Computer Misuse Act 1990
The Computer Misuse Act 1990 (CMA) is an Act of the Parliament of the United Kingdom that criminalises unauthorised access to computer systems and data, and unauthorised acts intended to impair the operation of a computer.[1][2] As enacted it created three offences: unauthorised access to computer material (section 1), unauthorised access with intent to commit or facilitate further offences (section 2), and unauthorised modification of computer material (section 3), the last of which now covers any unauthorised act that impairs, or is reckless as to impairing, a computer's operation.[3] Enacted as chapter 18 of the public general acts of 1990, the Act received Royal Assent on 29 June 1990 and was passed to close gaps in the existing law that had prevented effective prosecution of early hacking incidents.[4] It originated in concern over computer-related crime in the 1980s, particularly after the courts held that the existing theft, fraud and forgery statutes did not cover unauthorised electronic access.[5] It has since served as the cornerstone of UK cybercrime law, supporting prosecutions for hacking, malware deployment and related disruption.[2] Amendments, notably by the Police and Justice Act 2006, extended it to denial-of-service attacks and to impairment that causes no physical damage, and raised the available sentences.[6] While effective in establishing criminal liability for malicious intrusion, the CMA has drawn criticism for broad definitions that critics argue could criminalise ethical security testing and research, with the most serious offence added later (section 3ZA, inserted in 2015) carrying up to 14 years' imprisonment, or life in the gravest cases.[7][8] Government reviews, including the 2023 consultation, have examined enhancements for law enforcement while seeking to preserve legitimate cybersecurity practice.[1]

Background and Origins
The R v Gold and Schifreen Case
In September 1984, at the Communications '84 trade exhibition in London, Robert Schifreen watched a British Telecom engineer type a user identification number and password into a Prestel terminal during a public demonstration of the Viewdata service.[9] By shoulder-surfing, Schifreen memorised the credentials of the demonstration account, which gave access to Prestel, the nationwide information-retrieval and electronic-mail service operated by British Telecom.[10] Later that evening Schifreen and journalist Stephen Gold dialled into Prestel from home computers over modems; Schifreen entered the observed credentials, gained unauthorised entry, and navigated to the private mailbox of the Duke of Edinburgh (Prince Philip), where they left a message to demonstrate the weakness before logging out.[9][10] British Telecom's Prestel security team traced the access through modem logs and placed monitoring on the suspects' connections, and the pair were arrested in March 1985.
The pair, who presented their actions as an exposure of weaknesses in early telecommunications networks rather than as malicious, were charged under section 1 of the Forgery and Counterfeiting Act 1981, the prosecution arguing that the electronic signals and false commands sent to the system constituted a "false instrument" used to deceive the computer.[11] They were convicted at Southwark Crown Court in 1986 on several counts and fined, the court treating the acts as reckless but non-destructive demonstrations akin to journalists testing security flaws.[9] The Court of Appeal quashed the convictions in 1987, and the House of Lords dismissed the Crown's appeal in 1988 (R v Gold and Schifreen [1988] 2 WLR 984), holding that the electronic signals held only momentarily in the Prestel user segment were neither recorded nor stored and so could not be a "false instrument" within the 1981 Act, a statute directed at tangible instruments rather than transient data fed into a machine.[11][12] The judgment stressed that although the defendants had exploited rudimentary authentication (pretexting by telephone to obtain further details, and an unencrypted password), forcing such conduct into the language of a forgery statute not designed for it was, in the courts' words, a "Procrustean" exercise, leaving a gap in the law for non-damaging computer intrusions.
The case illustrated the wider exposure of 1980s UK computing, where the spread of personal computers, modems and dial-up services such as Prestel, together with early bulletin board systems that circulated code and phreaking techniques for bypassing telecom safeguards, produced a visible rise in exploratory intrusions, often by hobbyists probing weak remote-access authentication with no intent to defraud or destroy.[10] Logs from Prestel and similar systems showed repeated unauthorised probes, and because such activity left electronic traces but no physical artefact, laws written for the analogue era had nothing to attach to, which prompted parliamentary interest in dedicated computer-misuse offences.[9]

Pre-1990 Legal Gaps and Legislative Push
Before the Computer Misuse Act 1990, the existing criminal law, including the Theft Act 1968 and the Forgery and Counterfeiting Act 1981, was ill suited to unauthorised access to computer systems, because those statutes presupposed tangible property or physical instruments rather than the manipulation of intangible data.[13] The House of Lords' decision in R v Gold and Schifreen (1988) exemplified the shortfall: the defendants, who had entered the British Telecom Prestel service using credentials observed at a demonstration, were initially convicted under forgery law on the theory that the electronic signals they sent were "false instruments", but the convictions were quashed because transient electrical impulses held briefly in the system's user segment were neither recorded nor stored and so could not be an "instrument" under section 1 of the 1981 Act.[14] Theft was equally unavailable, since viewing or copying data involves no permanent deprivation of property. Reliance on the Criminal Damage Act 1971 was likewise unreliable, because the requirement of damage to tangible property sat awkwardly with the alteration of data, leaving prosecutors without a dependable charge for "hacking" that caused no overt physical loss but threatened system integrity and confidentiality.[13] The Law Commission identified these gaps in Working Paper No. 110 (August 1988), which consulted on the inadequacy of the existing law to deter or punish computer-specific harms such as unauthorised access, noting that such acts could enable fraud or disruption without fitting traditional offence categories, and followed with Report No. 186 (October 1989), which recommended specific offences of unauthorised access and unauthorised modification.[15][16] These reports argued that computers needed protection distinct from that afforded to physical assets and built parliamentary momentum amid reports of bulletin-board intrusions and early network vulnerabilities in the late 1980s. A private member's bill sponsored by Conservative MP Michael Colvin was introduced in the 1989-90 session and received its second reading in the House of Commons on 9 February 1990.[17][8] The debates, and earlier discussion from 1988 onward including select committee work, balanced calls for deterrence against industry warnings of over-criminalisation, including potential liability for penetration testing and legitimate system audits; Colvin argued that the bill's focus on intent and on knowledge that access was unauthorised would keep it from sweeping in such activity while closing the enforcement gap.[17] The government supported the bill, which received Royal Assent on 29 June 1990, the case for it resting on documented prosecutorial failures rather than speculative threats.[8]

Core Provisions and Structure
Primary Offenses Defined
Section 1 creates the basic offence of unauthorised access to computer material: a person commits it if he causes a computer to perform any function with intent to secure access to any program or data held in any computer, the intended access is unauthorised, and he knows at the time that this is so.[18] The actus reus is causing the computer to perform a function, such as entering credentials or issuing a command; the mens rea is intent to secure access together with knowledge that the access is unauthorised. No damage or further harm need be proved.[18] The offence is broad because the intent need not be directed at any particular program, data or computer, so it reaches exploratory hacking and mere unauthorised logins.[18] Section 2 builds on section 1 by criminalising unauthorised access with intent to commit or facilitate further offences: a person who commits the section 1 offence intending to commit, or to facilitate the commission of, a further offence is guilty under section 2.[19] The "further offences" are those for which the sentence is fixed by law or for which an adult with no previous convictions could be sentenced to imprisonment for five years or more, and liability arises whether the further offence is to be committed on the same occasion or later, and even if its commission turns out to be impossible.[19] This ties the access to an ulterior criminal purpose, distinguishing it from bare unauthorised entry and covering cases where access is a gateway to fraud or other harm without any modification of data.[19] Section 3, as enacted, criminalised unauthorised modification of the contents of any computer; as substituted by the Police and Justice Act 2006 it criminalises any unauthorised act in relation to a computer, done knowing it to be unauthorised, with intent to impair the operation of the computer, to prevent or hinder access to any program or data, or to impair the operation of any program or the reliability of any data, or with recklessness as to whether the act will do so.[20] An "act" includes a series of acts and causing an act to be done, for example introducing malware or altering code, and impairment may be temporary, so denial-of-service effects are covered without any permanent destruction.[20] Unlike the earlier reliance on criminal damage law, which analogised data alteration to damage to physical property and fitted poorly with intangible, readily copied digital material, section 3 directly criminalises functional disruption of computing processes, closing the doctrinal gap by protecting operational integrity rather than physical form.[20][21] These offences are set apart from civil remedies such as trespass to chattels by their requirement of knowledge that the access or act is unauthorised together with intent or recklessness; the Act as originally passed contained no public-interest or research exception.[22]

Penalties and Enforcement Mechanisms
The Act prescribes penalties scaled to the seriousness of the offence. As enacted, section 1 was triable only summarily, with a maximum of six months' imprisonment and/or a fine not exceeding level 5 on the standard scale, while sections 2 and 3 were triable either way, carrying on indictment up to five years' imprisonment and/or an unlimited fine and on summary conviction up to six months and/or a fine not exceeding the statutory maximum. The Police and Justice Act 2006 made section 1 triable either way with a maximum of two years on indictment, raised the section 3 maximum to ten years and added the section 3A offence of making, supplying or obtaining articles for use in computer misuse; the Serious Crime Act 2015 added section 3ZA, punishable by up to 14 years, or life where the act causes loss of life, serious injury or serious damage to national security. The tiered structure lets magistrates' courts deal with the less grave cases while reserving the heavier sentences for trial on indictment.

| Offence | Description | Maximum penalty as enacted (1990) | Maximum penalty on indictment as amended |
|---|---|---|---|
| Section 1 | Unauthorised access to computer material | Summary only: 6 months' imprisonment and/or level 5 fine | 2 years' imprisonment and/or unlimited fine (Police and Justice Act 2006) |
| Section 2 | Unauthorised access with intent to commit or facilitate further offences | 5 years' imprisonment and/or unlimited fine | 5 years' imprisonment and/or unlimited fine |
| Section 3 | Unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer (originally "unauthorised modification") | 5 years' imprisonment and/or unlimited fine | 10 years' imprisonment and/or unlimited fine (Police and Justice Act 2006) |
| Section 3ZA | Unauthorised acts causing, or creating a significant risk of, serious damage | Not in the 1990 Act | 14 years' imprisonment, or life where loss of life, serious injury or serious damage to national security results (Serious Crime Act 2015) |
| Section 3A | Making, supplying or obtaining articles for use in offences under section 1, 3 or 3ZA | Not in the 1990 Act | 2 years' imprisonment and/or unlimited fine (Police and Justice Act 2006) |