Computer hacking and the criminal law

Hacking of computers

The hacking of computers is a crime which has increased exponentially since the inception of the internet. It takes many forms: from the defrauding of large corporations, the hacking of government databases to expose state secrets, to the identity theft of individuals.

The Computer Misuse Act 1990

The Computer Misuse Act 1990 (CMA 1990) was introduced in August 1990 following a Law Commission report surrounding computer misuse which found that the UK was trailing behind many EU member states in relation to technological development.

What offences were introduced by CMA 1990?

CMA 1990 introduced the following three new offences into UK criminal law:

  1. unauthorised access to computer material;
  2. unauthorised access with intent to commit a further offence;
  3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc (as amended by the Police and Justice Act 2006).

Unauthorised access to computer material

The basic notion of hacking – whereby an individual causes a computer to perform a function when at the time he intends to access a program or data held in a computer – is covered by the offence of unauthorised access to computer material (s 1, CMA 1990).

Does an individual have to know that his accessing the computer material is unauthorised?

For the offence to occur, the access to the computer material has to be unauthorised and the individual gaining access has to be aware that his access is unauthorised.

What is meant by computer material?

There is no definition of computer material within CMA 1990. This has allowed CMA 1990 to apply to new pieces of technology as and when they are developed.

However, the accepted definition of computer being any device for storing and processing information can be found in the Civil Evidence Act 1968.

Unauthorised access with intent to commit a further offence

Section 2 of CMA 1990 covers unauthorised access to computer material with the intent to commit or facilitate the commission of further offences. The basis notion is that someone guilty of an offence under s 1 of CMA 1990 will have further criminal sanctions imposed on him if this is done with the intention to commit or facilitate the commission of further offences.

What is meant by further offences under s 2?

Further offences under s 2 are those which have a sentence fixed by law or where an individual found guilty of that offence would be liable for a term of imprisonment of five years or more.

Examples of a further offence may be:

Unauthorised acts with intent to impair

Section 3 of CMA 1990 was amended by the Police and Justice Act 2006. Its aim was to tackle computer viruses and denial of service attacks, which can have devastating effects on the organisations targeted. The offence does not have to be against a particular computer, program or data and is committed even if, for example, the denial of service is only temporary.

Other amendments to CMA 1990

The Serious Crime Act 2015 added a new offence (s 3ZA) of ‘unauthorised acts causing, or creating risk of, serious damage’. The territorial scope of computer misuse was also extended, meaning that a UK national is still committing an offence if the computer misuse happened outside the UK, as long as it was also illegal in the country where the hacking took place.

The Police and Justice Act 2006 added a new offence of ‘making, supplying or obtaining articles for use in offence under ss 1, 3 or 3ZA’ (s 3A).

Penalties

Penalties for offences under CMA 1990 range from two years’ imprisonment and/or a fine for unauthorised access to computer material; up to five years and/or a fine for unauthorised access with intent to commit or facilitate commission of further offences; up to 10 years and/or a fine for unauthorised modification of computer material; and imprisonment for life and/or a fine for breach of s 3ZA.

Other legislation dealing with computer hacking

The Terrorism Act 2000

When the Terrorism Act 2000 (TA 2000) first came into force it made the threat of or use of computer hacking a potential act of terrorism.

The use or threat of an action designed seriously to interfere with or seriously to disrupt an electronic system will be a terrorist action under TA 2000 only if both of the following conditions are satisfied:

  1. It is designed to influence the government or to intimidate the public or a section of the public.
  2. It is made for the purpose of advancing a political, religious or ideological cause.

TA 2000 does not, however, make for additional penalties for hackers who would be punished under the existing laws of CMA 1990.