Academics call for UK's Computer Misuse Act 1990 to be reformed

Britain's main anti-hacker law, the Computer Misuse Act 1990, is "confused", "outdated" and "ambiguous", according to a group of pro-reform academics.

A report launched this morning by the Criminal Law Reform Now Network (CLRNN) described a "range of measures to better tailor existing offences in line with our international obligations and other modern legal systems" in a call for the 30-year-old Act to be overhauled.

CLRNN mostly consists of academics from the University of Birmingham. In its report (PDF), the network described the current Act as "preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geo-political threat actors", something it said is "leaving the UK's critical national infrastructure at increased risk".

Broadly, the network calls for new public interest defences for infosec professionals, academics and journalists as well as specific guidance for prosecutors and sentencing judges alike.

It also calls for the introduction of civil penalties for computer misuse naughtiness (mischief, in the legal jargon), with the Investigatory Powers Commissioner being suggested as a civil "regulator" to decide who should and should not be slapped with a civil fine.

Down in the detail

The CLRNN's specific recommendations are:

• Reforming the section 1, CMA90 offence to make it summary-only, or to narrow its current scope by "specifying required harms beyond simple unauthorised access."
• Narrowing sections 3 and 3ZA to require an intention to commit a criminal act, or to enable someone else to do so.
• Creation of a "corporate failure to prevent offence" so companies can be held criminally liable for employees acting as such who commit computer misuse crimes.
• Adding a new defence of assumed consent to accessing someone else's computers "if [the other person] had known about the access and the circumstances of it, including the reasons for seeking it."
• A public interest defence allowing accused hackers to "prove that in the particular circumstances the act or acts (i) was necessary for the detection or prevention of crime, or (ii) was justified as being in the public interest".

Ollie Whitehouse, global CTO of British infosec biz NCC Group and spokesman for the CyberUp campaign, commented in a canned statement: "This report shines a welcome light on the UK's outdated cyber security crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security within a regime drawn up 30 years ago."

Neil Brown of tech law firm decoded.legal told The Register: "The current CMA is either showing its age, or else [is] just a bit of a pig's ear, depending on how charitable you are feeling. The devil is in the detail, but the proposals look sensible. In particular, offering greater security to those looking to offer security – a public interest defence – would be welcome."

It won't be plain sailing

Peter Sommer, a professor of digital forensics at Birmingham City University and one of the CLRNN's contributors, published an insightful LinkedIn post about how the current CMA90 impacts the cyber security sector.

"The key to understanding the Act was that from the outset it was designed to fill in gaps in the existing legislation rather than to provide a comprehensive response to whatever you think "cybercrime" is," something that makes sense when read in the context of the Prestel hack.

He added: "Indeed there are frequent occasions in which the Computer Misuse Act has clearly been breached but where prosecutors decide not to pursue charges with any vigour or indeed at all because success would be unlikely to alter the court's view of punishment in the event of conviction."

This was the case in the recent sentencing of National Lottery hacker Anwar Batson. At the start of the hearing, prosecutors added a new charge to the indictment to which Batson pleaded guilty. It was this charge that weighed heaviest on the judge's mind when he gave Batson nine months in prison.

The CLRNN report comes hot on the heels of separate calls from industry to reform the CMA. A launch event is being held this afternoon in Parliament which may lead to further calls. The National Crime Agency is also known to hold internal views about the suitability of the CMA. ®