Computer Misuse Act
- Introduction
- Definitions
- Jurisdiction
- The Offences
- Section 1: Unauthorised access to computer material
- Actus Reus
- Mens rea
- Section 2: Unauthorised access with intent to commit or facilitate commission of further offences
- Section 3: Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer
- Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage
- Section 3A: Making, supplying or obtaining articles for use in offence under Section 1, 3 or 3ZA
- Public Interest
- Alternative Offences
- Data Protection Act 2018
- Sentencing Cases
- Further Assistance
Introduction
This guidance sets out how to consider prosecuting cases under the Computer Misuse Act 1990 (‘CMA’). It also provides guidance on offences relating to the collection, processing, and storage of personal data under the Data Protection Act 2018 (‘DPA’). For a general overview on cybercrime, please see the Legal Guidance on Cybercrime.
Definitions
The CMA does not provide a definition of a computer because rapid changes in technology would mean any definition would soon become out of date.
Definition is therefore left to the Courts, who are expected to adopt the contemporary meaning of the word. In DPP v McKeown, DPP v Jones ([1997] 2 Cr. App. R. 155, HL, at page 163), Lord Hoffmann defined a computer as "a device for storing, processing and retrieving information."
The Council of Europe Cybercrime Convention 2001 ('Budapest Convention') definitions may also assist:
"Computer system": Any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data.
"Computer data": Any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.
The DPA defines personal data as any information relating to an identified or identifiable living individual.
Jurisdiction
Under section 4 CMA, liability for offences under sections 1, 3 or 3ZA requires proof of at least one ‘significant link’ with the ‘home country’ concerned (i.e. England and Wales). A significant link could include:
- The accused is in the home country at the time of the offence
- The target of the CMA offence is in the home country
- The technological activity which has facilitated the offending may have passed through a server based in the home country
As defined in section 5, in relation to an offence under Section 3ZA, any of the following is also a significant link with domestic jurisdiction:
- That the accused was in the home country concerned at the time when s/he committed the unauthorised act (or caused it to be done);
- That the unauthorised act was done in relation to a computer in the home country concerned;
- That the unauthorised act caused, or created a significant risk of, serious damage of a material kind (within the meaning of that section) in the home country concerned.
As defined in section 6, the extended extra-territorial jurisdiction arrangements also apply to conspiracy or attempts to commit offences under the CMA and therefore supersede the usual rule for conspiracy charges.
The Offences
Section 1: Unauthorised access to computer material
The maximum penalty on indictment is 2 years imprisonment. Sections 1 and 2 of the CMA must be read in conjunction with the interpretation section at Section 17.
Actus Reus
The offence is made out once a defendant has caused a computer, which would include his own computer, to perform a function with intent to secure access.
This excludes mere physical contact with a computer and the scrutiny of data without any interaction with a computer (thus the reading of confidential computer output, the reading of data displayed on the screen, or 'computer eavesdropping', are not covered).
The access to the program or data which the accused intends to secure must be 'unauthorised' access.
Mens rea
There are two elements:
- There must be knowledge that the intended access was unauthorised; and
- There must have been an intention to secure access to any program or data held in a computer.
The word 'any' makes it clear that the intent need not relate to the computer which the accused is at that time operating. Section 1(2) explains that the intent of the accused need not be directed at any particular program or data, so as to include the hacker who accesses a computer without any clear idea of what he will find there.
There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. This covers not only hackers but also employees who deliberately exceed their authority and access parts of a system officially denied to them.
In the case of R v Bow Street Magistrates' Court and Allison (AP) Ex Parte Government of the United States of America (Allison) [2002] 2 AC 216, the House of Lords considered whether an employee, who was authorised to access certain client accounts, could commit an offence by securing 'unauthorised access'. It was held that the employee clearly came within the provisions of Section 1, as she intentionally caused a computer to give her access to data she knew she was not authorised to access (which she then passed on to others who were able to forge credit cards). The House of Lords made it clear that an employee would only be guilty of an offence if the employer had clearly defined the limits of the employee's authority to access a program or data.
This judgment contrasts with the earlier case of DPP v Bignell [1998] 1 Cr App R 8, where two police officers, who were authorised to request information from the police national computer (PNC) for policing purposes only, requested a police computer operator to obtain information from the PNC which, unbeknown to the operator, was for their own personal use. The Divisional Court held that the two officers had not committed a Section 1 unauthorised access offence. The House of Lords, in Allison, confirmed the conclusion of the Divisional Court in the earlier case. The House of Lords went on to say that:
"it was a possible view of the facts that the role of the officers in Bignell had merely been to request another to obtain information by using the computer. The computer operator did not exceed his authority. His authority permitted him to access the data on the computer for the purpose of responding to requests made to him in proper form by police officers. No offence had been committed under section 1 of the CMA."
When dealing with cases involving employees careful consideration should be given to the employee's contract of employment, together with any surrounding information (for example oral advice given or office practices amongst others), in order to determine whether the employer had clearly defined the limits of the employee's authority. Such cases normally depend on whether the evidence available demonstrates sufficiently that the conduct complained of was unauthorised.
In certain circumstances consideration should be given to the Data Protection Act 2018. (See Alternative Offences below).
Section 2: Unauthorised access with intent to commit or facilitate commission of further offences
The maximum penalty on indictment is 5 years imprisonment.
The offence under Section 2 is committing the unauthorised access offence under Section 1 with intent to commit or facilitate the commission of a more serious 'further' offence. It is not necessary to prove that the intended further offence has actually been committed.
Examples of such offences are obtaining the unauthorised access with the intention of committing theft, such as by diverting funds which are in the course of an electronic funds transfer to the defendant's own bank account or to the bank account of an accomplice; or where the defendant gained unauthorised access to sensitive information held on a computer with a view to blackmailing the person to whom that information related.
A person found not guilty of a section 2 or 3 offence by a jury can be convicted of a section 1 offence: see Criminal Law Act 1967, section 6(3).
Section 3: Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer
The maximum sentence on indictment is 10 years' imprisonment.
The effect of Section 3 is that a person commits an offence if he performs any unauthorised act in relation to a computer, knowing it to be unauthorised, if he intends by doing the act to do one of the things set out in Section 3(2), or if he is reckless as to whether by doing the act he will do one of the things set out in Section 3(2).
Examples of this are deliberate or reckless impairment of a computer's operation, preventing or hindering access to computer material by a legitimate user, or impairing the operation or reliability of computer-held material. The offender must know that the act was unauthorised. Following DPP v Lennon (2006) 170 JP 532, Section 3 should be considered in cases involving distributed denial of service attacks (DDoS): the term "act" includes a series of acts, there is no need for any modification to have occurred, and the impairment can be temporary.
DDoS is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. Because the incoming traffic flooding the victim originates from many different sources, it is difficult to stop the attack by blocking just one source. It has been compared to crowds of people blocking an entrance to business premises, making it impossible for legitimate customers to enter and thereby disrupting trade.
If a computer is caused to record information which shows that it came from one person, when it in fact came from someone else, that manifestly affects its reliability and thus the reliability of the data in the computer is impaired within the meaning of Section 3(2)(c): Zezev and Yarimaka v. Governor of H.M. Prison Brixton [2002] EWHC 589 (Admin).
Simply modifying the contents of a computer is not criminal damage within the meaning of Section 10 of the Criminal Damage Act 1971. In Cox v Riley (QBD) 1986, the court stated that it shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.
Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage
Section 41(2) of the Serious Crime Act 2015 inserted section 3ZA, with effect from 3 May 2015.
The maximum sentence on indictment is 14 years, unless the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in Section 3(a) and (b), in which case a person guilty of the offence is liable to imprisonment for life.
Section 3ZA is designed to cater for computer misuse, where the impact is to cause damage to, for example, critical national infrastructure and where the maximum penalty of ten years available under Section 3 may be inadequate.
When considering the definition of “critical national infrastructure” (in line with European Directive 2013/40/EU), it could be understood to be an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, such as power plants, transport networks or government networks, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.
Particular consideration should be given to the required mens rea and actus reus for this offence.
Cases in which a section 3ZA charge is being considered, given the nature of such cases, should be referred to SEOCID.
Section 3A: Making, supplying or obtaining articles for use in offence under Section 1, 3 or 3ZA
The maximum sentence on indictment is two years' imprisonment.
The rationale behind the creation of this offence is the market in electronic malware or 'hacker tools', which can be used for breaking into, or compromising, computer systems.
Whilst there is no definition of ‘article’ in the CMA, section 8 of the Fraud Act 2006 states that an ‘article’ includes any program or data held in electronic form.
The prosecution has to prove the defendant had the necessary intent. Possession alone is not an offence.
Section 3A(2) of the CMA covers supplying, or offering to supply, an article 'likely' to be used to commit, or assist in the commission of, an offence contrary to Section 1 or 3. 'Likely' is not defined in the CMA but, in construing what is 'likely', prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it: for example, whether the article was circulated to a closed and vetted list of IT security professionals or was posted openly. In the offence under Section 3A(2), the relevant mens rea is 'belief'; mere suspicion is not enough. In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
- Is the article available on a wide scale commercial basis and sold through legitimate channels?
- Is the article widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
Public Interest
Where there is sufficient evidence to meet the evidential test under the Code for Crown Prosecutors, the following Public Interest factors should be carefully considered:
- The financial, reputational, or commercial damage caused to the victim(s);
- The offence was committed with the main purpose of financial gain;
- The level of sophistication used, particularly sophistication used to conceal or disguise identity (including masquerading as another identity to divert suspicion);
- The victim of the offence was vulnerable and has been put in considerable fear or suffered personal attack, damage or disturbance;
- The mental health, maturity and chronological age of the defendant at the time of the offence.
Individuals who are under 18 can be disproportionately represented among CMA suspects, who may also be more neurologically diverse than other types of offenders. Further guidance on these matters can be found in the legal guidance on Youth Offenders and Suspects with Mental Health Conditions.
Alternative Offences
When considering charging for CMA offences, in line with paragraph 2.5 of the Code for Crown Prosecutors, consideration should be given as to whether the most appropriate offence is being prosecuted. CMA offences are often committed as a precursor to another offence such as fraud or blackmail. In these circumstances a prosecutor may decide to charge the offence for which the sentence is likely to be higher in order to reflect the nature of the offending.
Fraud Act 2006
Prosecutors may wish to consider whether the 'article' might be intended for use in fraud and whether there is an offence contrary to Section 7 and/or Section 6 of the Fraud Act 2006. For example, phishing (false financial e-mails), pharming (cloned false websites for fraud) and Trojan installation (viruses) could be prosecuted under the Fraud Act.
An offence of making or supplying articles for use in fraud, contrary to Section 7, is punishable by a maximum of 10 years' imprisonment. An offence of possession of articles for use in fraud contrary to section 6 is punishable by a maximum of 5 years' imprisonment.
Investigatory Powers Act 2016
Unlawful interception of a public telecommunication system, a private telecommunication system, or a public postal service.
Misconduct in Public Office
The common-law offence of misconduct in public office, for example, where a police officer misuses the PNC.
Data Protection Act 2018
The DPA 2018 creates a number of offences in relation to the control of, and access to, data:
Section 119: Creates offences relating to the obstruction of inspections of personal data by the Information Commissioner.
Section 132: Makes it an offence for a person who is, or has previously been, the Information Commissioner, a member of the Information Commissioner's staff or an agent of the Information Commissioner to disclose information obtained in the course of, or for the purposes of, the discharge of the Information Commissioner's functions unless the disclosure is made with lawful authority.
Section 144: Creates an offence of intentionally or recklessly making a false statement in response to an information notice.
Section 148: Where the Information Commissioner has given an information notice or an assessment notice requiring access to information, a document, equipment or other material, makes it an offence to destroy or otherwise dispose of, conceal, block or (where relevant) falsify it, with the intention of preventing the Commissioner from viewing, or being provided with or directed to, it.
Section 170: Creates an offence of deliberately or recklessly obtaining, disclosing, procuring or retaining personal data without the consent of the data controller.
Section 171: Creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller who de-identified the data. This responds to concerns about the security of de-identified data held in online files. For example, recommendations in the Review of Data Security, Consent and Opt-Outs by the National Data Guardian for Health and Care called for the Government to introduce stronger sanctions to protect de-identified patient data.
Section 173: Creates an offence of the alteration of personal data to prevent disclosure following the exercise of a subject access right. The relevant subject access rights are set out in subsection (2).
Section 184: Creates an offence for an employer to require employees or contractors, or for a person to require another person who provides goods, facilities or services, to provide certain records obtained via subject access requests as a condition of their employment or contract. It is also an offence for a provider of goods, facilities or services to the public to request such records from another as a condition for providing a service.
In England and Wales, proceedings for an offence under the DPA may be instituted only (a) by the Information Commissioner, or (b) by or with the consent of the Director of Public Prosecutions.
Sentencing Cases
There are no official guidelines for sentencing for offences under CMA. The below are examples of precedent sentences.
R v Mudd [2018] 1 Cr App R (S) 33 (7)
The offender, who was aged between 16 and 18 over the course of the offending, admitted offences under sections 1 and 3, and a further offence of concealing criminal property. He had devised a distributed denial of service program which he used on some occasions himself and on other occasions supplied for payment for others to use. In total, 1.7 million DDoS attacks were carried out, directed at well over half a million individual IP addresses or domain names. The defendant received payments totalling in the order of 250,000 for the DDoS program supplied.
Psychological and psychiatric reports indicated the offender was autistic. Having reviewed these, the judge imposed a sentence of detention in a young offender institution for two years, given the scale of the offending. The Court of Appeal upheld the custodial sentence but reduced it to 21 months.
R v Brown (Charles) [2014] EWCA 695
Charles Brown, 39, was convicted of one count of possession of articles for use in fraud, contrary to section 6(1) of the Fraud Act 2006, and two counts of securing unauthorised access to computer material with intent, contrary to section 2(1) of the CMA. The CMA counts related to access to bank accounts. The basis of the fraud count was possession on the appellant's computer of the stolen bank and credit card details.
The appellant's modus operandi involved changing details online and the subsequent impersonation of the account holders in order to obtain a new card and PIN. There was no actual loss: the potential loss from the 83 accessed accounts was almost £500,000, but that was based on the maximum credit limits for the accounts. The appellant and the prosecution agreed that the potential loss was in fact just over £200,000. The trial judge sentenced him to a total of three years' imprisonment.
The Court of Appeal set aside the sentence, noting that, while potential loss is an aggravating feature, it is not the determining means by which the fraud should be valued, and imposed a total of two years' imprisonment.
R v Martin (Lewys Stephen) [2013] EWCA Crim 1420
Lewys Martin, aged under 21 at the time of the offences, pleaded guilty to offences contrary to sections 1, 2, 3 and 3A CMA relating to DoS attacks against the Oxford and Cambridge University websites, the Kent Police website and offences targeting two private individuals (including unauthorised use of a person's PayPal account). His sentence of two years was upheld on appeal, the court noting that the prevalence of computer crime, the fact that organisations were compelled to spend substantial sums combating it and the potential impact on individuals meant that sentences for such offences should involve a real element of deterrence.
R v Crosskey (Gareth) [2012] EWCA Crim 1645; [2013] 1 Cr App R (S) 76
Gareth Crosskey, aged 19, pleaded guilty to offences under sections 1 and 3, having accessed the Facebook account of the step-father and manager of an actress. He persuaded Facebook staff to provide the password to the account. He contacted magazines offering to reveal information about her and contacted her step-father to say he had access to her private emails, inviting discussion as to what would prevent him from doing further damage. Southwark Crown Court sentenced him to 6 and 12 months' custody, concurrent, for the section 1 and section 3 offences respectively.
On appeal, the court referred to the "seriously aggravating features" of the offence, namely the element of harm to the actress and her step-father. The court rejected the argument that the sentence should have been suspended. However, having regard to the mitigating factors, namely the appellant being a young man of previous good character, the offending taking place over a short period of time and the appellant's expression of remorse, the sentence was reduced to four and eight months, concurrent, in a young offender institution.
R v Mangham (Glen Steven) [2012] EWCA Crim 973; [2013] 1 Cr App R (S) 11
Glen Mangham, aged 26, pleaded guilty to three offences under sections 1 and 3, having accessed Facebook's computers and modified the functionality of various programs. It cost Facebook $200,000 to respond to the incident. Southwark Crown Court sentenced him to eight months' custody, concurrent, on each count and a Serious Crime Prevention Order was imposed. On appeal, the court identified a number of aggravating factors which would "bear on sentences in this type of case":
- whether the offence was planned and persistent;
- the nature of the damage caused to the system itself and to the wider public interest such as national security;
- individual privacy;
- public confidence;
- commercial confidentiality;
- the cost of remediation, although that was not a determining factor.
Motive and benefit were also relevant, as was revenge. Other factors to be considered were any financial benefit from the sale of the accessed information, whether the information was passed on to others, and the value of the intellectual property involved.
Among the mitigating factors the psychological profile of the offender deserved "close attention". The Court upheld the appeal, substituting a sentence of four months' imprisonment.
Further Assistance
Cyber Leads in the Serious Economic, Organised Crime and International Directorate are able to offer further assistance.