funds which are in the course of an electronic funds transfer to the defendant's own bank account or to the bank account of an accomplice; or where the defendant gained unauthorised access to sensitive information held on a computer with a view to blackmailing the person to whom that information related.

A person can be found guilty of a Section 2 offence even if the commission of the further offence is impossible (Section 2(4) CMA). A person found not guilty of a Section 2 or 3 CMA offence by a jury can be convicted of a Section 1 CMA offence (Section 12 CMA).

Section 3 CMA - Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer

The maximum sentence on indictment is 10 years' imprisonment.

The effect of Section 3 is that a person commits an offence if he performs any unauthorised act in relation to a computer, knowing it to be unauthorised, if he intends by doing the act to do one of the things set out in Section 3(2), or if he is reckless as to whether by doing the act he will do one of the things set out in Section 3(2).

Examples of this are deliberate or reckless impairment of a computer's operation, preventing or hindering access to computer material by a legitimate user, or impairing the operation or reliability of computer-held material. The offender must know that the act was unauthorised. Following DPP v Lennon (2006) 170 JP 532, Section 3 of the CMA should be considered in cases involving distributed denial of service (DDoS) attacks, as the term "act" includes a series of acts, there is no need for any modification to have occurred, and the impairment can be temporary.

DDoS is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. The incoming traffic flooding the victim originates from many different sources, making it difficult to stop the attack by blocking just one source. It has been compared to crowds of people blocking an entrance to business premises, making it impossible for legitimate customers to enter and thereby disrupting trade.

If a computer is caused to record information which shows that it came from one person, when it in fact came from someone else, that manifestly affects its reliability and thus the reliability of the data in the computer is impaired within the meaning of Section 3(2)(c): Zezev and Yarimaka v. Governor of H.M. Prison Brixton [2002] EWHC 589 (Admin).

Simply modifying the contents of a computer is not criminal damage within the meaning of Section 10 of the Criminal Damage Act 1971. In Cox v Riley (QBD) 1986, the court stated that it shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

Section 3ZA CMA - Unauthorised acts causing, or creating risk of, serious damage

The maximum sentence on indictment is 14 years, unless the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in Section 3 (a) and (b), in which case a person guilty of the offence is liable to imprisonment for life.

The Serious Crime Act 2015 (SCA 2015), Section 41(2), inserted Section 3ZA, with effect from 3 May 2015.

Section 3ZA is designed to cater for computer misuse, where the impact is to cause damage to, for example, critical national infrastructure and where the maximum penalty of ten years available under Section 3 may be inadequate.

If prosecutors are considering a charge under this section, they should consider whether there are any links to or issues surrounding national security; if so, the case should be referred to the Special Crime and Counter Terrorism Division (SCCTD).

Section 3A CMA - Making, supplying or obtaining articles for use in offence under Section 1, 3 or 3ZA

The maximum sentence on indictment is two years' imprisonment.

The rationale behind the creation of this offence is the market in electronic malware or 'hacker tools', which can be used for breaking into, or compromising, computer systems.

The prosecution has to prove the defendant had the necessary intent. Possession alone is not an offence.

Section 3A(2) of the CMA covers supplying or offering to supply an article 'likely' to be used to commit, or to assist in the commission of, an offence contrary to Sections 1 or 3. 'Likely' is not defined in the CMA but, in construing what is 'likely', prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it: for example, whether the article was circulated to a closed and vetted list of IT security professionals or was posted openly. In the offence under Section 3A(2), the relevant mens rea is 'belief'; mere suspicion is not enough.

In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:

  • Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
  • Is the article available on a wide scale commercial basis and sold through legitimate channels?
  • Is the article widely used for legitimate purposes?
  • Does it have a substantial installation base?
  • What was the context in which the article was used to commit the offence compared with its original intended purpose?

Alternative Offences

Fraud Act 2006

Prosecutors may wish to consider whether the 'article' might be intended for use in fraud and whether there is an offence contrary to Section 7 and/or Section 6 of the Fraud Act 2006. For example, phishing (false financial e-mails), pharming (cloned false websites for fraud) and Trojan installation (viruses) could be prosecuted under the Fraud Act.

An offence of making or supplying articles for use in fraud, contrary to Section 7, is punishable by a maximum of 10 years' imprisonment. An offence of possession of articles for use in fraud contrary to section 6 is punishable by a maximum of 5 years' imprisonment.

Section 3 Investigatory Powers Act 2016

Unlawful interception of a public telecommunication system, a private telecommunication system, or a public postal service.

Misconduct in public office

The common-law offence of misconduct in public office, for example where a police officer misuses the Police National Computer.

Data Protection Act 2018 and GDPR

The DPA 2018 creates a number of offences in relation to the control of, and access to, data:

Section 119: Creates offences relating to the obstruction of inspections of personal data by the Commissioner.

Section 132: Creates an offence for persons who are currently or have previously been the Commissioner, a member of the Commissioner's staff or an agent of the Commissioner of disclosing information obtained in the course of, or for the purposes of, the discharge of the Commissioner's functions, unless the disclosure is made with lawful authority.

Section 144: Creates an offence for a person to intentionally or recklessly make a false statement in response to an information notice.

Section 148: Creates an offence where the Information Commissioner has given an information notice or an assessment notice requiring access to information, a document, equipment or other material: it is an offence to destroy or otherwise dispose of, conceal, block or (where relevant) falsify it, with the intention of preventing the Commissioner from viewing it or being provided with or directed to it.

Section 170: Creates an offence of the deliberate or reckless obtaining, disclosing, procuring and retaining of personal data without the consent of the data controller.

Section 171: Creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller who de-identified the data. This responds to concerns about the security of de-identified data held in online files. For example, recommendations in the Review of Data Security, Consent and Opt-Outs by the National Data Guardian for Health and Care called for the Government to introduce stronger sanctions to protect de-identified patient data.

Section 173: Creates an offence of the alteration of personal data to prevent disclosure following the exercise of a subject access right. The relevant subject access rights are set out in subsection (2).

Section 184: Creates an offence for an employer to require employees or contractors, or for a person to require another person who provides goods, facilities or services, to provide certain records obtained via subject access requests as a condition of their employment or contract. It is also an offence for a provider of goods, facilities or services to the public to request such records from another as a condition for providing a service.

In England and Wales, proceedings for an offence under this Act may be instituted only (a) by the Commissioner, or (b) by or with the consent of the Director of Public Prosecutions.

Sentencing Cases

There are no official sentencing guidelines for offences under the CMA.

R v Mudd [2018] 1 Cr App R (S) 33 (7)

The offender, who was aged between 16 and 18 over the course of the offending, admitted offences under ss. 1 and 3 of the CMA, and a further offence of concealing criminal property. He had devised a distributed denial of service program which he used on some occasions himself and on other occasions supplied for payment for others to use. In total, 1.7 million DDoS attacks were carried out, directed at well over half a million individual IP addresses or domain names.

The defendant received payments totalling in the order of 250,000 for the DDoS program supplied.

The judge considered pre-sentence, psychological and psychiatric reports, which agreed that the offender was autistic. Given the scale of the offending, and despite personal mitigation, the judge imposed a sentence of detention in a young offender institution for two years. The Court of Appeal upheld the custodial sentence but reduced it to 21 months.

R v Brown (Charles) [2014] EWCA 695

Charles Brown, 39, was convicted of one count of possession of articles for use in fraud, contrary to s.6(1) of the Fraud Act 2006, and two counts of securing unauthorised access to computer material with intent, contrary to s.2(1) of the CMA. The CMA counts related to access to bank accounts. The basis of the fraud count was possession on the appellant's computer of the stolen bank and credit card details.

The appellant's modus operandi involved changing details online and the subsequent impersonation of the account holders in order to obtain a new card and PIN.

There was no actual loss - the potential loss from the 83 accessed accounts was almost £500,000 but that was based on the maximum credit limits for the accounts. The appellant and the prosecution agreed that the potential loss was in fact just over £200,000.

The trial judge sentenced him to a total of three years' imprisonment.

The Court of Appeal set aside the sentence, noting that, while potential loss is an aggravating feature, it is not the determining means by which the fraud should be valued, and imposed a total of two years' imprisonment.

R v Martin (Lewys Stephen) [2013] EWCA Crim 1420

Lewys Martin, aged under 21 at the time of the offences, pleaded guilty to offences contrary to sections 1, 2, 3 and 3A CMA relating to DoS attacks against the Oxford and Cambridge University websites and the Kent Police website, and offences targeting two private individuals (including unauthorised use of a person's PayPal account). His sentence of two years was upheld on appeal, the court noting that the prevalence of computer crime, the fact that organisations were compelled to spend substantial sums combating it and the potential impact on individuals meant that sentences for such offences should involve a real element of deterrence.

R v Crosskey (Gareth) [2012] EWCA Crim 1645; [2013] 1 Cr App R (S) 76

Gareth Crosskey, aged 19, pleaded guilty to offences under ss. 1 and 3, having accessed the Facebook account of the stepfather and manager of an actress. He persuaded Facebook staff to provide the password to the account. He contacted magazines offering to reveal information about her and contacted her stepfather to say he had access to her private emails, inviting discussion as to what would prevent him from doing further damage. Southwark Crown Court sentenced him to 6 and 12 months' custody, concurrent, for the s.1 and s.3 offences respectively.

On appeal, the court referred to the "seriously aggravating features" of the offence, namely the element of harm to the actress and her stepfather. The court rejected the argument that the sentence should have been suspended. However, having regard to the mitigating factors, namely the appellant being a young man of previous good character, the offending taking place over a short period of time and the appellant's expression of remorse, the sentence was reduced to four and eight months, concurrent, in a young offender institution.

R v Mangham (Glen Steven) [2012] EWCA Crim 973; [2013] 1 Cr App R (S) 11

Glen Mangham, aged 26, pleaded guilty to three offences under ss. 1 and 3, having accessed Facebook's computers and modified the functionality of various programs. It cost Facebook $200,000 to respond to the incident. Southwark Crown Court sentenced him to eight months' custody, concurrent, on each count, and a Serious Crime Prevention Order was imposed. On appeal, the court identified a number of aggravating factors which would "bear on sentences in this type of case":

  1. whether the offence was planned and persistent;
  2. the nature of the damage caused to the system itself and to the wider public interest such as national security;
  3. individual privacy;
  4. public confidence;
  5. commercial confidentiality;
  6. the cost of remediation, although that was not a determining factor.

Motive and benefit were also relevant, as was revenge. Other factors to be considered were any financial benefit from the sale of the accessed information, whether the information was passed on to others, and the value of the intellectual property involved.

Among the mitigating factors, the psychological profile of the offender deserved "close attention". The Court allowed the appeal, substituting a sentence of four months' imprisonment.

A useful list of Computer Misuse Act cases is available online here.

Further reading