Computer Misuse Act 1990
The Computer Misuse Act was first proposed when computers were not yet widely distributed. Actions on computers were limited, so possible offences were very narrowly defined and often overlooked. Over the past few decades, digital devices and computer networks have grown rapidly. There is a greater opportunity for some people, especially hackers, to cause harm to others online via advanced technology. The law needed to be reshaped and adapted to the changing world in order to prevent illegal acts, whether committed on purpose or by accident.
The Computer Misuse Act defines the main offences that can be committed online. The offences are:
Unauthorised access to computer material. This refers to entering a computer system without permission (hacking)
Unauthorised access to computer materials with intent to commit a further crime. This refers to entering a computer system to steal data or destroy a device or network (such as planting a virus)
Unauthorised modification of data. This refers to modifying or deleting data, and also covers the introduction of malware or spyware onto a computer (electronic vandalism and theft of information)
Making, supplying or obtaining anything which can be used in computer misuse offences
These offences can lead to severe punishments: the lowest-level offence (unauthorised access to computer material) carries a penalty of up to two years in prison and a £5,000 fine. The highest-level crime (making, supplying or obtaining) can carry up to ten years in prison and an unlimited fine. If the offence poses a threat to human welfare or even to national security, the penalty could extend to life imprisonment.
In the Computer Misuse Act, the word ‘access’ means:
altering or erasing the computer programme or data
copying or moving the programme or data
using the programme or data
outputting the programme or data from the computer in which it is held (whether by having it displayed or in any other manner)
The Act was amended again in 2015, creating a new offence of ‘unauthorised acts causing serious damage’, which broadly addresses cyber terrorism and cyber warfare attacks (e.g. DDoS, distributed denial-of-service, attacks).
The government said that the penalties carried by these offences ‘did not sufficiently reflect the level of personal and economic harm that a major cyber attack on critical systems could cause’. This signifies the government's concern about cybersecurity at the national level.
Civil rights groups such as Privacy International have questioned the changes as being too broad, because they give exemptions to police and spy agencies such as GCHQ (Government Communications Headquarters).