Unauthorised modification of computer programs or data

The old offence under s3 of the Computer Misuse Act 1990

Under s3(1) of the Computer Misuse Act 1990 a person is guilty of an offence if:

(a)he does any act which causes an unauthorised modification of the contents of any computer; and

(b)at the time when he does the act he has the requisite intent and the requisite knowledge.

‘Authorisation’ is applied in a similar manner as it is to the offence of unauthorised access to computer material under s1 of the Computer Misuse Act 1990.  Section 17 of the 1990 Act, which deals with interpretation, gives a thorough, but at the same time broad, definition of modification, chiefly aimed at computer viruses and other forms of software which can cause severe damage to computer systems.  In summary, modification is the alteration, erasure or addition of any program or data to the contents of a computer.  The addition of a program or data includes, as mentioned, the addition of computer viruses and other malicious software.  The requisite intent under s3(1)(b) of the Act is defined under s3(2) as an intent to cause a modification of the contents of any computer and by so doing:

(a)to impair the operation of any computer;

(b)to prevent or hinder access to any program or data held in any computer; or

(c)to impair the operation of any such program or the reliability of any such data.

The intent need not be directed at any particular computer, program or data, or at programs or data or modifications of a particular kind, or at a particular modification.  All that is required is knowledge that the intended modification is unauthorised.

Unsolicited emails

Since adding data to a computer falls within the definition of modification, one question arises as to whether a person who adds data to, for example, a computer disk, without authorisation, has the requisite intent.  In Director of Public Prosecutions v Lennon [2006] the defendant was dismissed from his employment.  He subsequently sent several hundred thousand emails to his former employer’s computer system which purportedly came from the company’s HR manager.  Charges were brought under s3 of the Computer Misuse Act 1990 for making an unauthorised modification to the contents of a computer.  The judge at first instance held that the emails were authorised as the employer’s computer system was set up to receive email.  It was also held that s3 was designed to prevent the sending of material such as computer viruses.  On appeal the High Court concurred that a person who sets up a computer to receive emails is giving consent to emails being sent to that computer.  But the consent does not extend to emails sent not for communication purposes but to disrupt the system. 

Scope of the offence

As mentioned, the scope of the s3 offence is fairly broad, but also well-defined, and covers viruses, trojans, time-bombs (a computer virus which is triggered by a specific date) and logic bombs (a program which will trigger a malicious function if certain conditions are met).  A number of successful prosecutions have been brought under s3 for various types of conduct.  A freelance typesetter altered a client’s computer with the consequence that the client was denied access, and was consequently convicted under s3.  In another case a nurse accessed a hospital computer and changed patients’ prescriptions, making them potentially fatal.  He was convicted of two offences under s3 and sentenced to 12 months’ imprisonment. 

The new s3 offence as introduced by the Police and Justice Act 2006

The Police and Justice Act 2006 has introduced a new s3 offence with the new title of “unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.”  The relevant provisions came into force on 1 October 2008.  The offence is now committed by a person who does an unauthorised act relating to a computer, knowing that the act is unauthorised, and intending the act to cause, or being reckless as to whether the act will cause, one of the following:

(a)the impairment of the operation of any computer;

(b) the prevention or hindering of access to any program or data held in any computer;

(c)the impairment of the operation of any such program or the reliability of any such data; or

(d) the enablement of any of the things mentioned in paragraphs (a) to (c) above.

As before, the intent or the recklessness need not be directed at any particular computer, program or data, or at programs of a particular kind.  The new s3 also has more severe penalties for conviction, the maximum being ten years imprisonment for a conviction on indictment.

Sentencing

Unlike offences under s1 of the Computer Misuse Act 1990, which are generally punished by the imposition of a fine, s3 offences usually result in a custodial sentence.  Indeed, the courts take a very serious view of offences committed under s3, even those which seem less severe.  For example, in R v Maxwell-King [2001] the defendant manufactured and supplied a device allowing cable television subscribers to receive channels which they had not paid for.  The device had limited success and turnover was around £600.  On conviction the accused was given four months’ imprisonment, though this was later reduced to 150 hours community service on appeal.