Offences Involving Misuse of Computers
Author | Matthew Richardson |
Pages | 1-52 |
Chapter 1
Offences Involving Misuse of Computers
1.1 BACKGROUND TO THE COMPUTER MISUSE ACT 1990
As long ago as 1988,
The defendants successfully appealed their convictions in the Court of Appeal and their acquittals were subsequently upheld in the House of Lords (now the Supreme Court). However, the litigation exposed the gaps in the criminal law existing at the time regarding the misuse of computer systems. The Law Commission’s substantive report
Commission, 1988).
Commission, 1989).
2 Cyber Crime: Law and Practice
An increasing degree of interest and disquiet has become apparent in recent years in relation to the implications of, and the possible misuse of, the computerisation that plays an ever growing role in public, commercial and indeed private life. In this report we are concerned with one aspect of that public concern: the misuse of computers or computer systems by parties other than those entitled to use or control those computers, either by simply seeking access to the computers or amending the information held in them for what may be a wide range of ulterior motives. Such conduct can be generically described by the title of this report, ‘Computer Misuse’.
[…]
Before the criminal law is extended to deal with a newly apparent social problem it is necessary to be as certain as possible about the nature and extent of that problem; to be satisfied that the problem is not already met by existing legal sanctions whether civil or criminal; and to be satisfied that the particular and coercive remedies of the criminal law are appropriate to the requirements of the case.
The report concluded that it was necessary to introduce three new criminal offences covering unauthorised access to a computer, unauthorised access to a computer with intent to commit or facilitate the commission of a serious crime and unauthorised modification of computer material. The result of the Law Commission’s recommendations was Parliament’s enactment of the Computer Misuse Act 1990 (CMA 1990), which was intended, principally, to target so-called ‘hacking’ offences. As the Law Commission indicated, the conceptual basis of the CMA 1990 was not the protection of confidential information but rather the integrity of computer systems.
The Law Commission’s recommendations were, unusually, put before Parliament as a Private Member’s Bill by the Conservative MP, Michael Colvin, and were codified as the three offences set out in sections 1–3 of the CMA 1990 (as originally drafted). Given the advancements in the use and capacity of computers and the internet which came after the original drafting of the CMA 1990, it was, in hindsight, inevitable that the Act would require amendment to address issues arising from the application of the legislation. In addition, subsequent to the enactment of the CMA 1990, the United Kingdom assumed further obligations with regard to its membership of the European Union which were not covered by the existing legislation. Subsequent amendments and additions were therefore made by the Police and Justice Act 2006 (PJA 2006) and the Serious Crime Act 2007 (SCA 2007), including the insertion of an additional offence under section 3A of the CMA 1990 dealing with the offences of possessing, making or supplying articles for use in the offences under sections 1–3 of the CMA 1990.
1.2 SECTION 1 OF THE COMPUTER MISUSE ACT 1990
– UNAUTHORISED ACCESS TO COMPUTERS
The basic offence of securing unauthorised access to computers is set out in section 1 of the CMA 1990,
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure, or to enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable—
(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
(b) [applies only to Scotland]
(c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.
4 Cyber Crime: Law and Practice
1.2.1 Procedure and sentencing
The offence created by section 1 of the CMA 1990 describes the basic offence of unauthorised access to a computer system. It is triable either way and carries a maximum sentence of 12 months’ custody and/or a fine not exceeding the statutory maximum upon summary conviction; and a maximum sentence of 2 years’ custody and/or a fine upon conviction on indictment.
There are currently no guidelines from the Sentencing Council (formerly the Sentencing Guidelines Council) regarding offences under sections 1–3 of the CMA 1990. However, the Court of Appeal sought to offer some guidance in the case of R v Mangham [2012] EWCA Crim 973, [2013] 1 Cr App R (S) 11. In that case, the appellant had pleaded guilty and was convicted of three offences under section 1 of the CMA 1990 and a further offence under section 3 of the CMA 1990. He was given an 8-month custodial sentence on each of the four offences, to run concurrently, and a 5-year Serious Crime Prevention Order (SCPO) pursuant to section 1 of the SCA 2007. Over the period of a month, the appellant had hacked into the computers of the international social media platform, Facebook. He was able to infiltrate a Facebook employee’s email account and ‘stole’
(a) whether the offence was planned and persistent;
(b) the nature and damage caused to the system itself;
(c) the nature of the damage caused to the wider public interest such as national security, individual privacy, public confidence and commercial confidentiality;
(d) the cost of remediation if damage caused (not a determinative factor);
(e) motive;
(f) benefit;
(g) revenge;
Criminal Division.
(h) attempts to gain financial benefit from the sale of information accessed;
(i) whether or not the information accessed has been passed on to others;
(j) the value of the intellectual property which may be involved.
The court also noted that the offender’s psychological profile deserves close attention with regard to mitigation. However, it should be noted that the Court of Appeal in the case of R v Martin [2013] EWCA Crim 1420 (of which there is further discussion at para 1.4.1) has indicated that R v Mangham [2012] EWCA Crim 973, [2013] 1 Cr App R (S) 11 should not be treated as a benchmark for such cases, which, in the ordinary course, are now likely to attract sentences which are significantly longer.
1.2.2 Elements of the offence
The actus reus of the offence under section 1 of the CMA 1990 is substantiated by causing a computer to perform ‘any function’ in order to...
To continue reading
Request your trial