Gauging the Effectiveness of Computer Misuse Act in
Dealing with Cybercrimes
Reza Montasari Pekka Peltola
Computing and Mathematics Nottingham Geospatial Institute
University of Derby University of Nottingham
Derby, UK Nottingham, UK
r.montasari@derby.ac.uk pekka.peltola@nottingham.ac.uk
Abstract— Computer and Internet technology has become a
vital part of a daily life for many as it has brought many
enhancements to the quality of many individuals’ lives. Although
advances in computer and Internet technology are utilised by
many people for various respectable reasons, at the same time it
has become a tool in the hands of cybercriminals for various
nefarious reasons. Cybercrime has become a fast-growing type
of crime where more and more criminals exploit the speed,
convenience and anonymity of the Internet to perpetrate various
criminal activities that have no border. This paper examines the
phenomenon of cyber crime and the difficulties and challenges
that it presents due to the way that it is being regulated in
England and Wales. A major focus will be placed on the area of
hacking. To this end, the effectiveness of the Computer Misuse
Act in dealing with cybercrimes both in the past and in the future
will be examined.
Keywords— computer misuse act; cybercrime; hacking;
regulation of investigatory powers, IT law, internet technology
I. INTRODUCTION
This paper examines the phenomenon of cyber crime and
the difficulties and challenges that it presents due to the way
that it is being regulated in England and Wales. A major focus
will be placed on the area of hacking. To this end, the
effectiveness of the Computer Misuse Act – hereafter referred
to as CMA – in dealing with cybercrimes both in the past – as
originally ratified – and in the future – in its recently emended
form – will be examined. It will be suggested that the CMA
1990 has failed to deal properly and effectively with this
problem due to its lack of keeping pace with the rapid growth
of technological changes. We shall examine three law cases to
evidence our argument. After each case, appropriate related
recommendations will be offered. An introductory section will
review the original CMA while a further section will discuss
the emended form of the CMA and its weaknesses in
regulating cyber crime. The final part will provide some
concluding recommendations on how to regulate cyber crime
effectively.
II. COMPUTER MISUSE ACT
The first piece of UK legislation which was designed to
specifically address computer misuse was the Computer
Misuse Act 1990. The Computer Misuse Act came into force
Victoria Carpenter
Academic Development Directorate
York St John University
York, UK
v.carpenter@yorksj.ac.uk
in 1990 due to the difficulties caused by the pre-existing law
“as it was stretched to encompass previously un-encountered
mischief resulting from technological advances” [1]. The CMA
was enacted to correct the deficiencies in the criminal law
relating to hackers and viruses. Both society and industry had
expressed their concerns about the potential damage that could
be caused by hackers. This discontent followed, in particular,
after the hacking of the British Telecom Prestel computer
network when hackers penetrated the systems and altered the
files (R v Gold and Schifreen) [2]. They even accessed Prince
Philip’s mailbox and left a message [1]. At the time, the
existing criminal law could not deal with such mischief by
prosecuting the hackers for criminal damage. As a result, Gold
and Schifreen could not be prosecuted for the forgery of the
Prestel password and managed to get away with their
behaviour. The Computer Misuse Act was enacted so as to
rectify this loophole.
Although, the CMA was passed in the hope that it would be
“an Act to make provision for securing computer material
against unauthorised access or modification; and for connected
purposes,” [3] it lacked wise planning and proved unable to
imagine technological advances in the future. Some believe
that the UK Government should have taken more time and care
in devising legislation in this area; [4] they believe as a result
of this rush “the CMA suffered a premature birth which was
left weak and vulnerable when the Internet, as we know it,
arrived” and that it did not fully anticipate the Internet’s
“potential application to cause harm” [5]. In 2006 amendments
were made to the CMA, by means of paragraphs in the Police
and Justice Act, hoping to deal with new cyber crime related
challenges; in particular the proliferation of Denial of Service
(DoS) attacks, and the creation and spread of “Hackers' tools”.
Criticism has continued, however, in relation to its
interpretation and how enforceable it will be. We will expand
on the new Act in section 4 below.
III. LAW CASES
A. DPP V Lennon
The judgment given in the case of DPP v Lennon 2006
EWHC 1201 exposed the loopholes in the CMA and how it
could be misinterpreted [6]. The case involved a former
employee of Domestic and General Group who, out of the
resentment, launched a DoS attack through the Avalanche,
mail-bomber software. He sent 5 million emails and
overwhelmed the server, taking the company’s website out of
service.
He was charged under S.3 of the Computer Misuse Act
1990 concerning “unauthorised access to computer systems”
[3]. The accused argued that the emails sent were authorised
since an email server was set up for the specific purpose of
receiving emails and therefore his former employer had
consented to receiving the emails. So despite the admitted
intent to cause a problem and the pretence that they were sent
from the manager, he was acquitted. The judge interpreted the
CMA such as to conclude that there had been no unauthorised
act [5].
The prosecution appealed on the basis of S17 ss (8) (a)&(b)
[3], which upheld by The Lord Justice Keene of the Divisional
Court [1]. He overruled the lower court’s decision by offering a
different interpretation of “unauthorised access”, such that it
included “unauthorised modification to the contents of the
company's computer with the intent to impair its operation,”
contrary to s.3 of the Computer Misuse Act.
Relying upon section 17 of the act, he concluded that the
defendant’s action regarding the Avalanche program had
caused an unauthorised modification to the contents of D&G’s
computers by adding data to their contents with the requisite
intent as provided by section 3(2) because he had intended to
hinder the operation of the system. Just as a householder (he
said) consents to the public walking up the path to his door
when they have a legitimate reason for doing so but that
consent does not extend to allowing a burglar coming up his
path or to having his letter box choked with rubbish, so he
argued that as long as the emails are not sent for the purpose of
communication but for the interruption of the proper operation
and use his system, that modification of data is unauthorised
[5].
Despite this apparently much more sensible interpretation,
however, the punishment afforded Lennon of 2 months curfew
still seems very light in view of the £30,000 cost to the
company of the damage he inflicted. It also seemed to offer
very little deterrence to future hackers. It has been suggested
that the improper misinterpretation of the act in the first place
effectively meant that the Act was becoming a wholly
ineffective legal response to cyber crime [7].
Perhaps the problem was not only in the misinterpretations
of judges, but also in the Act itself which failed to provide a
clear meaning of the term “implied consent” and failing to
allow for unforeseen changes in technology. Even a world of
emails had hardly been conceived of by the framers of the law.
It may well be considered an unfair criticism of the law to say
that it did not provide for what it could not foresee, and the
problem perhaps lies with the case-law UK system itself in
which judges feel constrained by the wording of the Act even
when reality has changed since the Act was passed.
The judge in the lower court could have interpreted the Act
such that the ‘implied consent’ only applied to emails from
those who were intending to communicate in good faith; that
the company had never consented to receiving emails in the
number and circumstances that the defendant sent them. The
law could easily be amended by granting the consent only to
bona fide emails with no malicious intent, and indeed this is
how the prosecution argued in the Lennon case [5]. Although
the higher judge made a better interpretation, a clear definition
of the limits of the consent needs to be established for the
CMA to be effective in such cases.
Another area left untouched by this case and its
interpretation concerns the actus reus and the motives of the
perpetrator(s). The conviction was made based on the damage
caused to the computer system. But what if the emails had not
caused such a massive system failure, even though they had
been intended to do so? In order to deal with actus reus in this
scenario, it would be appropriate to suggest that the law should
make it clear that the perpetrators should be held liable based
on their motives and not the methods of their attacks whether it
is an individual attack or attack through software.
This has an important application in the area of ‘spam’
emailing. Without a clear threshold which specifies exactly
what constitutes a DoS attack, it will always be difficult to
prosecute effectively.
B. R V Cuthbert
By contrast with Lennon, where the defendant had
malicious intent to cause damage, in R v Cuthbert there seemed
to be no malicious intent [8]. A seemingly non common-sense
interpretation of the CMA was passed by a judge in the case of
a defendant who had gained unauthorised access to the website
of a charity. The defendant had himself donated £30 but feared
afterwards that it might have been a scam. He thought the
website had been spoofed and so hacked it in order to find out.
His tests, however, set off alarms in an intrusion detection
system and Cuthbert was tracked down and charged under S.1
of the CMA. “The court took a literal interpretation of the
section 1 offence, there being no burden on the prosecution to
prove that the defendant had intended to cause any damage
[9].”
In the previous case the defendant admitted intent to cause
damage but still received very little punishment whereas in this
case, even though the district judge accepted non-intent, she
proceeded to convict, saying that it was a matter of “deep
regret that she was finding him guilty…there is almost no case
law in this area [8].” It would be easy to pass on the blame on
the district judge for issuing such a weak verdict just because
she could not find a law case, however equally it can be said
that the underlying problem was the ambiguity of terms in the
Act, in this case that of ‘intent’. In both cases, it seems that
interpretation was the problem.
C. DPP V Bignell
The word “authority” is an important underlying term in
the CMA [4]. The access or modification (now impairment) [3]
of data must be unauthorised for the individual to become
liable for cyber crime. If the accused was not entitled to
control the process in question and did not have the consent of
someone who was, the requisite lack of authority is established
[4].
 One unforeseen result is that the CMA has dealt with
insiders very lightly [10]. This can be illustrated in DPP v
Bignell [11]. The defendants were police officers who
instructed computer operators to extract information from the
Police National Computer for private purposes. Although they
were in contravention of police policy, neither the lower nor
the Divisional Court would convict them under the CMA since
their access was deemed a misuse rather than unauthorised.
The court believed that the defendants had authority to
access the data, but this surely would involve having
permission, something they clearly did not have. In his
commentary on the Bignell case, J.C. Smith uses an analogy
similar to that employed in the Lennon cases: “If I give you
permission to enter my study for the purposes of reading my
books, your entering to drink my sherry would surely be
unauthorised ‘access’ to the room as well as to the sherry
[12].” Again it seems that judges have struggled to deal
effectively with the concept of “implied consent”. On the other
hand, what the judges were effectively deciding in this case
was that their actions were a breaking of policy and hence
reprehensible, but should not be construed as criminal. It is a
vital role for judges to find the boundary line that defines what
is genuinely ‘criminal’, and it is often too easy for
commentators on the sidelines to see a decision as being
counter-intuitive, which was not necessarily so.
Many have felt as a result that the government has failed to
address these key issues, that the law needs to be clearer and
harsher. The House of Lords Science and Technology
Committee Report on Personal Internet Security made a series
of proposals in this direction which seem to have been largely
rebuffed by the government who remain “unconvinced” by,
e.g., the Committee's recommendation regarding the need for a
data security breach notification law [13]. Without an immense
about of detail, it is hard to judge who is right, but there is
certainly much uneasiness both in UK and elsewhere that not
enough has been done.
D. DPP V Bignell
In Regina vs Oliver Baker [14] defendant, an ex-employee
IT contractor, sacked by Welsh Assembly (for producing fake
pay and display parking tickets) hacked into the Assembly's
computer system on twenty occasions to read sensitive emails.
Under the CMA, as amended, he was still only given a four
month custody despite causing a great deal of expensive
damage. This case may be briefly mentioned in addition to the
others because it shows how the act is still being used very
recently in a similar way to how it was earlier, even after
amendment.
In Regina v Vallor (Simon Lee), however, a defendant
convicted of causing viruses was awarded a three year custody.
So although there are of course problems with the legislation
and the amount of proper reporting of crime that occurs, the
courts are perfectly capable of dealing harshly with the
problem at times.
IV. AMENDED CMA 1990
To cover the loopholes within CMA, new amendments
were made to the CMA 1990 under sections 35-38 of the
Police & Justice Act 2006 [15]. Some of the new amendments
are important and appropriate, e.g. launching a DoS attack
becomes a criminal offence. This is now in line with the
judgment of the divisional court in the case of Lennon.
However, the problems surrounding implied consent to the
receipt of email still remain.
For example, Section 36 substitutes a new section 3
into the CMA which “criminalizes, among other things,
committing a knowingly-unauthorised act with regards to a
computer with intent to impair its operation (even temporarily)
or being reckless as to that impairment.” The previous section
3 offence focused on the unauthorised modification of
computer material. It may prove difficult to define what
constitutes ‘temporary impairment’ once a system is back up
and running. The Prosecution would have to prove sufficient
temporary impairment and link it to the unauthorised act.
On the other hand, some suggest that the updated
CMA criminalises security experts (researchers in information
security, penetration testers etc.) if their tools fall in the hands
of cyber criminals. MacEwan raises the question, “when will
a supplier’s general knowledge that password recovery tools
can be used for criminal ends cross the requisite threshold of
belief in a specific case? [4]” Unless the government deals
with this particular matter, this problem may well hamper the
development of security tools. In a report carried out in 2004,
at the time the government was considering the new
amendments to the section, the APIG asked the government
not to legislate on this particular matter [16]. Other calls for
the removal of this clause came from an MP with genuine
understanding of IT and cyber crime who stated that this was
unnecessarily and dangerously broad [17].
One further addition to the CMA s.3 involves the use of the
term ‘reckless state of mind’. We have yet to see whether
prosecutions can realistically be made under this clause, but
one imagines that it will lead to yet more varying and
confusing interpretations.
V. PHONE HACKING
Mobile devices, in particular those with smart features,
have become indispensible parts of modern life. This denotes
that although the three pieces of legislation including: CMA
1990, RIPA 2000 and Data Protection Act (DPA) 1998 deal
with unauthorised interception of mobile phone calls and
messages [18], there exist very few cases upon which judges
can rely. Ambiguous terms and definitions in the
aforementioned pieces of legislation concerning a mobile
device have created further interpretive challenges for the
judges. For example, under the section 1 of the RIPA 2000, an
individual will commit an offence if he/she “intentionally” and
without lawful authority intercepts any communication “in the
course of its transmission” by means of a public or private
telecommunication systems. The offender might be sentenced
to a term of imprisonment for up to two years.
The phrase “in the course of transmission” has created
issues associated with its interpretation. In its report on Press
standards, privacy and libel [19] as also cited by the House of
Commons’ website [18], the Select Committee on Culture,
Media and Sport reported,
“The police ... told us that under section 1 of the Regulation
of Investigatory Powers Act (RIPA) it is only a criminal
offence to access someone else's voicemail message if they
have not already listened to it themselves. This means that to
prove a criminal offence has taken place it has to be proved
that the intended recipient had not already listened to the
message. This means that the hacking of messages that have
already been opened is not a criminal offence and the only
action the victim can take is to pursue a breach of privacy,
which we find a strange position in law.”
It appears that evidence provided to the Culture, Media and
Sport Committee by the Metropolitan Police had indicated that
a message was in the process of being transmitted until it
reached its intended recipient. Once the recipient had listened
to the message, the transmission had stopped. Evidence
provided to the Home Affairs Committee has cast doubt on this
interpretation [18][19]. This is due to the fact that a voicemail
message is stored on the mobile phone service provider’s
server, not on the handset. This denotes that it is essential for a
hacker to communicate with the server so that he/she can listen
to the message regardless of whether it has been previously
listened to or not. Witnesses attending the Committee had
stated that this denoted that a voicemail message is "in the
course of transmission" each time it is listened to and that the
section 1 of RIPA therefore applied to the hacking of such a
message on each occasion it took place [18].
Another example of the interpretative challenges
concerning “smart” mobile devices under the three
aforementioned legislation is regarding section 1 of the CMA.
As already discussed in the paper, under section 1 of the CMA
1990, a person will commit an offense if he/she knowingly
cause a computer to preform any function with intent to secure
unauthorised access to any program or data held on the
computer. Due to its many functions, a smart mobile device
should be considered as a computer similar to the servers
where voicemail messages can be stored. However, it appears
that the CMA 1990 has not been utilised as the basis to
prosecute the hackers in relation to mobile devices.
Therefore, it would be appropriate to update the CMA 1990
and RIPA 2000 in order to clarify phrases such as “in the
course of transmission” and define the terms such as “smart”
phones – devices with Internet browsers and other
connectivity feature. It appears that at the time of writing,
there are ongoing discussions regarding amending the CMA
1990 in order to define “smart” phones as computers under the
CMA 1990. These discussions have emanated from the New
International phone hacking scandal in 2011. The likely
amendment to the CMA, might introduce a new offense of
making information available with intent. For example, under
the possible future amendments to the CMA 1990, it would be
an offense to disclose a password for someone’s mobile device
or computer in order for others to be able to access it illegally.
VI. CONCLUDING REFLECTIONS
1. The CMA is still the principle instrument for the
conviction of those charged with computer-related offences.
Despite updates, it has not changed radically and is not really
fit for use in 2015. Even recent cases are still being conducted
with the CMA as the principle piece of guiding legislation.
2. The CMA was intended to deter and prosecute computer
misuse external to the victim organisation. However, it has
failed adequately to tackle the most prevalent IT risks of all –
“the misappropriation of data by those who have authorised
day-to-day access to it” [20].
3. The CMA in its current form is equivocal about the
widespread risks to corporate intellectual property which are
economically just as severe as the damage made by hackers
and other cybercriminals.
4. The CMA has not been an effective deterrent due to
loopholes leading to those convicted rarely receiving custody
based sentences. In 2011, the Security Minister stated,
“criminals are fearless because they do not think they will be
caught [21]." Under the new amendments the terms of
imprisonment have increased and certain offences now receive
twice longer imprisonment terms, but this is only effective if
prosecution is itself easier.
5. The CMA does not include compensatory element. The
£30,000 damage caused in the Lennon case was not required of
the defendant. Some restitutional element needs to be included.
6. The computer related-provisions in Police Justice Act
2006 extended through parliamentary debate so that the
amended CMA would not suffer from “the contrived
application of its predecessor to technological change” [5].
However, by doing so, it has brought new range of
interpretative challenges that have created problems for the
courts of law. Amendments made to the CMA may provide
better solutions in the short term but technological advances
are proceeding so fast that the law needs frequent updating [7].
Even in 2006, for instance, the world of social networking was
not yet a major feature of society, and who knows what
opportunities for cyber crime will have developed in the next
few years. In all sorts of different cases, the problem of
technological change has tied the hands of judges so that they
are forced into difficult situations [21].
7. The CMA has failed to establish a clear meaning of
“implied consent”. This needs to be clarified in some way to
close off loopholes in the CMA.
8. The government’s task in battling cyber crime needs to
focus not just on law but on better security. Crimes frequently
depend upon the ignorance and carelessness of their victims.
This may entail providing assistance and education to the
public and firms concerning their computer systems. It is
reported that many firms do not have a proper understanding of
their own systems [21]. Having said this, it must not be
permitted for defendants to argue that claimants did not take
adequate precautions for the security of their own systems. It
would be wrong if the recipient of the spam emails in a DoS
attack should be taken to have consented to the receipt of these
emails for example if they have not configured their servers
properly. This is well illustrated by an analogy drawn by
Fafinski “This is logically no different to saying that rapists
should be acquitted if their victims did not take steps to prevent
it [7].”
 9. Because cyber crime is not geographically limited, it
requires global solutions. In 2012, one of the servers of the
Intentional Atomic Energy Agency was hacked by an unknown
group critical of Israel's undeclared nuclear weapons program
who posted contact information for more than 100 experts
working for the IAEA [22]. International laws are needed,
along the lines of the new European framework, which will
establish standards for international co-operation [23]. How
this might work in relation to Asia or Africa seems still a rather
underexplored area [24].
10. Finally, there will increasingly be a problem over the
definition of a computer. This seemed simple in 1990 whereas
today, with smart phones and all sorts of other new devices on
the market every year, this certainty is quickly vanishing. This
overlaps with the whole, and very topical, issue of phone
hacking, which has not been discussed but which ought also
perhaps to be included under the sphere of the CMA in the
future [24].
REFERENCES
[1] Fafinski, S (2007) ‘The security ramifications of the Police and Justice
Act 2006’, The Network Security Journal, 2, p.8-11.
[2] Regina v Gold and Schifreen 1987 Q.B. 1116; 3 W.L.R. 803.
[3] Computer Misuse Act 1990, S.1-3,17
[4] MacEwan, N (2008) ‘The Computer Misuse Act 1990: Lessons from its
past and predictions for its future’, Criminal Law Review, 12, pp. 955-
967.
[5] Fafinski, S (2007) ‘Cyber Crime’, New Law Journal, 157 (7258), 159.
[6] DPP v Lennon 2006 EWHC 1201 (Admin), 170 J.P. 532.
[7] Fafinski, S (2006) ‘Service Denied’, New Law Journal, 156(7248),
1712-1713.
[8] Regina v Cuthbert 2005 Unreported. Horseferry Magistrate’s Court
2005.
[9] Fafinski, S (2006) ‘Access Denied: Computer Misuse in an Era of
Technological Change’, Journal of Criminal Law, 70 (5) 424.
[10] Law Com. No.186, Computer Misuse. Cm.819 (1989), para.3.35.
[11] DPP v Bignell 1998 1 Cr. App. R. 1; 161 J.P. 541.
[12] Smith, J (1998) ‘Misuse of computer - unauthorised access to computer
program or data - meaning of unauthorised’, Criminal Law Review
1999, Dec, 970-972 [NB: mis-cited in McEwan as 1998].
[13] Hodgkinson, D. and T. Wright, (2008) ‘Government response to House
of Lords Science and Technology Committee Report on Personal
Internet Security’, Computer and Telecommunications Law Review,
14(3), pp. 65-69.
[14] Regina v Oliver Baker [2011] EWCA Crim 928.
[15] Police and Justice Act 2006, S.35-38 “Computer Misuse”.
[16] APIG (2004) ‘Revision of the Computer Misuse Act: Report of an
inquiry by the All Party Internet Group’, Report, [Online] Available at:
https://www.cl.cam.ac.uk/~rnc1/APIG-report-cma.pdf (Accessed: 4th
November 2015).
[17] Hansard, HL Vol.684, col.611 (July 11, 2006).
[18] United Kingdom Parliament (2011) ‘Privilege: Hacking of Members'
mobile phones - Standards and Privileges Committee Contents’.
[Online] Available at:
http://www.publications.parliament.uk/pa/cm201011/cmselect/cmstnprv
/628/62805.htm#note8 (Accessed: 1st December 2015)
[19] Culture, Media and Sport Committee (2010), Press standards, privacy
and libel. (HC 362-1, 2009-10). London: The Stationary Office.
[20] Wilding, E (2006) ‘Hacked off’, New Law Journal, 156 (7223), 753.
[21] BBC (2011), ‘UK cyber crime costs £27bn a year - government report’.
Available at: http://www.bbc.co.uk/news/uk-politics-12492309
(Accessed: 4th November 2015).
[22] The Guardian (2012) ‘UN nuclear agency reports being hacked’,
Available at: http://www.guardian.co.uk/world/feedarticle/10547456
(Accessed: 10th November 2015).
[23] Goldsmith, Jack L., and Tim Wu, Who Controls the Internet? Illusions
of a borderless world (OUP: 2006).
[24] Cybercrime Law (2011) ‘The Group of Eight (G8)’, Available at:
http://www.cybercrimelaw.net/G8.html (Accessed: 12th November
2015).