
What is the Computer Misuse Act?

If your computer systems are attacked, is the law effective enough to put those criminals behind bars?


With the use and distribution of personal computers exploding over the last few decades, legislators have been keen to establish laws that govern how digitally stored information is protected. This is especially pertinent given the increasing role that computers and such devices have played in business contexts, with critical and sensitive information often stored and processed locally on these machines.

The Computer Misuse Act (CMA) was passed in 1990 as the law governing how individuals may lawfully access data held on a computer. Crucially, it criminalised unauthorised access to computer material and the unauthorised modification of stored data. The legislation was prompted by the case of R v Gold and Schifreen, which began in 1984 and ended in the House of Lords in 1988, in which two hackers obtained the login details of a BT engineer at a trade show and used them to access BT’s Prestel service remotely.

Using a technique called shoulder surfing, they watched the engineer type his credentials and then used them to log in to the service. Once inside, they located the Prestel mailbox of the late Duke of Edinburgh as a demonstration of how far they could go. BT monitored the account they were using, passed details of the suspicious activity to the authorities, and the pair were convicted under the Forgery and Counterfeiting Act 1981. The convictions were overturned on appeal, however, because the credentials they had typed in could not be treated as a forged "instrument" within the meaning of that Act; the legislation had simply not been written with computers in mind.

The case exposed a clear gap in the law: no legislation defined acceptable and unacceptable behaviour with regard to computer systems. Businesses in particular wanted legal backing, given the growing amount of data being kept in digital form.

This ushered in the CMA 1990, which has since been updated several times to reflect continued changes in technology and cyber security. The most significant update came in 2015, although many now believe the law is out of date, and that an entirely new piece of legislation is required to keep up with the times.

Computer Misuse Act penalties

The Computer Misuse Act defines several offences, and the maximum penalty depends on which offence is charged and the severity of the act.

The lowest level of penalty applies if you are found guilty of gaining access to a computer without permission (officially "unauthorised access to computer material", Section 1). This carries a maximum of two years in prison on indictment and a fine. The £5,000 figure often quoted alongside it was the statutory maximum for a fine imposed by a magistrates' court in England and Wales, a cap that was removed in 2015.

If you gain access without permission in order to commit or facilitate a further offence, such as using stolen data to commit fraud (Section 2), the maximum sentence rises to five years in prison and an unlimited fine, depending on the severity of the crime and the damage caused, although intent can be difficult to prove in such cases.

If you modify the contents of a computer, or impair its operation, without authorisation, for example by deploying malware intended to destroy or alter data (Section 3), you can receive a prison sentence of up to ten years alongside an unlimited fine. Making, supplying or obtaining tools for use in such attacks (Section 3A) is a separate offence carrying up to two years in prison.

If the unauthorised act causes, or creates a significant risk of, serious damage to human welfare, the environment, the economy or national security (Section 3ZA), the maximum sentence is 14 years, rising to life imprisonment where the damage is to human welfare or national security.

Computer Misuse Act expansion and controversy


The digital landscape has changed beyond recognition in the three decades since 1990. In contrast, the Computer Misuse Act has more or less stayed the same, except for a few provisions made to it.

This explains why the legislation has been heavily criticised as outdated and poorly suited to today’s world. Back in 1990, when the Computer Misuse Act was passed, few people had access to computers. If you did have access to one, it was usually through work, and people lucky enough to own a device rarely had more than one.

Today, most users juggle multiple tablets, laptops, and PCs, used for both work and personal life. Some of these devices were bought with our own money, while others were provided by our employers. If you travelled back in time to tell anyone in 1990 that this is what the future held, they probably wouldn’t have believed you. It is not surprising, then, that the Computer Misuse Act failed to anticipate these scenarios.

As technology has developed rapidly since the 1990s, so has the threat landscape. In 1990, the ways in which users could cause harm with computers were extremely narrow, so the law took a fairly simplistic view of what constitutes a malicious act. Since then, a new generation of computer users has grown up with the constant presence of PCs, laptops, and mobile phones and is more digitally literate than any before it.

Although the increase in technical skills is a positive sign, it also means there are more hackers than ever before, and cyber crime can be committed in countless new ways. Legislators have been forced to amend the act to keep pace with new online threats. For example, the updates to the law added definitions for attack methods that criminals could carry out, and treated preparation to launch an attack as a criminal act in itself.

Section 37 of the Police and Justice Act 2006, for example, inserted Section 3A into the Computer Misuse Act. Section 3A makes it an offence to make, adapt, supply or offer to supply any article intending it to be used, or believing it is likely to be used, to commit or assist an offence under Sections 1, 3 or 3ZA, and to obtain an article intending to use it for that purpose. Because almost every tool a penetration tester or security researcher relies on, from port scanners to exploit frameworks, is also used by criminals, the "believing it is likely to be used" test is the source of much anxiety in the security community: whether holding and sharing the tools needed to do the job is lawful turns on what a prosecutor and court make of the holder's state of mind, not on the tool itself. Crown Prosecution Service guidance asks whether a tool has legitimate uses and whether it is widely available, and a judge would likely be sympathetic to how the tools were actually being used, but ideally things would never escalate to that stage.

The legislation was amended again in 2015 by the Serious Crime Act, which introduced three changes to the original law. It created a new offence, Section 3ZA, of unauthorised acts causing or creating a risk of serious damage; it implemented the EU Directive on Attacks against Information Systems in UK law; and it clarified the "savings" provision (Section 10) that protects law enforcement from prosecution for accessing or modifying a computer in the course of a lawful criminal investigation.

In a fact sheet, the government stated that the new offence of unauthorised acts causing serious damage "addresses the most serious cyber attacks, for example, those on essential systems controlling power supply, communications, food or fuel distribution". This is the kind of attack that might more colloquially fall under the heading of cyber warfare or cyber terrorism.

The rationale given for the new offence was that the most serious crime previously covered by the act was the Section 3 offence of unauthorised acts with intent to impair the operation of a computer, which carried a maximum penalty of 10 years. This, the government said, "did not sufficiently reflect the level of personal and economic harm that a major cyber attack on critical systems could cause".

The changes made to implement the EU Directive on Attacks against Information Systems were primarily focused on extending extraterritorial jurisdiction. They made it easier to prosecute a cyber criminal who targets or operates through computers in the UK even when not physically located here, and allowed the police and Crown Prosecution Service to pursue UK nationals for cyber crimes committed abroad.

The final provision was far more controversial. In the words of the government, the changes were made "to remove any ambiguity for the lawful use of powers to investigate crime (for example under Part 3 of the Police Act 1997) and the interaction of those powers with the offences in the 1990 Act".

"The changes do not extend law enforcement agencies' powers but merely clarify the use of existing powers (derived from other enactments, wherever exercised) in the context of the offences in the 1990 Act," it added.

However, civil rights groups, including Privacy International, have contended that the changes are too broad, as they give complete exemption under the law to police and spy agencies such as GCHQ. A case in the European Court of Human Rights brought by Privacy International and five other applicants against the UK is ongoing.

Is the Computer Misuse Act fit for purpose?

There have been calls to reform or scrap the Computer Misuse Act in recent years, with many security researchers and law enforcement professionals calling into question its ability to cope with the complexities of modern-day computing.

Although many point to the act’s fairly anaemic record for supporting criminal investigations, with less than 1% of computer hacking offences investigated in the UK in 2019 resulting in prosecution, much of the criticism falls on the act’s limited definitions and inability to distinguish between criminal and ethical hacking.

The definition of ‘computer’ is outdated

Perhaps the most obvious complaint is that the act does not accommodate recent innovations in computing, reflecting a time when "computer" mainly meant a desktop PC.

“The Computer Misuse Act 1990 contains several issues that apply subjectivity when objectivity should be the test,” argues Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre. “The term ‘computer’ isn’t defined and the contemporary definition of ‘computer’ has likely shifted in the intervening thirty years.”

This lack of clear definition creates a “grey area”, adds Mackey, where prosecutors are forced to apply the act based on subjective interpretation, rather than objective fact.

“This can lead to interesting scenarios which would question whether a smartphone, nanny-cam, WiFi-connected dishwasher or CCTV system are in fact computers – despite the reality that each of these devices often runs a general-purpose operating system, is connected to a network, and runs software at the behest of its user.”

The understanding of cyber crime is outdated

Another area that most seem to agree on is that the nature of cyber crime has evolved beyond the scope of the Computer Misuse Act.

“The types of crime the Act was originally designed to fight are actually decreasing – but new threats are emerging seemingly every month,” says Peter Yapp, Partner at law firm Schillings and former Deputy Director of the UK’s National Cyber Security Centre. “For example, hacking for extortion has nearly doubled over the past year while virus/malware reports have dropped. This underlines one of the main shortfalls of the Act – the evolution of using computers to commit fraud to the computer becoming the main conduit for fraud.”

The subjective interpretation of the act ultimately creates friction between law enforcement and security researchers, with some arguing that judges often appear to misunderstand the wider issues facing the industry.

“In essence, the Act isn’t working for cyber security practitioners, law enforcement officers, the Crown Prosecution Office and the Courts,” adds Yapp. “Even more worryingly, judges don’t seem to understand the issues. For example, Southwark Crown Court is supposedly a specialist fraud centre that deals with the majority of the serious and major fraud cases in England and Wales, but its level of understanding around computer crime isn’t sufficient to facilitate any significant number of successful prosecutions. The police have dedicated many more resources to this area over the past five years, but until every police officer understands cybercrime, we will be playing catch up.”

Richard Millett, cyber security training lead at Firebrand Training and regular cyber security advisor for police forces across the UK, explains that many cyber crime cases are instead tried under other legislation, such as fraud and theft, not only because of a lack of definitions but also because much tougher penalties can be issued as a result.

“If you look at the tariffs for the various sections under the [Computer Misuse] act you see that the penalties defined do not match the severity of some of the offences that have been committed,” says Millett. “It is only when you look at Section 3ZA which covers ‘causing or creating risk of serious damage’ do you see tariffs of ‘imprisonment for life’. The financial and economic damage that has been inflicted by some individuals is not reflected in the penalties that have been applied, running into millions in many cases.”

Ethical hacking is technically illegal under the act

The most difficult challenge facing cyber security researchers trying to operate within the scope of the act is its failure to distinguish between criminal and ethical hacking.

As Rob Shooter, head of technology at law firm Fieldfisher, explained to IT Pro, many in the industry believe that the hacking offences under the Computer Misuse Act are too “broad brush”, making it technically unlawful for cyber security researchers to perform ethical hacking against the infrastructure used by cyber criminals.

The main problem is that the act makes it illegal to access a computer system without consent, regardless of the system involved. Technically, this means that functions performed by researchers to analyse potential threats, whether that’s scanning, file interrogation, or interaction with compromised systems, are illegal unless they have gained consent from both the victim and perpetrator of the crime.

“As an example, there are a multitude of US-based companies offering vulnerability scanning services of the extended supply chain, whereas there are few, if any, UK companies offering the same service,” explains Yapp.

Although this technicality may limit what ethical hackers are willing to do, and may leave some wary of potential prosecution, Yapp adds that he is unaware of any cases in which UK researchers have been sanctioned by law enforcement because of their work.
