Computer Misuse: The Implications of the Police and Justice Act 2006
| Author | Stefan Fafinski |
| DOI | 10.1350/jcla.2008.72.1.477 |
| Published date | 01 February 2008 |
| Date | 01 February 2008 |
| Published By | Sage Publications, Inc. |
Stefan Fafinski*
Abstract
While the Police and Justice Act 2006 is largely concerned with
policing reform, there are also some long-overdue amendments to the
Computer Misuse Act 1990 buried within it. These amendments attempt
to bring the 1990 Act up to date, thereby enabling it to encompass new
forms of mischief brought about by the technological advances of the
preceding 16 years. This article considers the rationale behind those
amendments and examines their implications on the contemporary
information technology landscape.
Since the enactment of the Computer Misuse Act 1990 (hereafter CMA
1990) it became increasingly apparent, over time, that it was struggling
to deal with new manifestations of computer misuse that were unknown
and unforeseen at its inception.1 Change was overdue: not only
as a response to pressure from industry groups and the All-Party Internet
Group (APIG)2 but as a direct requirement of the UK’s ratification of
the COE Convention on Cybercrime.3 Recent cases such as DPP v
Lennon4 have highlighted the problem in the particular context of so-called
‘denial-of-service’ attacks where systems are overwhelmed by
maliciously sent specious data.5 Private Members’ Bills sponsored by the
Earl of Northesk, Derek Wyatt MP and Tom Harris MP all attempted to
amend the CMA 1990 in broadly similar ways. The first two of these
failed for lack of parliamentary time; the latter was overtaken by government
amendments proposed in the Police and Justice Bill.6 This received
Royal Assent on 8 November 2006.
* School of Law, University of Leeds; e-mail: lawsff@leeds.ac.uk.
Grateful thanks (as ever) to Professors Clive Walker and David Wall of the Centre
for Criminal Justice Studies at Leeds and Dr Emily Finch of Brunel University for
their unfailing patience, constructive comment and support.
1 A more detailed analysis of the history of the CMA 1990 can be found in my earlier
article ‘Access Denied: Computer Misuse in an Era of Technological Change’ (2006)
70 JCL 424 which considers the initial driving factors behind the original enactment
of the CMA 1990 and charts its application up to the proposals for amendment put
forward in the Police and Justice Bill HC (2005–06), Bill 119, available at
http://www.publications.parliament.uk/pa/cm200506/cmbills/119/2006119.htm,
accessed 22 November 2007.
2 Revision of the Computer Misuse Act: Report of an Inquiry by the All Party Internet Group,
June 2004, available at
http://www.apcomms.org.uk/apig/archive/activities-2004/computer-misuse-inquiry/CMAReportFinalVersion1.pdf,
accessed 22 November 2007.
3 ETS No. 185, Budapest (23 November 2001).
4 [2006] EWHC 1201 (Admin).
5 The particular problems posed for the law by Lennon can be found in my case note
entitled ‘Computer Misuse: Denial-of-service Attacks’, DPP v Lennon (2006) 70 JCL
474.
6 (2005–06), Bill 119.
The Journal of Criminal Law
(2008) 72 JCL 53–66
The Police and Justice Act 2006 (hereafter PJA 2006) introduces three
amendments to the CMA 1990.7 The s. 1 CMA 1990 offence relating to
the unauthorised access to computer material is broadened and attracts
an increased tariff.8 The s. 3 CMA 1990 offence covering the unauthorised
modification of computer material is replaced by a new
provision concerning unauthorised acts with intent to impair the operation
of a computer.9 Finally, a new s. 3A offence is introduced into the
CMA 1990 which criminalises making, supplying or obtaining articles
for use in computer misuse offences.10 It is firstly necessary to consider
the rationale behind the PJA 2006 before considering the legislative
passage and potential impact of each of the new provisions in turn.
The rationale behind the Police and Justice Act 2006
The PJA 2006 is predominantly concerned, as its name suggests, with
various policing reforms and, as such, the amendments it proposed to
the CMA 1990 were largely peripheral to the main debate. Indeed,
when the Home Secretary, Charles Clarke MP,11 introduced the Second
Reading of the Police and Justice Bill in the House of Commons, he
made no mention of the CMA 1990 amendments, stressing instead
that:
The central objective of the Bill is to help build safer communities . . . by
taking forward our agenda for delivering real, sustained and lasting reforms
to the police service [and] . . . by helping to create a modern culture of
respect based on the needs, rights and responsibilities of the law-abiding
majority.12
Clarke eventually gave some insight into the rationale behind the seemingly
incongruous inclusion of computer law into an Act designed to
deliver lasting police service reform and a culture of respect by stating
that:
We must recognise that in an increasingly interdependent world, work
with international partners to tackle terrorism and serious organised crime
will be increasingly important. We have therefore included a number of
measures to strengthen policing at international level. Computer misuse—
the continued threat posed by computer hacking and denial-of-service
attacks—is one of the growing new threats that can be tackled only
through extensive international co-operation. To that end, the Bill takes up
a private Member's Bill tabled by my hon. Friend the Member for Glasgow,
South (Mr. Harris) to amend the Computer Misuse Act 1990. I am grateful
to my hon. Friend for his initiative.13
It is perhaps interesting to note that the original CMA 1990 was introduced
to counter the risks posed by hacking and virus propagation
and the amendments to counter the ‘continued threat posed by computer
hacking and denial-of-service attacks’. This could be taken as tacit
government acknowledgement that the CMA 1990 had been ineffective
at controlling the hacker threat: an acknowledgement that is supported
by the low prosecution and conviction statistics for the original s. 1 CMA
1990 offence.14
7 The amendments to the CMA 1990 are, at the time of writing, not yet in force.
They may be brought into force by order of the Secretary of State.
8 Police and Justice Act 2006, s. 35.
9 Police and Justice Act 2006, s. 36.
10 Police and Justice Act 2006, s. 37.
11 Labour, Norwich South.
12 Hansard, HC, vol. 443, col. 608, 6 March 2006.
13 Ibid. at col. 618.
In a five-hour debate, the Second Reading offered little further insight
into the proposed amendments, other than general support for the
hacking initiative. This was associated by Lynne Featherstone MP15 as a
necessary counter to the risks associated with the security of the proposed
national identity register database:
. . . we support the Government in their attempt to tackle better the
problems caused by computer hacking. Given their penchant for creating
surveillance databases, whether on national identity or DNA, the security
of those databases is paramount.16
A greater perceived risk was introduced by Mark Pritchard MP,17 parliamentary
vice-chairman of the Conservative technology forum, that to
the critical national infrastructure:
. . . al-Qaeda suspects have admitted that cyber crime and cyber terrorism
were one of their key objectives. They have admitted trying to infiltrate
critical British infrastructures for the intelligence agencies and, allegedly,
our nuclear and energy infrastructures.18
The Second Reading of the Police and Justice Bill echoed the original
CMA 1990 debate, with the exception that the original threat posed by
hackers was related to the cost to industry (of great public interest in
late-Thatcherite Britain), whereas the new threat—from the same
conduct—was connected with the post-September 11 concerns of terrorism
and national security. However, outside the House, the commercial
cost argument still prevailed. At the time that the Bill was
introduced, a Home Office spokeswoman said:
The estimated cost to UK business from these sorts of electronic attacks and
denial of service is estimated to be over £3 billion and they continue to
grow in sophistication . . . The Bill will increase penalties for hacking,
viruses and other cybercrimes to reflect their severity . . . In addition we are
looking to amend section 3 of the Computer Misuse Act to clarify that all
means of interference to a computer system are criminalised.19
Moreover, technological attacks on critical security systems may already
fall within the reach of the Terrorism Act 2000. Section 1(1) of the Act
defines ‘terrorism’ as:
[T]he use or threat of action where—
(a) the action falls within subsection (2);
(b) the use or threat is designed to influence the government or to
intimidate the public or...
14 Y. Akdeniz, ‘CyberCrime’ in S. Stokes and R. Carolina (eds), E-Commerce Law and
Regulation Encyclopedia (Sweet & Maxwell: London, 2003, revised April 2005)
15–19.
15 Liberal Democrat, Hornsey and Wood Green.
16 Hansard, HC, vol. 443, col. 631, 6 March 2006.
17 Conservative, The Wrekin.
18 Hansard, HC, vol. 443, col. 657, 6 March 2006.
19 D. Thomas, ‘New Bill to Beef Up E-crime Law: Home Office Proposes Tougher
Sentences for Hackers and Virus Writers’, Computing, 25 January 2006.