The Computer Misuse Act 1990 - offences you probably didn’t know existed

Our Bryan McMahon discusses the Computer Misuse Act 1990, what it covers and how you might fall foul of the law.

What is misuse of a computer?

This is an offence that few know about but is being used more commonly to reflect the society we now live in.

First, there is no definition of what constitutes a computer. Due to rapid changes in technology, any definition would undoubtedly soon become outdated, a problem legislators have also found in trying to deal with synthetic drugs, which change in composition almost daily.

There are some definitions which exist in case law, but for the purposes of this article let’s simply accept the layman’s understanding of what a computer is.

What is a computer misuse offence?

There are various offences covered by the Act which rise in severity in terms of actions, intention and punishment. Section 1 of the Act deals with the primary offence of unauthorised access to a computer; further offences under Sections 2, 3, 3ZA & 3A (dealt with further in this article) follow the same general principle but require additional acts or intent.

What is unauthorised access to computer material?

In order for the prosecution to prove the offence they must establish the following:

  1. One of the computers must be in the UK, either the target computer or indeed the computer being used to target.
  2. You must have caused a computer to perform a function with intent to secure access. It is simply not enough for someone to walk past a computer screen of a colleague and see something that interests them. One must interact with a computer in some shape or form.
  3. You must be aware that what you were doing was unauthorised. It is important that employers ensure that their employees know what they are allowed or not allowed to access.
  4. You must intend to secure access to data or information held on a computer. So it cannot be accidental; there must be knowledge on the part of the alleged offender that the access is unauthorised. It is not sufficient for the prosecution to simply say that the act was reckless.

It is not necessary for the prosecution to prove that the access came from outside the organisation, i.e. hacking. The case of R v Bow Street Magistrates Court (AP) Ex Parte Government of the United States of America (Allison) [2002] 2 AC 216 deals with those circumstances and found that an employee who was authorised to access some data, but then actually accessed data at a level above their authority, was guilty of an offence.

Is it illegal to hack a Facebook account?

If you access the Facebook account of another person without their permission, you are causing a computer to perform a function with intent to secure access to data to which you would otherwise not have access, so in short the answer is yes.

There are many types of acts which would be covered by Section 1 of the Computer Misuse Act 1990, but some of the more common are as follows:

  • A police officer who uses the Police National Computer to see if a friend has previous convictions.
  • Password guessing and accessing somebody else’s mobile phone without their permission, perhaps to spy on an ex-partner.

What is the penalty for unauthorised access to computer material?

The penalties for offences will depend on the individual circumstances, but can be quite serious. The offence can be dealt with in either the Magistrates’ or Crown Court, and sentences range from a discharge or fine up to a maximum of 2 years’ imprisonment.

Section 2 Computer Misuse Act 1990 - Unauthorised access with intent to commit or facilitate commission of further offences

In addition to unauthorised access, this offence also requires the prosecution to prove an intention to commit a further offence, for example, where a police officer passes on information from the Police National Computer which tends to pervert the course of justice, or where financial data is stolen with an intention of committing cyber fraud. This offence is made out even if its commission is impossible. So, if you access somebody else’s online bank account without permission, intending to steal, you would be guilty of the offence even if the account had no credit. The maximum sentence for unauthorised access with intent to commit or facilitate commission of further offences is 5 years’ imprisonment.

Section 3 Computer Misuse Act 1990 - Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

Commonly referred to as ‘cyber attacking’ or ‘cyber hacking’, this offence is serious and can be punished with a sentence of up to 10 years’ imprisonment. An example of this type of offence would be hacking a bank’s online system so that clients cannot access their money for a time period, or infecting a computer with a virus which can be capable of attaching itself to, and damaging, system files, which can bring down computer systems, often with devastating effects on business.

Section 3ZA Computer Misuse Act 1990 - Unauthorised acts causing, or creating risk of, serious damage

This offence was brought about by the implementation of the Serious Crime Act 2015 and came into force in May of that year. This requires the offender to perform an ‘act’ with the intention of causing or creating a risk of damage (or being reckless as to whether damage is caused) to national security, a country’s economy, the environment or to human welfare. Clearly, if you hacked the intelligence service computer systems then this could create a risk of damage to national security. However, the definition of ‘damage to human welfare’ includes disruption of facilities for transport or disruption of a system of communication. So one example might include cyber attacks on the Highways Agency computer systems or causing email systems to malfunction. Offences under this section can lead to a sentence of up to 14 years’ imprisonment, although that can be increased to life imprisonment if the act creates damage or a serious risk of harm to life or national security.

Section 3A Computer Misuse Act 1990 - Making, supplying or obtaining articles for use in the previous sections

Punishable with imprisonment for up to 2 years, this offence is clearly designed for those who create or supply worms, viruses and Trojan horses, as an article is defined as ‘any program or data held in electronic form’. Making the article does require a specific intention for it to be used in a criminal offence. Supplying or obtaining only requires a belief that it may be used in a criminal offence, so would include the creation of clone websites, email spamming or phishing emails.

If you need legal advice from a leading criminal defence solicitor please contact us. Burton Copeland are expert computer misuse solicitors based in Manchester, but operating throughout the UK. We have a wealth of experience in advising clients accused of computer misuse, fraud and cyber crime offences.