Parliament to consider APIG recommendations for an update to the Computer Misuse Act 1990.

United Kingdom

APIG Report on the Computer Misuse Act 1990 and other cybercrime issues

Introduction

The All Party Internet Group (APIG) has reported on the results of its inquiry into the Computer Misuse Act 1990 (CMA) and has made a number of recommendations to Parliament on an update to the CMA and on the issue of cybercrime generally.  

Background

The CMA was an early attempt by Parliament to impose criminal sanctions for a number of (previously legal) activities involving the misuse of a computer or computer software. 

The Act created three basic offences:

  1. Using a computer to secure, or with the intention of securing, unauthorised access to programs or data held on a computer (Section 1);
  2. Obtaining such access with a view to committing or facilitating a further serious criminal offence (one which can incur a sentence of more than 5 years in prison – e.g. fraud) (Section 2); and
  3. Causing an unauthorised modification of the contents of any computer which (a) impairs the operation of the computer, (b) prevents or hinders any access to software or data, or (c) impairs the operation of software or the reliability of data (Section 3).  

The person committing the offences must intend to commit the offence in question, although for the Section 3 offence that intent does not need to be directed at any particular computer, piece of software, or data (e.g. someone creating a virus).

The maximum sentence under the CMA is 6 months' imprisonment.

Although the CMA was drafted in the late 1980s, before the widespread use of the Internet began, the wording of the CMA's provisions is technology neutral and can be applied to nearly all "illegal" activities that involve the Internet today. For example, the wording of the Act criminalises such activities as: on or off-line hacking, virus creation and dissemination, phishing(1), and denial-of-service (DoS) attacks(2).

Very few prosecutions have been brought under the CMA since it was enacted. Various reasons have been suggested for this including: a lack of understanding of the scope of the CMA; the limited maximum sentence that can be applied; and a feeling that the judiciary view computer crime less seriously than other criminal activities.

As a result of increasing pressure on the Government to take a more pro-active role in dealing with increasing levels of cybercrime, in particular from financial institutions, IT industry interest groups, and the press, the Home Office has committed itself to a review of the CMA. 

The APIG announced in March of this year that it intended to carry out an inquiry into the CMA, stating that it saw the inquiry as a form of pre-legislative scrutiny, which it hoped the Home Office would take into account during its review.

The APIG received oral and written evidence from interested parties in April, after stating that it would focus on the following issues in particular:

  • Whether the CMA is broad enough to cover the criminality encountered today.
  • Whether the Act's generic definitions of computers and data have stood the test of time.
  • Whether the Act contains loopholes that need to be plugged.
  • What revisions may be needed to meet the UK's international treaty obligations.
  • Whether the level of penalties in the Act is sufficient to deter today's criminals.

The Report

The Report makes a number of key recommendations in relation to cybercrime. However, considering the size of the inquiry and the adverse responses received by APIG about the Act, there were only two recommendations for amendments to the CMA. These were:

  • Add a denial-of-service (DoS) offence to the CMA

APIG acknowledged that the CMA already makes many DoS attacks illegal, but thought that there would be significant value in adding an explicit offence to the legislation. In particular, they thought it would send a clear signal to the Police, CPS and the Courts that such attacks should be treated seriously.

In 2002, Lord Northesk introduced a private member's bill to update the CMA so that all DoS attacks would be illegal. Unfortunately, this ran out of parliamentary time and no update was made.

As a result of the APIG recommendation and the increased political and media interest in DoS attacks, the E-crime minister Caroline Flint recently announced that the Home Office would make an amendment to Section 3 of the CMA to specifically include DoS attacks.  

  • Increase the "tariff" for CMA Section 1 (hacking) offences from six months to two years

It was also recently announced that the Home Office was considering increasing the CMA's maximum sentence from six months to a higher figure. APIG's recommendation is that the maximum sentence for Section 1 offences be increased to two years, as it was thought this would be an adequate deterrent to would-be "hackers".

When the CMA was first drafted, the financial cost of hacking attempts was relatively low. However, the financial cost and impact on individuals of such hacking attempts today can be catastrophic. It was APIG's recommendation that the law should be updated to reflect this. 

The APIG report also set out some other "key recommendations" in relation to the CMA. These were:

  • Ensure that the Director of Public Prosecutions (DPP) sets out a permissive policy for private prosecutions under the CMA

Financial constraints and the high cost of expert evidence have, in some instances, made the CPS reluctant to take action against individuals for crimes under the CMA. Whilst this is often because those individuals are also being prosecuted for more serious (and easier to prove) crimes, there are inevitably some instances where suspects are not prosecuted at all, even when the victims of an attack suffer losses.

If APIG's recommendation is followed, and private prosecutions become easier to undertake, then this would allow private companies to take action where the CPS chooses not to act. 

  • Provide educational material about the CMA on the Home Office Website

Some of the evidence submitted to APIG's inquiry showed what APIG described as "a remarkable misunderstanding of what the CMA already criminalized". To ensure a greater understanding of the provisions of the CMA, it was therefore suggested that the Home Office website be used to provide a detailed guide on what offences the CMA created.

  • Improve information on cybercrime by use of statistical sampling

APIG noted that it was difficult for the Government to form policy decisions on cybercrime because there was very little statistical evidence on which to base that policy. The report therefore called for statistical sampling to take place in order to estimate the overall incidence of cybercrime. It also called for the National Office of Statistics to include all cybercrime activities in their monthly and quarterly figures.

The biggest problem in carrying out any statistical analysis on cybercrime is that the majority of incidents are not reported. However, if the APIG recommendations are carried out and general knowledge and understanding of the provisions of the CMA improves, then more crimes will be reported to the police. This will increase the number of incidents reported and allow statistical analysis to take place.

  • Introduce a new Fraud Bill

In carrying out its inquiry, APIG received a number of responses which it felt could be best dealt with by reforming the law on fraud. One such area was phishing(1), where it was thought that the actual act of tricking a person into revealing their details was more closely linked to fraud than cybercrime. It was recommended that the Government deal with those responses when it considers the 2002 Law Commission report on Fraud.

Comment

The most interesting aspect of the APIG report is the lack of proposed amendments to the CMA. The CMA has been widely and publicly criticised for failing to address cybercrime effectively, yet APIG was unable to find many activities thought of as being "illegal" that were not covered by the Act's provisions. The existing wording of the Act even covers the majority of DoS attacks, which APIG highlighted as an area in need of development.

The CMA, as it currently stands, is technology neutral and its provisions are undefined, giving the Courts the opportunity to be flexible and interpret the provisions widely. However, the Courts have yet to take this opportunity, and have been slow in dealing with the issue of cybercrime.

If the APIG Report's recommendations for greater statistical analysis and public education on the provisions of the CMA are taken on board by the Government, this could have the dual effect of increasing the Courts' awareness of the issue and deterring would-be cyber-criminals from carrying out illegal activities.

Footnotes:

  1. e.g. tricking on-line bank customers into giving out their details and using those details to access accounts. Although the CMA may not cover the actual act of phishing (i.e. obtaining the bank details), the subsequent use of those details is covered.
  2. e.g. hacking into a computer (or a computer system) with the intention of causing that computer to crash or hang – or otherwise preventing the service that computer provides from taking place. One area where there is some confusion as to whether the CMA would apply is a DoS attack where the attacker causes an overload of (otherwise legal) data on the victim's systems (i.e. causing thousands of information request forms to be sent from the website) – as the attacker is not causing an unauthorised modification of the contents of the computer being attacked, it is possible that the CMA would not apply.