The Computer Misuse Act 1990 is intended to protect the integrity and security of computer systems and data through criminalising access to them that has not been authorised by the owner of the system or data.
In May 2021, the Home Secretary announced a review of the Act and carried out a consultation in early 2023, which considered:
- a new power for law enforcement agencies to take control of domains and IP addresses if being used by criminals, including in respect of fraud and offences
- a power to require the preservation of computer data, before its seizure, to prevent it being deleted where it may be needed for an investigation
- a power to take action against a person possessing or using data obtained by another person through an offence under the Act, for example, through accessing a computer system to obtain personal data, would be useful, subject to appropriate safeguards being in place.
The consultation also covered the Government’s proposed approach to sentencing, defences to the offences, improvements to the ability to report vulnerabilities, and whether the UK has adequate laws to deal with extra-territorial threats. The Home Office has issued its response to that consultation.
Extra-territorial provisions
Most respondents agreed that, given the cross-border and international nature of offences in many cases, the Act's territorial provisions should be clarified and expanded. Some said that the concept of what constitutes "significant links" to the UK should be clarified. One respondent suggested that extra-territorial reach could be similar to that under data protection legislation where the legislation applies to activities affecting UK data subjects, whether or not the activity takes place in the UK.
Defence for legitimate cybersecurity work
Some respondents said that currently, the Act consumer groups, cyber security professionals and researchers from undertaking a legitimate public interest activity to keep UK consumers safe, and so would support the introduction of a defence to offences under the Act.
Some highlighted that introducing a new offence for possessing or using illegally obtained data could inadvertently criminalise legitimate cybersecurity work, and would, if implemented, require a statutory defence of its own, demonstrating that the Act's offences and defences cannot be considered in isolation. However, some agreed that any statutory defence for vulnerability and threat intelligence research must continue to enable the effective investigation and prosecution of criminals, should respect system owners' rights and should not provide defences for offensive cyber activity (that is, "hack back").
Sentencing
Many respondents suggested that the current maximum sentences for offences under the Act are too low. Additionally, respondents supported other options for younger offenders, rather than prosecution.
Conclusion and next steps
Domain and IP address takedown and seizure
The Home Office has been working with various partners in this area. There are significant considerations, including the impact on the current successful voluntary arrangements, suitable safeguards and thresholds, and definitions of relevant organisations. It intends to legislate at the earliest possible opportunity.
Power to preserve data
Despite broad support, the Government is aware that several organisations were concerned that data storage is expensive and that any long-term data storage requirements would affect organisation's finances. It says that it needs to carry out further work to understand the impacts and look to mitigate them effectively if possible. If this isn't possible, it will consider legislation .
Data copying
The consultation highlighted possible adverse impacts that could result if the possession or use of data obtained through an offence under the Act were criminalised. There is a significant amount of positive work, such as victim awareness, that takes place because organisations identify and use data that has been made available due to an offence being committed. The Government plans to carry out further work in this area before providing legislative solutions.
The pace of change appears to be glacial. The parliamentary Joint Committee on National Security Strategy has recently issued a report on ransomware, in which it said that the UK regulatory frameworks are insufficient and outdated, and pointed out that the Computer Misuse Act, was introduced before the arrival of the internet - and legislation to reform it was missing from the King’s Speech. It said that reform of the Computer Misuse Act is urgently needed. Separately, the government is seeking views on proposed regulation to improve the security and resilience of data infrastructure, including data centres. However, the consultation makes limited reference to ransomware attacks.
Also, the recent dramatization of the Post Office Horizon scandal has brought the issue of the misuse of computers into sharp focus, with remote access to the Horizon system being possible for many years without apparently being admitted.
With Horizon in mind, any reform of the Computer Misuse Act might also want to consider “the absurd and unreal presumption in English law that evidence produced by a computer is somehow ‘true’ unless a hapless defendant can show why it is not” (Paul Marshall, Cornerstone Barristers). The Law Commission recommended the presumption at the turn of the century. The aim was to make prosecuting based on computer evidence easier. The Horizon scandal cases show that it has succeeded in that aim, but with devastating consequences for those caught up in it. With the growth in the use of, and decision-making by, AI, it seems clear that this area should be regulated more carefully. Recommendations for reform were made to the Ministry of Justice at the request of Alex Chalk MP, who was then a junior justice minister, in 2021. It will be interesting to see how much priority is given to this on the legislative agenda, but reform is clearly overdue.