IP, Technology & Data

I’m sure I can’t be the only person who was surprised that an in-house lawyer at a national newspaper group was unaware of the Computer Misuse Act, and presumed that the only offence which might be triggered by a journalist hacking into someone’s email account is the “blagging” offence under the Data Protection Act (DPA).

So, never being one to miss a (#iPad, #iPhone, #Apple, #Android, #iPad) SEO friendly news story, here is the Brodies TechBlog Quick Guide To The Computer Misuse Act.

What does the Act say?
The Computer Misuse Act (CMA) was passed in 1990, following a long-running, but ultimately unsuccessful attempt to prosecute two people that hacked into BT’s systems in the early 1980s.

The main offence is section 1. Here’s what it says:

A person is guilty of an offence if—

    • (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
    • (b) the access he intends to secure, or to enable to be secured, is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

This is quite a wide-ranging offence and covers not just systematic hacking (for example, using software to try multiple passwords), but also the unauthorised use of someone’s log-in details (where the hacker knows the user’s password) or an employee’s attempt to access systems to which he has not been given access.

The only requirement is that the person perpetrating the offence knows that his access is unauthorised. This is why you often see notices about unauthorised access when presented with a login screen on a computer (for example, my laptop displays a message when it boots to the hardware encryption password screen), and why employee IT acceptable use policies put the employee in notice about unauthorised system access.

Whilst the offence covers damage or destruction of data, there is no need for any damage to be caused, or data “stolen”. So, for example, it is an offence to use someone else’s username and password to gain unauthorised access to their web-based email system or social networking page.

However, there is a distinction between unauthorised access and use of permitted access for unauthorised purposes. So no offence is committed where a user is authorised to access a system, but uses the data for a purpose that is not authorised.

As Mr Brett found out sadly a little late in the day, unlike the blagging offence under the DPA, there is no public interest defence under the CMA.

Denial of Service Attacks
The CMA also prohibits denial of service attacks, and the malicious spreading of viruses, Trojan horses and other malware.

Whilst this was not covered by the original legislation, the Act was amended in 2006, to make it clear that doing such things was an offence.

You can read John’s previous blog (in relation to the Wikileaks incident a couple of years ago) to find out more about this offence.

Does the law cover mobile phones?
The CMA does not define a “computer”.

With remarkable foresight (given that the CMA was passed in 1990), Parliament decided that it would be foolhardy to include a fixed definition. It has therefore been left to the courts to interpret.

The Crown Prosecution Service guidance points to a House of Lords case where Lord Hoffman defined a computer as “a device for storing, processing and retrieving information”. This definition would appear quite capable of covering smartphones and other devices. I have even heard it argued that it may cover Internet connected fridges.

Indeed, as Professor Lilian Edwards points out, the breadth of this definition means that even unauthorised access to voicemails is likely to be an offence under the CMA.

An offence occurs where either the individual perpetrating the unauthorised access or the target computer/system is located in the UK. So if I were to hack into the Pentagon’s computers in the US, I would be committing an offence. Similarly, if someone in America was to hack into Brodies’ servers, they too would be committing an offence under the Act.

This means that the jurisdiction provisions stand up pretty well to offshore hosted cloud services – provided the person committing the hacking is in the UK.

So there you have it. Unauthorised access to someone’s email account is a criminal offence, and not one that can be justified as being in the public interest.

Follow me

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.
Follow me