Computer misuse

The Computer Misuse Act (CMA) is the piece of UK law that deals with the legality of how people interact with computers.

Before it, even though it was clear that someone accessing a computer without permission, for example, was wrong, it wasn’t easy to work out which bit of law actually applied.

The case that is cited as the trigger for the Computer Misuse Act is that of the journalists who used BT systems to gain access to the mailbox of Prince Philip in the mid 1980s.

The system they accessed was called Prestel. It allowed access to a hierarchical set of pages using a BBC Micro or some kind of television. Anyone who remembers or has seen Ceefax will recognise the technology of the era.

PRESTEL Page 58a<br>GOVERNMENT INFORMATION 1. GUIDE TO GOVERNMENT SERVICES (COI) 2 PARLIAMENT 3. GOVERNMENT DEPARTMENTS WITH INFORMATION ON PRESTEL

Journalists Robert Schifreen and Stephen Gold discovered the log-in details of an account on the Prestel by watching what an engineer typed in to their terminal. They logged in and explored the system, managing to find details of accounts belonging to other people, including members of the royal family.

British Telecom discovered the unauthorised use and the pair were charged. At the time, there was no UK law that covered their activities exactly, so they were charged with manufacturing a ‘false instrument’ under the Forgery and Counterfeiting Act 1981. The argument was that by entering their unauthorised commands into the Pentel system, they had changed its internal state and somehow created something that infringed on the intellectual property of British Telecom.

They were fined less than £1,500, but the case highlighted two things: one, that British Telecom had not taken security seriously (the username and password were 2222222222 and 1234 respectively) and the second that the law being applied did not quite fit the situation.

Schifreen and Gold appealed the finding on that second point and it was upheld. Lord Justice Brandon said:

…we have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury, which we would not wish to see repeated. The appellants’ conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.

(Regina v Gold and Schifreen 1987)

This led to the creation of the Computer Misuse Act, which set out three offences:

  1. Unauthorised access to computer material
  2. Unauthorised access with intent to commit or facilitate commission of further offences
  3. Unauthorised modification of computer material

The punishment, in terms of fines and prison sentences, was also laid out. Since then, these three offences remain in subsequent revisions of the act, although the fines and prison terms have changed. Two additional offences have also been added. At the time this article was written (May 2019), the list of offences is:

  1. Unauthorised access to computer material
  2. Unauthorised access with intent to commit or facilitate commission of further offences
  3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc
  4. Unauthorised acts causing, or creating risk of, serious damage
  5. Making, supplying or obtaining articles for use in offence

References

Legislation.gov.uk (1990) Computer Misuse Act 1990 [online] available from https://www.legislation.gov.uk/ukpga/1990/18 [31 July 2019]

Legislation.gov.uk (1981) Forgery and Counterfeiting Act 1981 [online] available from http://www.legislation.gov.uk/ukpga/1981/45 [31 July 2019]

Regina v Gold and Schifreen [1987] Q.B. 1116

Share this article:

This article is from the free online course:

The Internet of Things: The Rise of Connected Devices

Coventry University