The act is often used to prosecute cyber criminals that fall foul of its rules. Common offences charged under the act include hacking, harvesting data and unauthorised encryption of data which usually occurs during extortion campaigns such as ransomware.
Like many laws in the UK in need of a refresh to keep up with societal changes and advancements, the Computer Misuse Act has undergone a few amendments, the most significant of which was the amendment made in 2015 which changed it in order to adhere to the Serious Crime Act 2015.
This amendment changed how the search and seizure process of computers believed to be involved in cyber crime was carried out, and also a few other things.
The penalty for breaking the law was changed to 14 years imprisonment, a large fine, or both depending on the severity of the offence. If the offence posed a risk to national security, such as a Snowden-esque leaking of secret MI6 files, or could cause social jeopardy the fine rises to life imprisonment.
Another amendment to the act allowed any UK national to be charged under it anywhere in the world whereas prior to the 2015 amendment, a UK national could only be charged under it in the UK.
This amendment was exercised earlier this year when a British man was sentenced for carrying out a cyber attack which wiped out an entire country's internet for longer than a day, a feat thought to be a world's first.
Law surrounding this type of nefarious behaviour became necessary after a case in 1984 which saw journalists Robert Schifreen and Stephen Gold break into BT's Prestel service in order to access data inside the Duke of Edinburgh's email account, using just a router and a PC.
Schifreen and Gold were initially charged under the Forgery and Counterfeiting Act 1981, but were later acquitted when a High Court appeal ruled that because no data was stolen, no crime had been committed. The case naturally caused alarm as there was no provision in English law to adequately deal with the crime in question, despite the severity of the incident.
It was therefore decided that, as a direct result of the case, a new act would be introduced to address the changing technology landscape and to deter criminals from accessing systems without authorisation.
Computer Misuse Act penalties
There are three levels of penalty if you are prosecuted under the Computer Misuse Act and they are applied according to the crime and severity of the act.
The lowest-level of penalty is applied if you are found guilty of gaining access to a computer without permission (or officially known as “unauthorised access to a computer”). This crime holds a penalty of up to two years in prison and a £5,000 fine.
If you gain access to a computer without permission in order to steal data or take part in another crime, such as using that data to commit fraud, you will receive a sentence of up to 10 years in prison and can receive a fine of unlimited amounts, depending on the severity of the crime and damaged caused.
If you modify the content of a computer or provide the tools so others can do so (for example, if you distribute malware with the intent to destroy or change the contents of a computer, you can receive a prison sentence of up to ten years alongside an unlimited fine.
If this potential damage extends to creating serious damage that puts human life or national security in danger, the sentence could be up to life imprisonment.
Computer Misuse Act expansion and controversy
The original Computer Misuse Act was developed at a time when computers were a fairly new and limited concept. Therefore, it didn't penalise much more than using a computer in a potentially malicious way. However, technology has vastly moved on in the last 30 years and has been adapted to cover computer misuse in various forms to cover a wider range of criminal acts.
For example, section 37 of the Police and Justice Act of 2006 has been inserted into the legislation. Known as section 3A of the Computer Misuse Act, this stipulates that making, supplying or obtaining articles for use in computer misuse is a criminal activity.
It means that any hacking tools or exploits, such as those used by legitimate security hackers (ie., those attempting to hack into software and networks to expose and fix vulnerabilities) could potentially are considered to be illegal, even though they could be used for the greater good. Of course, if such activities were to be presented in a court of law, it's likely the judge would take into account how the tools were being used and the case would be thrown out, but it may lead to some unnecessary court appearances nonetheless.
Another new amendment to the Computer Misuse Act 1990 was 2015's addition that states police and intelligence personnel are immune from the existing cybercrime legislation. Although this makes it easier for investigators to uncover criminals using computer intelligence without being investigated themselves. However, Privacy International was concerned that this immunity could be abused and that not enough checks and balances were in place.
How effective is the Computer Misuse Act?
Although the Computer Misuse Act aims to crack down on the number of computer-related crimes, it would seem some hackers and others on the dark side of the law are now walking free after committing unlawful activities.
The number of individuals prosecuted under the terms of the Computer Misuse Act actually went down 18% between 2016 and 2017, falling from 57 down to 47 in 12 months. However, law firm RPC said the threat of cybercrimes is actually growing and estimates there were 1.7 million cyber-related crimes in the same period.
This is because although the law exists to prosecute individuals committing such crimes, police resources are not available to investigate every incident properly and so criminals are getting away without a thorough investigation.
“Police forces are doing their best with the resources they have but the scale of the problem means businesses cannot necessarily rely on the police to really help them when there is a cybercrime," said Richard Breavington, Partner at RPC.
“There will have to be some radical changes before businesses can start depending on the law enforcement agencies rather than private industry, including insurance, to help them if they have suffered from a cybercrime.”
See the Computer Misuse act in full.