The Computer Misuse Act 1990
The Computer Misuse Act 1990 came into force on 29 August
1990 and specifies offences for attacks against computer
systems or data. It provides protection for systems
and data, attempting to maintain their confidentiality,
integrity, and availability. The Act provides for three
Section 1 - Unauthorised access to computer material
It is an offence to cause a computer to perform any
function with intent to secure unauthorised access to
any program or data held in any computer (section 1a).
It is necessary to prove that the access secured is
unauthorised (section 1b), and the suspect knew that
this was the case (section 1c).
This offence is commonly referred to as ‘hacking’
or ‘cracking’. It covers entering a computer
system without permission having guessed or discovered
another individual’s password, or having obtained
it through the use of software tools.
Under section 17(2) of the Act access
is gained to any program or data in a computer, if by
causing a computer to perform any function the program
or data: is altered or erased; copied or moved to any
storage medium other than that in which it is held;
is used; or is output from the computer in which it
is held. The offence is punishable on conviction by
a term of imprisonment up to six months.
Section 2 - Unauthorised access with intent to
commit or facilitate the commission of further offences
This offence is committed where a section 1 offence
has been committed, with the intention of committing
a further offence (any offence which may be punished
by a term of imprisonment of five years or more) or
facilitating the commission of a further offence. Even
if it is not possible to prove the intent to commit
the further offence the section 1 offence is still committed.
The offence is punishable on conviction by a term of
imprisonment up to five years.
Section 3 - Unauthorised modification of computer
Where a person does any act that causes the unauthorised
modification of the contents of any computer a section
3 offence is committed. There must have been the intent
to cause the modification and knowledge that the modification
has not been authorised. The offence does not have to
be preceded by a section 1 offence. This offence covers
the introduction of harmful worms and viruses to a system,
and denial of service attacks. The offence is punishable
on summary conviction for a term not exceeding five
Under section 17(7) of the Act a modification
takes place if by the operation of any function of any
computer any program or data held in the computer is
altered or erased, or is added to its contents. Any
act which contributes towards causing a modification
shall be regarded as causing it. Under section 17(8)
a modification is unauthorised if the
person is not entitled to determine whether the modification
should be made, or he does not have consent to make
the modification from any person who is so entitled.
In January 2003 Simon Vallor was jailed for two years
at Southwark Crown Court having been convicted of writing
and distributing three computer viruses under Section
3 of the Act. His actions were considered to have infected
27,000 PCs in 42 countries.
In 2004 John Thornley pleaded guilty to four offences
contrary to Section 3 of the CMA having mounted a hack
attack on a rival site, and introducing a Trojan-type
virus to bring it down on several occasions. He was
sentenced to 60 hours community punishment order, plus
compensation and costs.
Territorial scope of offences
under the Act
The unauthorised access offence is committed where there
is a significant link with a domestic jurisdiction.
This is defined as where the accused was in the home
country (England, Wales, Scotland or Northern Ireland
as applicable) concerned when committing the act that
caused the computer to perform the function, or that
the computer containing the program or data to which
access was secured (or intended to be) was in the home
country concerned. Similarly with the unauthorised modification
offence this offence is committed where the accused
was in the home country concerned when undertaking the
act, or where the unauthorised modification took place
in the home country concerned.
The purpose of the Convention is to promote the prevention,
investigation and prosecution of computer and computer-related
crimes and to facilitate international co-operation to that end. Articles 2-6 of the Convention concern
offences against the confidentiality, integrity and
availability of computer systems and data. The negotiation
of this Convention was concluded in November 2001, and
it entered into force on 1 July 2004. The UK is already
compliant with the majority of the requirements of the
Convention, and is looking to bring forward changes
to legislation to enable its ratification by the UK.
European Union Framework Decision
on attacks against information systems
This draft Framework Decision requires the approximation
of Member States’ criminal law (offences, penalties
and jurisdiction) on attacks against information systems.
On 28 February 2003, the European Union Justice and
Home Affairs Council of Ministers approved a general
approach to this instrument. It is expected to be adopted
in 2004 after which Member States will have two years
to bring its provisions into force.
Review of the Computer Misuse
Following the negotiation of the Council of Europe Cybercrime
Convention and the European Union Framework Decision
on Attacks Against Information Systems, the Home Office
has reviewed the effectiveness of the Computer Misuse
Act to make any necessary changes required by these
texts, and to consider further amendments to the Act.
It is considered that the Computer Misuse Act 1990 already
covers the majority of the requirements of the Convention
as it relates to offences against computers and the
provisions of the Framework Decision. However there
will need to be some amendments to legislation in order
to be fully compliant with these texts. The main changes
envisaged concern clarifying that denial of service
attacks are provided for by the section 3 offence in the Act, and making changes to the current penalty level
for the unauthorised access offence. In considering
amendments the views and opinions of a number of interested
parties and groups have been sought, and papers produced
on the Act by the Internet Crime Forum in 2003, the
Eurim-IPPR e-crime study in 2003, and the All Party
Internet Group in 2004 have been considered.
There is a widely held view that the Act is deficient
because it was drafted before current developments in
technology had been envisaged. However, this is not
borne out by a consideration of the number of prosecutions
under the Act, nor the high success rate of prosecutions.
The Act is technologically neutral, and its terms,
such as 'computer', are deliberately undefined to provide
flexibility for the Courts in interpreting them widely.
The courts have shown a willingness to do this, and
the majority of judgements have favourably interpreted
the Act. However it is essential that legislation is
able to deal with all means of committing an offence
and that it is continually reviewed to consider whether
improvements can be made.
The Home Office will bring forward changes in order
to amend the Act in the light of the requirements of
the Convention and Framework Decision and to address
any necessary improvements when parliamentary time allows.