Offences Involving Misuse of Computers

AuthorMatthew Richardson
Pages1-52

Chapter 1


Offences Involving Misuse of Computers

1.1 BACKGROUND TO THE COMPUTER MISUSE ACT 1990

As long ago as 1988,1the Law Commission recognised that legislation was required to provide protection for society from the mischief of misuse of computer technology that was not adequately covered by pre-existing offences under criminal law. The requirement to address the issue had been brought into focus by the case of R v Gold and Schifreen [1988] AC 1063. In that case, the two defendants had gained access to the British Telecom Prestel computer network by entering Customer Identification Numbers (CINs) and passwords to gain unauthorised access to data contained in customer accounts held on the computer system, including altering some of the data. The CINs and passwords used by the defendants to gain access to the system were genuine but had been obtained and used without permission. The defendants claimed that they were highlighting the deficiencies in the security of such a computer system. Both were charged and convicted after trial of several specimen offences under section 1 of the Forgery and Counterfeiting Act 1981 – the offence of ‘making a false instrument with the intention that the defendant or another shall use it to induce somebody to accept it as genuine, and by reason of so accepting it to do or not to do some act to his own or any other person’s prejudice’.

The defendants successfully appealed their convictions in the Court of Appeal and their acquittals were subsequently upheld in the House of Lords (now the Supreme Court). However, the litigation exposed the gaps in the criminal law existing at the time regarding the misuse of computer systems. The Law Commission’s substantive report2on computer misuse stated that:

1See Law Commission, Computer Misuse, Law Commission Working Paper No 110 (Law

Commission, 1988).

2Law Commission, Law Commission Report No 186 on Computer Misuse, Cmnd 819 (Law

Commission, 1989).

2 Cyber Crime: Law and Practice

An increasing degree of interest and disquiet has become apparent in recent years in relation to the implications of, and the possible misuse of, the computerisation that plays an ever growing role in public, commercial and indeed private life. In this report we are concerned with one aspect of that public concern: the misuse of computers or computer systems by parties other than those entitled to use or control those computers, either by simply seeking access to the computers or amending the information held in them for what may be a wide range of ulterior motives. Such conduct can be generically described by the title of this report, ‘Computer Misuse’.

[…]

Before the criminal law is extended to deal with a newly apparent social problem it is necessary to be as certain as possible about the nature and extent of that problem; to be satisfied that the problem is not already met by existing legal sanctions whether civil or criminal; and to be satisfied that the particular and coercive remedies of the criminal law are appropriate to the requirements of the case.3

The report concluded that it was necessary to introduce three new criminal offences covering unauthorised access to a computer, unauthorised access to a computer with intent to commit or facilitate the commission of a serious crime and unauthorised modification of computer material. The result of the Law Commission’s recommendations was Parliament’s enactment of the Computer Misuse Act 1990 (CMA 1990), which was intended, principally, to target so-called ‘hacking’ offences. As the Law Commission indicated, the conceptual basis of the CMA 1990 was not the protection of confidential information but rather the integrity of computer systems.4

The Law Commission’s recommendations were, unusually, put before Parliament as a Private Member’s Bill by the Conservative MP, Michael Colvin, and were codified as the three offences set out in sections 1–3 of the CMA 1990 (as originally drafted). Given the advancements in the use and capacity of computers and the internet which came after the original drafting of the CMA 1990, it was, in hindsight, inevitable that the Act would require amendment to address issues arising from the application of the legislation. In addition, subsequent to the enactment of the CMA 1990, the United Kingdom assumed further obligations with regard to its membership of the European Union which were not covered by the existing legislation. Subsequent amendments and additions were therefore made by the Police and Justice Act 2006 (PJA 2006) and the Serious Crime Act 2007 (SCA 2007), including the insertion of an additional offence under section 3A of the CMA 1990 dealing with the offences of possessing, making or supplying articles for use in the offences under sections 1–3 of the CMA 1990.

3Ibid, at paragraphs 1.1–1.3.

4Ibid, at paragraph 2.13.

1.2 SECTION 1 OF THE COMPUTER MISUSE ACT 1990
– UNAUTHORISED ACCESS TO COMPUTERS

The basic offence of securing unauthorised access to computers is set out in section 1 of the CMA 1990,5which provides the following:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

(b) the access he intends to secure, or to enable to be secured, is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable—

(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b) [applies only to Scotland]

(c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

5As amended by section 35 of the PJA 2006, subject to the transitional provisions specified in section 38(1) and (2) of the PJA 2006. By section 38(2)(a), the substitution of section 1(3) does not apply to offences committed before the substitution was effected. By section 38(6) of the PJA 2006, for offences committed before section 154(1) of the Criminal Justice Act 2003 (CJA 2003) comes into force, ‘12 months’ in section 1(3)(a) should be read as ‘6 months’. This applies to the amended offences under sections 1–3A.

4 Cyber Crime: Law and Practice

1.2.1 Procedure and sentencing

The offence created by section 1 of the CMA 1990 describes the basic offence of unauthorised access to a computer system. It is triable either way and carries a maximum sentence of 12 months’ custody and/or a fine not exceeding the statutory maximum upon summary conviction; and a maximum sentence of 2 years’ custody and/or a fine upon conviction on indictment.

There are currently no guidelines from the Sentencing Council (formerly the Sentencing Guidelines Council) regarding offences under sections 1–3 of the CMA 1990. However, the Court of Appeal sought to offer some guidance in the case of R v Mangham [2012] EWCA Crim 973, [2013] 1 Cr App R (S) 11. In that case, the appellant had pleaded guilty and was convicted of three offences under section 1 of the CMA 1990 and a further offence under section 3 of the CMA 1990. He was given an 8-month custodial sentence on each of the four offences, to run concurrently, and a 5-year Serious Crime Prevention Order (SCPO) pursuant to section 1 of the SCA 2007. Over the period of a month, the appellant had hacked into the computers of the international social media platform, Facebook. He was able to infiltrate a Facebook employee’s email account and ‘stole’6intellectual property which the employee stored on a portable hard drive, including the source code behind Facebook’s software which gave it its functionality. The Court of Appeal7identified the following aggravating features for offences under sections 1–3 of the CMA 1990:

(a) whether the offence was planned and persistent;

(b) the nature and damage caused to the system itself;

(c) the nature of the damage caused to the wider public interest such as national security, individual privacy, public confidence and commercial confidentiality;

(d) the cost of remediation if damage caused (not a determinative factor);

(e) motive;

(f) benefit;

(g) revenge;

6Inverted commas have been used here as the taking of such information may not have constituted an offence of theft under the criminal law – the information was, however, taken without consent.

7Comprised of Hooper LJ, Cranston J and HHJ Rook QC sitting as a judge of the Court of Appeal

Criminal Division.

(h) attempts to gain financial benefit from the sale of information accessed;

(i) whether or not the information accessed has been passed on to others;

(j) the value of the intellectual property which may be involved.8

The court also noted that the offender’s psychological profile deserves close attention with regard to mitigation. However, it should be noted that the Court of Appeal in the case of R v Martin [2013] EWCA Crim 1420 (of which there is further discussion at para 1.4.1) has indicated that R v Mangham [2012] EWCA Crim 973, [2013] 1 Cr App R (S) 11 should not be treated as a benchmark for such cases, which, in the ordinary course, are now likely to attract sentences which are significantly longer.9

1.2.2 Elements of the offence

The actus reus of the offence under section 1 of the CMA 1990 is substantiated by causing a computer to perform ‘any function’ in order to...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT