The United Kingdom misuse of computers act 1990 was implemented to protect personal data held by organizations from unauthorized access and modification (BBC, 2022). The Act had four key elements that made it effective in dealing with cyber security. The Act illegalized the following acts. First, it ensures no unauthorized access to computer materials, a hacking practice whereby you enter a computer system without permission. The second illegality outlined by the Act was an unauthorized access to computer materials to commit a crime. Such crime attempts include accessing a computer to steal data, network, or destroy a device. Thirdly, the law prohibited data modification. Deleting, modifying, and conversing to introduce spyware or malware in the computer system was a form of vandalism and theft of information which was highly inhibited. Finally, obtaining, supplying, and making anything presenting a data breach was a formidable offense. The paper aims to discuss fundamental legislative changes that have been made to the UK misuse of computers act 1990 over the years and assess the prospects for further reforms in the crucial area of the law.
Fundamentals of the UK misuse of computers act 1990
Getting the gesture of the critical features of the UK misuse of computers act 1990 is vital to have a smooth trajectory of how the amendments to the Act have transitioned from 1990 to the current state. It will help highlight fundamentals and critiques that could have led to the amendments, making the Act more effective in the advancing global technology experiencing high-tech cyber threats. The four elements of the Act highlighted in the introduction section had respective penalties for the offenders (Mark, 2022). They covered issues of viruses, blackmail, computer fraud, and hacking. Failure to conform and embrace the law led to potential imprisonment and fines.
Unauthorized access to computer material landed the offender to pay a £5,000 fine or be sent to prison for six months. Accessing computer materials illegally to commit a crime attracted a penalty of an unlimited fine and/or five-year prison sentence. Illegal modification of the computer data was responded to by an unlimited fine and/or five-year prison sentence similar to unauthorized data modification (BBC, 2022). Finally, the last element of the Act received an unlimited fine and/or a ten-year prison sentence.
Despite having the law in place, cybercrime in the United Kingdom has risen over the decades. Hackers have reverted to sophisticated systems of committing cybercrimes and scot-free without identifying, jeopardizing the law (Mark, 2022). For the law to be enacted on the offenders, the following scenarios were followed to initiate prosecution;
- During the time of the offense, the suspect should be located in the united kingdom
- The targeted computer system was within UK territories
- The server used in committing the crime was in the UK
- The committed crime had significant damage to the United Kingdom’s territory
Has the Computer Misuse Act 1990 been effective?
The Act has been in dispensation for the last three decades, approximately 30 years. It has been amended severally to suit the cybercrime evolving threats such as malware development and covering cybercrime-terrorism. For instance, from 2008 to 2018, 422 cases have been prosecuted under the law (Lukings & Lashkari, 2021). 76% of the convictions were of a guilty verdict, amounting to a high conviction rate. The conviction rate shows the law has been effective in combating cybercrime. 16% were sentenced to prison out of the convicted people, while 29% were given a suspended sentence (CPS, 2020). The GDPR and Data Protection Act present obligations to entrepreneurs on securing their data from attackers’ failure, to which the business could be subjected to private legal claims and penalties. Compliance with the Data Protection Act and the GDPR maintained comprehensive and precise privacy policies, adhering to GDPR’s principles of processing data, implemented data protection concepts by default and design, and created IT Security Policy.
Criticism of the Act
The majority felt the Act failed to recognize the value of “white hat” or “ethical” hacking. Upon citing that, critiques stated that developers could be subjected to conviction for involving themselves in legitimate software. The Act was introduced in haste and was poorly implemented, making it unfit for combating crime. The Act was developed from the failure to prosecute hackers of Prestel-BT’s nascent email system (Correia, 2019). The Act was outdated from the 2000s because it did not have a strategy, “wording for distributed denial of service attacks (DDoS),” presenting an acute problem. For example, in February 2000, “Mafiaboy,” a 15-year-old Canadian hacker, affected giant businesses, including eBay and Amazon, through a DDoS attack. The National Hi-Tech Crime in February 2002 issues concerns about the adequacy of the 1990 act for Denial-of-service (DoS) attacks (CPS, 2020). DoS overwhelms networks, systems, and servers with traffic hindering accessibility to users.
In June 2014, before the 2015 General Election, Queen opened the final parliamentary session, and the coalition government reconciled and agreed to amend the Computer Misuse Act 1990 (Correia, 2019). The amendment was to ensure cybercrime sentences reflected the damages caused as inscribed in the Serious Crime Bill because the 1990 act was outdated to deal with current cyber security threats. Additionally, the Act was criticized because few people had access to computers during its implementation, making it unfit for contemporary society. Currently, there are many devices in the jungle, such as PCs, laptops, and tablets used for personal life and work, scenarios that are not captured in the Computer Misuse Act 1990 (Department of Health, 2018). The law had a simple interpretation of the law is not applicable; thus, considering the subsequent reforms in the rest of the paper is crucial for precise understanding by the courts.
Key legislative changes for the Act
The Computer Misuse Act 1990 underwent amendment bills in 1998, 2005, and 2008 enacted in England and Wales, Scotland, and Northern Ireland (McCallion, 2019). The amendments ran from section 34 to section 86, schedules 1 and 4The new current legislation covered three offenses;
- Illegal access to computer materials was enshrined in section 35 Illegal access with intentions of committing or facilitating commission for further offenses.
- Illegal acts with intentions for impairing, or with recklessness as to impair and operate computer evident in section 36
Part 3 of the Police Act 1997 was more controversial and the amendments targeted to remove ambiguity for investigating cybercrime and interactions with relevant parties (Correia, 2019). The amendment did not apply to the law enforcement agencies as it clarified the existing powers. It provided insight into the 1990 Act. However, the reforms were contested by the civil rights groups such as privacy international, claiming the law was broad and needed changes to make it more specific. Subsequently, the Computer Misuse Act 1990 has been amended twice by the Police and Justice Act 2006 and the Serious Crime Act 2015 (McCallion, 2019). The two amendments introduced more offenses;
- Illegal acts lead to or create a risk of severe damage, and
- Obtaining, supplying, and making articles to facilitate crime under all sections of the law under section 37
The chronological amendments of the Act were significant for the UK government. . Section 34 of the Police and Justice Act of 2006 was inserted, which made surveillance of the cybercrime threats by cyber security researchers and intelligence difficult even for the white-hat hackers and ethical hackers. Section 38 focused on transitional and saving provisions (Noble Solicitors, 2022). Amendments from sections 35 to 38 formed part 5 of the Justice Act of 2006. Researching security threats from Section 3A to section 42 of the Act was compromised. Judges had difficult times interpreting and making rulings on cybercrime based on the amendment.
Sections 41 to schedule 4 were formed part 2 of the severe Crime Act 2015. The Serious Crime Act 2015 amendment introduced the three alterations above in the existing elements of the original law under section 3ZA to section 41 (Postoeva & Shestak, 2022). The crime attracted 14-years imprisonment and a fine. It aimed to reflect on economic and personal harm caused by cyber-attacks in the European Union Directive. It made prosecution easier in the UK territories, especially on the information systems. The amendment allowed the Crown Prosecution Service and police to prosecute United Kingdom people for cybercrimes outside UK boundaries.
The obtaining, supplying, and making amendment hit the cyber security hard according to the Serious Crime Act, section 42. A written parliamentary question in December 2018 sought indulgence on the possibility of amending section 1 of the Computer Misuse Act 1990 (Noble Solicitors, 2022). The requested amendment authorized the United Kingdom intelligence researchers and cyber security to offer utmost protection by supplying threat intelligence information. The Home Office affirmed that it keeps the Computer Misuse Act 1990 in check, and it is under regular reviews to determine potential drawbacks and benefits that can prompt legislative changes.
Section 43 was the amendment of the original Act sections 4, 5, and 10. Section 44 illustrated the savings amendment of sections 10 and 16 covered enactment and seizures. In contrast, section 47 tackled Serious Crime Prevention Orders, which added severe offenses such as computer misuse under Serious Crime Act 2007. Section 86 wanted reinforcement of sections 42 and 43 before their application (SCL, 2020). Schedule 1 amendment was similar to Scottish law. Finally, Schedule 4 was consequential and minor amendments changing Computer Misuse Act 1990 and Armed Forces Act 2006 (Davies, 2018).
Prospects for further reforms on the Computer Misuse Act 1990
As time progresses, fundamental key areas should be considered to make the Act more effective and valuable in combating cybercrime. First, there is a knowledge gap that should be addressed. Generally, the Act has not been effective for the Crown Prosecution Office, law enforcement officers, and cyber security practitioners. Judges are faced with challenges in interpreting the Act putting their judgments in jeopardy. For the successful prosecutions conducted in Southward Crown Court, the levels of acknowledging the computer crime were not good, and it was inadequate to handle cases well (Davies, 2018). The court is the most renowned specialist fraud center that deals with significant fraud and severe cybercrime cases in Wales and England. Therefore, for successful and practical application of the law, there is a need to address the knowledge gap primarily through amendments proposed in the 2018 parliamentary inquiry.
Secondly, there is an inevitable evolution of cyber threats requiring modern mechanisms to combat and address them. New threats emerge more often as the law was designed to combat cybercrime over the past three decades when computer literacy was low (Adams-Collman, 2018). The modern cyber-crimes are sophisticated, and cyber security policies need a facelift to make them effective and protect the business. For example, the DDoS threat requires similar cyber protections to combat. The new threats are evolving, making the law outdated (SCL, 2020). According to Crime Statistics in September 2019, a Crime Survey conducted in Wales and England showed that Action Fraud was the central growing crime area. It was developed for hacking resulting in extortion.
Hacking for extortion doubled in 2019 with 4,133 cases from 2,147 in previous years annually. Even though the cases have increased, the hacking issues and computer misuse have dropped significantly based on the UK malware and virus reports. In June 2019, UK Finance reported an increased Authorized Push Payment Frauds from £354m to £413m in 2018 and 2019. In 2018, the hacking into email systems and accounts recorded 84 000 cases, while in 2019, it recorded over 108 000 cases (UK Gov. Legislation, 2022). Reflecting on the UK Finance report shows there is a problem in combating cybercrime. The problem with the Act is the visible difference between the computer consideration as the key section of the fraud and the use of computers in committing cybercrimes. The Act should be reviewed to highlight all potential offenses areas to protect sustainable solutions to the threats.
Thirdly, web-scraping is deemed lawful. Compared to the United States of America (USA) law, Computer Fraud and Abuse Act (CFAA) enacted in 1986 catered for cybercrime. It was amended into the current computer fraud law and was absorbed in the Comprehensive Crime Control Act 1984. However, the law has been subjected to various amendments to cope with increasing technological advancements (UK Gov. Legislation, 2022). The United States Appeals Court ruled in favor that web-scarping for public sites was lawful and did not contravene CFAA legislation.
Besides, the court automatically illegalized competitors from information withdrawal on public sites. Site owners design technical obstacles as a competitive mechanism for protecting copying of non-copyright such as user profiles, product details, and ticket prices since they own the information, thus opting for web scraping. However, web scraping is considered theft. However, in the U.S. Case study, technical measures must be implemented to block web scraping interference because customers rely on the data (Lukings & Lashkari, 2021). Like the UK Act, such strategies should be made to avoid malicious interference with a contract as prohibited in American law. It will be a game-changer in the UK law and prevent web scraping.
Fourth, there is a lack of protection for justified hacking in UK law. The Computer Misuse Act 1990 has criminalized cyber security professionals’ investigations and cyber threat intelligence in the UK. The defensive forces undertake cyber threat intelligence to investigate cyber security issues, which is difficult to achieve under the dispensation of the UK Act. Cyber security professionals are supposed to interrogate, scan, and interact with criminal systems and compromised victims according to cyber threat intelligence (UK Gov. Legislation, 2022). Obtaining such information may require authorization and explicit permission, or owners might not have allowed the cyber security professionals to access the information.
The Act presents a technical challenge because it prevents and criminalizes computer access making it difficult for the defense security intelligence and research. There is a need to reform the Act similar to the United States, which has a whole industry for vulnerability scanning providing intelligence with possible cyber security issues such as terrorism. UK-based companies are prohibited (Button et al., 2021). Thus it’s an appeal for the UK companies to be allowed to compete on the international playing level field levels similar to U.S. based companies.
Finally, the UK Act has no scope for hacking back. The law does not allow in-depth investigations of cybercrime by law enforcement agencies. The current amended Computer Misuse Act 1990 lacks scope for vigilante-style hacking-back (Uk Politics, 2021). For example, gaining access to the criminals’ systems unauthorized attracts legal proceedings, thus being a criminal liability (Gashi, 2021). The Act should allow a degree of fighting back as it has increased pressure for developing and defining surrounding circumstances for hacking back. The reform will enable legal entities to establish attribution of an attack for retrieving and destroying stolen files. Besides, cyber security intelligence and researchers can monitor the behaviors of criminals and disrupt their malicious acts of cyber-attacks even without damaging other’s computers. Overly, a branch and root review of the Computer Misuse Act 1990 would fit the growing needs for cybercrime protection in the current world (Uk Politics, 2021). Applicability of the past three-decade legislation is like using trap and pony speed hindrances on modern vehicles.
Conclusion
In conclusion, critiques of the 1990 Act led to the amendments making it more relevant to the cybercrime threats. However, more reforms are required to cope with the advancing technology. The reforms will facelift it to cover the current trends of cybercrimes.
References
Adams-Collman, J. (2018). Ransomware and cyber security: The King that did not WannaCry. Primary Dental Journal, 7(1), 44-47. https://doi.org/10.1308/205016818822610307
BBC. (2022). Computer misuse act (1990) – Ethical, legal and environmental impact – CCEA – GCSE digital technology (CCEA) revision – BBC bitesize. BBC Bitesize. https://www.bbc.co.uk/bitesize/guides/z8m36yc/revision/5
Button, M., Blackbourn, D., Sugiura, L., Shepherd, D., Kapend, R., & Wang, V. (2021). Victims of cybercrime: Understanding the impact through accounts. Cybercrime in Context, 137-156. https://doi.org/10.1007/978-3-030-60527-8_9
Correia, S. G. (2019). Responding to victimisation in a digital world: A case study of fraud and computer misuse reported in Wales. Crime Science, 8(1). https://doi.org/10.1186/s40163-019-0099-7
CPS. (2020, February 5). Computer misuse act. The Crown Prosecution Service | The Crown Prosecution Service. https://www.cps.gov.uk/legal-guidance/computer-misuse-act
Davies G. (2018). Court of Appeal High Court: Extradition, forum bar and concurrent jurisdiction: Is the case of Love a precedent for trying hackers in the UK? Lauri Love v (1) The Government of the United States of America (2) Liberty [2018] EWHC 172. The Journal of Criminal Law, 82(4). org/10.1177/0022018318791670
Department of Health. (2018, December 3). The computer misuse act 1990. Health. https://www.health-ni.gov.uk/articles/computer-misuse-act-1990
Gashi, G. (2021). Analysing the correlation between Convolutional filter sizes and classification accuracy using MNIST. Thesis Commons. https://doi.org/10.31237/osf.io/g7ct6
Lukings M., & Lashkari, A. H. (2021). Global Relevance. Springer, 97–136. https://link.springer.com/chapter/10.1007/978-3-030-88704-9_4
Mark B. (2022). Enabling cyber incident collaboration in UK local government through fast-time communication. https://www.ingentaconnect.com/content/hsp/jcs/2022/00000005/00000003/art00006
McCallion, J. (2019, September 17). What is the computer misuse act? IT PRO. https://www.itpro.co.uk/it-legislation/28174/what-is-the-computer-misuse-act
Noble Solicitors. (2022). What is the computer misuse act? Noble Solicitors, leading experts in criminal, commercial, civil and family law. https://www.noblesolicitors.co.uk/about/indepth-computer-mis-use-act.html
Postoeva, E., & Shestak, V. (2022). Comparative legal analysis of countering the use of information and communication technologies for criminal purposes on the example of Russia and the UK. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4024416
SCL. (2020, March 30). The 30-year-old computer misuse act is not fit for purpose. https://www.scl.org/articles/10854-the-30-year-old-computer-misuse-act-is-not-fit-for-purpose
Uk Gov Legistaltion. (2022). Computer misuse act 1990. Legislation.gov.uk. https://www.legislation.gov.uk/ukpga/1990/18/contents
Uk Politics. (2021, June 15). Computer misuse act. Politics.co.uk. https://www.politics.co.uk/reference/the-computer-misuse-act-1990/
write