Computer Misuse Offences

The Computer Misuse Act created three new offences in response to the Law Commission Working Paper No. 186, on Criminal Law: Computer Misuse (Cm 819), published in October 1989.

Even before the Act, dishonest computer activities were quite well-covered by the criminal law, and in particular by theft, and related offences.

A common type of computer fraud involves gaining unauthorized access in order to transfer funds to one's own account, or that of a friend. Another common variety is to use a forged bank card to obtain money from a cash dispenser. Because only the computer is deceived, it is probable that neither of these activities amounts to obtaining property by deception, since there is authority that that offence requires deception of a human mind. Nevertheless, it is clear that this type of fraud has always constituted theft.

Computers can also be used to commit the offence of blackmail, for example where a computer virus is introduced to a system (for example a time bomb, whose purpose is to corrupt or delete stored information after the lapse of a period of time), accompanied later by threats that some or all the files on the system will be corrupted unless a sum of money is paid into a particular account. Such a virus may be introduced directly by a hacker, or simply distributed as part of a software package. If the system is in fact corrupted by a virus, or directly by an unauthorized user, the offence of criminal damage may also be committed. In Cox v Riley (1986) 83 Crim App Rep 54, a disgruntled employee who erased programs on a printed circuit card belonging to his employer was held to have damaged the card, even though no physical damage had occurred.

There is also a range of other offences under the general criminal law, which may be committed by unauthorized computer users. Examples are theft of electricity, false accounting and suppression of documents. A hacker who obtains unauthorized access to and copies information from a computer storage system may also infringe the law of copyright (but confidential information is not property, and so cannot be the subject matter of theft).

Nevertheless, perhaps because computer misuse was estimated to cost UK industry over £400 million annually, it was felt that the pre-existing law was inadequate in a number of respects. In ...

This is a preview of the whole essay

Nevertheless, perhaps because computer misuse was estimated to cost UK industry over £400 million annually, it was felt that the pre-existing law was inadequate in a number of respects. In particular, hacking was not a criminal offence, and while unauthorized users may well, in using the computer, commits other offences, there were greater evidential difficulties in prosecuting such offences than in the case of non-computer crime. Nor was the deliberate creation of computer viruses a criminal offence.

The least serious new offence, to be found in s. 1 of the Act, makes hacking criminal, whether or not any harm is intended. Thus, even hacking out of curiosity, of for the challenge of breaking through a security system, is covered, so long as the hacker is aware that his access is unauthorized. The offence is triable summarily, and is punishable by a maximum of six months' imprisonment and/or £2,000 fine.

While s. 1 is aimed at unauthorized access, it is not necessary actually to gain access, attempted accessing also falling within the section. It is necessary only to cause ‘a computer to perform any function with intent to secure access’, so that, for example, an attempt to log on, which is rejected by the computer, falls within the section. The hacker who programs his computer to search through every possible password is therefore caught, whether or not his or her attempts at accessing are successful. Mere surveillance of data displayed on a VDU is outside the scope of the section, however, even where sophisticated electronic equipment is used, which can monitor from a distance radiation signals emitted from computers ‘electronic eavesdropping’.

The far more serious s. 2 offence, which is triable either way and carries a maximum penalty of five years' imprisonment and/or unlimited fine, is committed by committing the s. 1 unauthorized access offence, with intent to commit another offence, defined in s. 2(2) by criteria which are identical to those for an arrestable offence under the Police and Criminal Evidence Act 1984. Thus, for example, the hacker who gains (or attempts to gain) access to a banking computer system with intent to transfer funds from another account into his or her own account is caught by this section. If the funds are actually transferred, then he or she will of course also be guilty of theft. Another possibility would be committing the s. 1 offence with intent to obtain confidential and personal information in order to commit blackmail. In each case the s. 2 offence is committed as soon as the hacker 'causes a computer to perform any function' with the requisite intent. This could be long before the offences respectively of attempted theft and attempted blackmail are committed.

The s. 3 offence, which carries the same maximum penalty as s. 2, is aimed at those who introduce worms and viruses to computer systems. If the physical condition of the computer is impaired, whether intentionally or recklessly, an offence under the Criminal Damage Act 1971 may also be committed. Section 3 covers non-tangible damage, which is now (by s. 3(6) expressly excluded from the Criminal Damage Act, but intention is required (as defined in s. 3(2)-(4). Recklessness is not sufficient.

As explained above, the removal of Criminal Damage Act liability by s. 3(6), except where the computer is physically damaged, probably represents a change in the law.

An omission from s. 3 is that it does not, at any rate directly, cover the professional virus writer, who does not directly introduce viruses on to computer systems, but distributes them in book, or other printed form. He or she may possibly be guilty of incitement to commit an offence under s. 3, however.

Craig Lloyd