The UK Computer Misuse Act 1990: Your Essential Guide

In tech terms, 1990 seems like ancient history. So why do you need to know about an Act of Parliament that’s older even than the first ever web browser?

Here’s the reason: if you find yourself on the wrong end of the law for any one of an extremely wide range of activities, from delivering a malware payload right down to some seemingly “innocent” snooping, the Computer Misuse Act (CMA 1990) is almost certainly the law that you’ll see on the charge sheet.

It’s hardly the wordiest piece of legislation on the statute book (originally, it consisted of just three offences). But the fact that it’s written in such general terms has helped it to stand the test of time. Over the years, we’ve seen a steady flow of court rulings aimed at trying to keep CMA 1990 fit-for-purpose; two additional offences have been added – and it’s attracted more than its fair share of controversy.

So what does it cover – and what should you be wary of? Here’s the lowdown…

CMA 1990: the five offences

These are as follows:

Section 1: Unauthorised access to computer material

A person is guilty of an offence under this section if: 

A. He causes a computer to perform any function with intent to secure access to any program or data held in any computer;

B. The access he intends to secure is unauthorised; and

C. He knows at the time when he causes the computer to perform the function that this is the case.

What it means:

Merely accessing a program or data on a computer without authorisation is a criminal offence. There doesn’t have to be any actual harm for a conviction – and neither does there need to be the intention to cause harm.

PENALTIES: a fine up to a maximum of £2,000 and/or a maximum six months imprisonment.

Section 2: Unauthorised access with intent to commit further offences

This section applies if a person has gained unauthorised access under section 1 where there is intent:

A. To commit an offence to which this section applies; or

B. To facilitate the commission of such an offence (whether by himself or any other person).

What it means:

The next step up from Section 1, this part of the Act makes it a criminal offence to access a computer without authorisation where there is INTENT TO COMMIT (or facilitate the commission of) a further crime. It’s all about intent: a conviction could still apply if the individual does not, in fact, go on to commit the further offence – or even if it turns out that it would have been impossible to commit that further offence.

PENALTIES: for a summary conviction (i.e. in the Magistrates’ Court), six months imprisonment and a fine not exceeding the statutory maximum. On indictment (Crown Court): maximum imprisonment up to five years and/or a fine (depending on the nature of the relevant ‘further offence’).

Section 3: Unauthorised acts with intent to impair

This applies where the individual:

A. Does any unauthorised act which causes an unauthorised modification of any computer;

B. At the time when he does the act, knows it to be unauthorised; and

C. By doing the act, intends to impair the operation of that computer, whether by hindering access to any program or data held in a computer or by impairing the operation of any such program or the reliability of any such data.

What it means:

Notice that this section only requires there to be an unauthorised act in relation to a computer; there does not necessarily have to be unauthorised access to a specific program or data (although clearly, both of these situations would be covered). It covers distributors of malware for every system that malware infects. It also covers situations where the individual is reckless as to the risk of damage or impairment. This recklessness is not confined to any particular computer, program or data: in other words, to be convicted under this offence, prosecutors only need show that the individual either intended or was reckless to the likelihood of damage or impairment of operation – of any computer.

PENALTIES: Up to five years maximum imprisonment and unlimited fines.

Section 3ZA: Unauthorised acts causing or creating risk of serious damage

Added to CMA 1990 under the Serious Crime Act 2015, this section is essentially aimed at those who seek to attack critical national infrastructure.

An offence arises if all of the following occur:

A. the person does any unauthorised act in relation to a computer;

B. at the time of doing the act, the person knows that it is unauthorised;

C. the act causes, or creates significant risk of, serious damage of a material kind; and

D. the person intends to cause serious damage of a material kind, or is reckless as to whether such damage is caused.

Damage is defined as: (a) loss to human life; (b) human illness or injury; (c) disruption of a supply of money, food, water, energy or fuel; (d) disruption of a system of communication; (e) disruption of facilities for transport; or (f) disruption of services relating to health.

What it means:

It’s clearly geared towards serious threat actors. That said, it’s still a relatively new provision so it remains to be seen how exactly the powers that be will put it to work. Ethical hackers whose favourite targets include governmental agencies need to be especially careful. If an individual gains unauthorised access and was merely reckless to the risk of serious damage – even if that damage did not in fact occur – there’s the risk of a conviction under this section.

PENALTIES: up to 14 years and/or a fine; unless the offence caused or created significant risk to human welfare or national security – in which case there is a maximum life sentence.

Section 3A: Making, supplying or obtaining articles for use in an offence under Section 1, 3 or 3ZA

In its original wording, CMA 1990 didn’t do nearly enough to deal with the makers, suppliers and receivers of malware packages and various other “tools of the trade” put to work by hackers. This was the lawmakers’ attempt to address that inadequacy…

A person is guilty of an offence if he:

A. Makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence contained elsewhere in the Act; or

B. Supplies or offers to supply any article believing that it is likely to be used to commit or to assist in the commission of an offence contained elsewhere in the Act.

Likewise, the recipient of such an item is guilty of an offence if he obtains it intending for it to be used in the commission of an offence or with the intention of re-supplying it as such.

What it means:

It’s clearly designed to catch the creators, distributors and users of malware and other damaging tools. But note the use of the word “likely” in the section. Let’s say you’ve developed a testing tool designed primarily for companies to stress-test their systems. Yet you make it widely available – including to those who are likely to use it in a damaging way. The message is clear: the more potentially dangerous the tool, the greater the care you need to exercise in controlling and limiting distribution.

PENALTIES: fines and imprisonment of up to two years.

Examples:

Who gets caught – and under which part of the Act? Here are some examples…

  • You guess someone’s password, use it to gain access to their phone, tablet or desktop. You then download their photos (Section 1).
  • Your employer has clear rules in place about who can access what across the company’s system. You deliberately bypass these to read your manager’s emails (Section 1).
  • You access someone’s online bank account with the intention of stealing cash. It turns out that the account is empty (Section 2).
  • For fun, you use a booting tool to knock your neighbour from his online game (Section 3).
  • You gain access to a police database ‘to have a look around’. You don’t give thought to the potential consequences in terms of public safety or national security (Section 3ZA).
  • You’ve just come up with a nifty spyware packet. Someone wants to buy it – and that person doesn’t seem to be part of the community of IT security professionals (Section 3A).

Take care – and avoid sleepwalking towards a conviction!

  • Brian Wood says:

    Thanks for the info. So from this I gather that to use any skills obtained in your White Hat Hackers Courses, you need permission from whoever owns the system you are trying to test before you try anything.

    • Nathan House says:

      Absolutely! The scope should be clearly defined and a contract signed for any professional pen test. Also make sure whoever owns the infrastructure is good with it too.

  • Bernie Woolfrey says:

    Thanks for the blog post.

    I wonder how 3A, especially:

    “B. supplies or offers to supply any article believing that it is likely to be used to commit or to assist in the commission of an offence contained elsewhere in the Act”

    affects contributors or supporters of tools like Metasploit?

    • Nathan House says:

      It’s a gray area. It’s not been used that way so far. The contributor would argue it was developed for legal and ethical hacking.

  • Emma says:

    What if someone supplies you their password and you use their privileges to obtain data which you are unauthorised to access? Which section would this come under?

  • Iqa says:

    Hi, nice sharing. But may I ask for further explanation with regard to section 3ZA? I don’t really get it. If a crime is committed on the Dark Web, such as selling drugs and firearms, can the perpetrator be charged under this section? Thank you.
