2.3 The Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 (CMA) is one of the most influential pieces of legislation relating to computers. It has been updated and amended by a number of other acts:
- Criminal Justice and Public Order Act 1994
- Criminal Justice (Terrorism and Conspiracy) Act 1998
- Police and Justice Act 2006
- Serious Crime Act 2015
It has been the inspiration for similar laws being introduced in other countries.
The CMA came about, in part, because of a 1988 case where two hackers broke into the British Telecom Prestel network and obtained access to user accounts including that of Prince Philip.
Prestel was a text-based interactive information system developed by the UK Post Office in the late 1970s. Users could browse numbered pages of text (similar to the contemporaneous Ceefax and Teletext information services) on their television as well as send electronic messages to other Prestel users. Prestel services were expensive and the system did not become widely used, although Prestel technology was sold to many other telecom companies. Prestel was gradually sold off in the early 1990s as the internet became available to domestic users.
The two hackers were originally tried and convicted under a law concerned with forgery and counterfeiting, but the conviction was overturned by higher courts who concluded that the Forgery and Counterfeiting Act 1981 had never been intended to be used for this purpose. This led the majority of legal experts to conclude that hacking was not actually illegal in Britain at the time.
The CMA was drawn up hurriedly and was criticised at the time for not being adequately scrutinised, but its central aims have stood the test of time. The original Act introduced three new criminal offences:
- unauthorised access to computer materials
- unauthorised access with intent of committing or aiding further offences
- unauthorised modification of computer material.
Note that ‘unauthorised’ in this context means that the attacker must be aware that they are not intended to use the computer in question. So using another person’s account details, or breaking in to a computer by a password attack are clearly unauthorised use of the computer.
The CMA has been amended a number of times to cover new offences including denial-of-access or denial-of-service to legitimate users (making denial-of-service attacks a criminal offence in the UK), and criminalising the creation and supply of software and hardware that might aid an attack on a computer. This not only criminalises the development of programs designed to break passwords or the development of certain types of malware, but it could potentially criminalise tools used by forensics experts to investigate computer systems which can be abused by attackers.
The CMA has been successfully used in a wide range of criminal cases including denial-of-service attacks against Kent Police, Oxford University, the United States Air Force, the CIA, Sony and Nintendo; fraudulent activities in online games; illegal access and disclosure of confidential emails and personal information; theft from online banks; stalking; hoax calls to emergency telephone numbers and piracy.
The next act you’ll find out about is The Fraud Act.