The Computer Misuse Act 1990

This document, an adaptation of one produced by Brunel University, consists of a discussion of the Computer Misuse Act, by Detective Inspector Michael Gorrill of the Greater Manchester Police Commercial Fraud Squad.

Minimal adaptation has been done to remove text which was "Brunel-specific".

Computer Misuse Act 1990

Introduction

The Computer Misuse Act 1990 has now reached the statute book, and it contains several new offences. It is important to discuss the responsibilities of students and staff relative to these offences.

It should be noted that I am unable to provide hard and fast guidelines, mainly because the Act is relatively new and has yet to be put to the test in the Courts. I hope that I will be able to steer staff and students alike away from the more obvious pitfalls. It is worth emphasising that whilst the three offences are not the most serious in British law, each offence is punishable by a period of imprisonment.

Section 2 and Section 3 offences are what are termed "arrestable offences" and an individual may be arrested without warrant by a police officer if the police officer has reasonable suspicion that they have committed that offence. These offences are more serious than the Section 1 offence.

Background

The Computer Misuse Act was created following some controversy in the mid to late nineteen eighties. At this time, hacking was not an offence and the hacker was relatively free to attempt to break into computer systems, if he or she had the intellect to bypass the various security measures employed by the system owners. Whilst hackers may have been viewed as a minor irritation, some were becoming more daring and others downright mischievous. Damage to data was being caused and there was perhaps an understandable concern that hacking could develop into something much more serious as computerisation became more prominent within society. The seeming inability of current legislation to cope with hackers was highlighted by a number of failed prosecutions.

The Duke of Edinburgh's mailbox

A notable case was that of two men named Gold and Shifreen, who were convicted at Southwark Crown Court in April 1986 of offences of forgery under the Forgery and Counterfeiting Act of 1981.

The two men had hacked into the British Telecom Prestel account and gained access to all the Customer Identification numbers. They left a number of messages in the Duke of Edinburgh’s private mailbox. Neither of the men was attempting to gain from his tour of Prestel, but they later said that they simply wished to demonstrate their skills by the access they gained. The offence with which they were charged is of interest today, because of its obvious inappropriateness for dealing adequately with the hacker. The exact offence with which they were charged was: "making a false instrument, namely a device on or in which information is recorded or stored by electronic means with the intention of using it to induce the Prestel computer to accept it as genuine and by reason of so accepting it to do an act to the prejudice of British Telecommunications plc"

The prosecution had to prove that the two men made a false instrument. There were two possible candidates for the role, the electronic impulses and the user segment. The trial Judge in his ruling said:

"...the defendant here made a series of electrical impulses which arrive at, affect and operate on what is called a user segment. These impulses are recorded or stored albeit for a limited period only ... by section 9(2) an instrument is sufficient and here there was, as I see it, an alteration to a user segment."

The two men were convicted and later appealed to the High Court. Their appeal was upheld by Lord Lane, Lord Chief Justice, who said that the Forgery Act was not intended for computer misuse offences. The problem was that the machine was the "deceived" and the "false instrument" at the same time. Normally in a forgery case it was necessary to prove that some person was deceived. In this case the machine was both instrument and deceived entity.

Birth of the Act

This was clearly an area where new and appropriate legislation was required. A Royal Commission was set up to look at the whole area of computer misuse. As a result of the findings and recommendations of the Commission, the Computer Misuse Act 1990 was enacted.

Computer Misuse Act 1990 - computer misuse offences

The Act contains three main offences which are categorised under the following Sections:

Section 1

1(1)	A person is guilty of an offence if
a)	he causes a computer to perform any function with intent to secure access to any program or data held in a computer
b)	the access he intends to secure is unauthorised
or
c)	he knows at the time when he causes the computer to perform the function that this is the case.
1(2)	The intent a person has to commit an offence under this section need not be directed at
a)	any particular program or data
b)	a program or data of any particular kind
or
c)	a program or data held in any particular computer.
1(3)	A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or both.

Section 2

2(1)	A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent
a)	to commit an offence to which this section applies
or
b)	to facilitate the commission of such an offence (whether by himself or by any other person)
and the offence he intends to commit or facilitate is referred to below in this section as the further offence.
2(2)	This section applies to offences
a)	for which the sentence is fixed by law
or
b)	for which a person of twenty one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980).
2(5)	A person guilty of an offence under this section shall be liable
a)	on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or both
and
b)	on conviction on indictment, to imprisonment for a term not exceeding five years, or to a fine, or both.

Section 3

3(1)	A person is guilty of an offence if
a)	he does any act which causes the unauthorised modification of the contents of any computer
and
b)	at the time when he does the act he has the requisite intent and the requisite knowledge.
3(2)	For the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
a)	to impair the operation of any computer
b)	to prevent or hinder access to any program or data held in any computer
or
c)	to impair the operation of any such program or the reliability of any such data.
3(3)	The intent need not be directed at
a)	any particular computer
b)	any particular program or data or a program or data of any particular kind
or
c)	any particular modification or a modification of any particular kind.
3(4)	For the purpose of subsection 1b above, the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
3(5)	It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

Discussion

The Computer Misuse Act was created to prevent unauthorised access to computer systems and also to deter the more criminal elements in society from using a computer to assist in the commission of a criminal offence or from impairing or hindering access to data stored in a computer.

The section 2 and 3 offences, like many serious criminal offences, require an intent on behalf of the offender. Individuals committing those offences are clearly entering into the criminal arena and it would be difficult for them to claim that they did not believe that they were doing anything wrong.

Ignoring, for the moment, the more serious Section 2 and 3 offences, the Section 1 offence may be problematic for college staff and students alike. The police are often asked to advise college staff and systems managers about their responsibilities should they become aware of a Section 1 offence being committed. It is very difficult for the police to provide any kind of framework in this area, especially when it is clear that college authorities appear to be dealing with unauthorised access as a disciplinary matter and providing their own internal college sanctions. It is my view that internal disciplinary sanctions are more than likely appropriate. However, it may be worthwhile, when considering the action to be taken, to seek advice from your local police fraud squad.

There are obviously differing degrees of seriousness dependent upon the individual circumstances. If you believe that there is some evidence that an individual is gaining unauthorised access in an attempt to commit Section 2 or 3 offences then we strongly recommend that the facts are reported to the police. In the long term this may be in everyone's best interests.

Dealing again mainly with Section 1 offences, unauthorised access, students should be aware that this is an offence which could ultimately lead to a period of imprisonment. It should be borne in mind that giving your user id and password for your college system to a friend or acquaintance who is not an authorised user may well lead to a court appearance, should a complaint be made to the police by the college authorities.

Furthermore, exploration within a system to which you have authorised access could also put you in jeopardy. If there is a hierarchy of privilege in your system, you must bear in mind the wording of the Section 1 offence if you are considering entry to parts of the system for which you do not have the requisite privileges.

In fairness, the ramifications of unauthorised access by students or staff should be well advertised. There should not be any equivocation or ambiguity about the access to which an individual is allowed. As a student you should not have any doubts about what your authorisation allows. If your college rules are not readily accessible or are in any way vague or unclear you should protest to the appropriate authority.

It would be worth considering forming a user group, consisting of students and staff to formulate policy in respect of computer misuse. The more "users" are involved in the group, the more likely the necessary information will be circulated to all those likely to be affected.

In conclusion, prevention in this area is almost certainly better than the cure. The parameters for use of college systems should be made clear as should the likely action which may be taken against those who transgress. Also, students should be able to seek advice if they are unsure about what they are or are not authorised to do on a college system.

Detective Inspector Michael Gorrill, Greater Manchester Police Commercial Fraud Squad


This html document came to me via the homepage of coldfire@paranoia.com - Cheers.