CS 302 Professional Issues

Chapter 9 - Computer Misuse Legislation

§9.0 Approaches
§9.1 UK Computer Misuse Act
§9.2 Implications of Misuse Act
§9.3 At the University of Strathclyde ...
§9.4 Legal Footnote

Previous Reading: Legal Considerations

§9.0 Approaches

In 1990 the UK parliament passed an act against computer misuse - the first legislation (in the sense of legislation driven by perception of a wholly new need) there had been in this country which was solely due to the advent of the computer. That the act was promoted at all was in large part due to the efforts of an individual MP - Emma Nicholson - who had previously practised as a professional computer scientist and whose efforts in connection with the act were strongly supported by the British Computer Society. Lady Nicholson, as she now is, is also a specialist in Islamic affairs; she has recently (2002) been appointed Mediterranean envoy on health, peace and development for the World Health Organisation.

Before the act (and similar acts in other countries) computer systems managers had suffered significantly from the destructive efforts of assorted hackers ... and they had suffered twice over, from the hacking itself and then because there was great difficulty in prosecuting malpractice. For example,

was recognised by the law as an offence. That statement is not quite definitive ...

were recognised as crimes. But ... quantifiably so? How much electricity is stolen when a computer is used by an unauthorised user? How much attention therefore were the courts likely to take?

Issues of computer fraud - for example, the classic problem of redirecting into the fraudster's account all those fractions of a penny not paid out in interest - were easier. But then the proceedings were based on well understood issues of fraud rather than on issues of computer misuse: successful prosecution was perfectly feasible, provided the alleged malpractice could be detected and tied back to the actions of a particular user.

The real problem was that illegal activities frequently meant abuse of information ...
... and (although one American State tried it, unsuccessfully) information was not regarded as property, and was therefore not protected in law.

Thus, for example, wiping a disc - whether a hard disc or a floppy one - in the eyes of the law

Since the act, the position is very different!

And police forces, like that in Strathclyde (which was the second in the UK to act), are at last starting to set up special units to deal with computer misuse.

§9.1 UK Computer Misuse Act 1990

The Act created three specific new offences:

  1. Unauthorised access to computer material

  2. Unauthorised access with intent to commit or facilitate a crime

  3. Unauthorised modification of computer material

together with related issues of conspiracy and incitement to commit the various offences.

Unauthorised Access - "Simple Hacking"

The "basic offence" under the Act, defined by its section one, results if

  1. a computer is caused to perform any function with intent to secure access; and

  2. the access sought is unauthorised; and

  3. the would-be user knows the access to be unauthorised.

Note the beautiful form of wording of the first condition! More usefully, note the need defined in the third condition - that the potential mis-user can reasonably be expected to be aware that the intended use is unauthorised.

The basic offence covers all forms of ostensibly innocent hacking, from probing and browsing to full-scale attack ... but, if you think about it, you'll see that it's far from straightforward for anyone to show (if no other misdeeds occur) that a basic offence has been committed.

The act as a whole applies as much to insiders as it does to outsiders - particularly in a commercial world, who can access which bits of the computer system is a matter of some significance. But it is the first part of the act which is likely to be particularly relevant to insiders, since frequently the limitation of their right of access is going to be more gently protected than would be the case for an outsider trying to hack in.

Unauthorised Access with Intent - "Aggravated Hacking"

The key phrase here is "with intent [to commit or facilitate a crime]". So charges can be brought under this section even when no other crime has actually occurred, indeed even when there is no other crime ... although naturally such charges may then be very hard to prove to the level required to obtain a conviction.

Curiously, aggravated hacking is often very much easier to identify than the basic offence - and it is, of course, much more seriously punishable.

That has implications, potentially painful implications, for authorised users

Unauthorised Modification

A charge under the third section of the act usually accompanies allegation of an offence under section one or section two, although such linkage is not essential. A potential offence will result if

Note how dangerous this section makes allowing other people to use your computer account!

People normally think of unauthorised modification as meaning the deletion of material, but the addition of material is at least as big a problem - although one of a very different nature. The section thus covers (in particular)

This section of the act probably also includes the copying of material, but we need case law before we can comment further on that.

§9.2 Some Implications of the Computer Misuse Act

Clearly the Act has implications for mis-users

Equally clearly, it has implications for what you might call "proper" users

But there are also inferences to be drawn for the managers of computer systems, if they want to benefit from the legal protection that the Act offers for their system.

We will come back to these needs, for action to create security, from a different angle when we review the protection the law requires for the processing of personal data.

§9.3 At the University of Strathclyde ...

So how does the University respond to these imperatives, given that it has responsibility for the actions of a large body of students and staff, almost all of whom have all but unsupervised access to an extensive computer system?

Short section - but not included here since in previous years it has formed one of the bases of assessed coursework, and in 2008/09 it forms a specific tutorial discussion question.

§9.4 Legal Footnote

The presentation of this section has very much suggested that computer misuse legislation is a good thing. From the viewpoint of the computer scientist, that is undoubtedly true - an onus of care is heaped on system administrators and on users, but the benefit is greater security for the system and its authorised users.

But from the point of view of the lawyers, the matter is not quite so clear.

Firstly, in the context of the United Kingdom the discussions which led to the act produced an unusual emphasis of difference between the Law Commission of Scotland and that of England & Wales. The former had reservations about the concept of privacy inherent in section one of the act (because there was then in law little related formal concept of privacy), whereas the latter was much swayed by the time and money which were being spent combating the effects of hackers. It is a general truth of research and development that advances often come when differences can be placed side by side and cross-pollination of ideas takes place - but what holds in the world of research does not always prove effective in the construction of rules for guidance, which is what laws really are.

The second point is almost a flippancy, but yet it matters rather crucially. For very good reasons, the UK act does not define what is meant by a "computer". But in the time since the act came into being, the use of embedded computing systems has expanded enormously. Is it therefore a basic offence for someone to use your washing machine without permission? One would hope not! Yet the very fact that the question can sensibly be framed is cause for a certain amount of unease.

The third point is that some of the decisions reached on cases brought under the act have not always been as clear-cut as might have been hoped. So, is the act really an effective tool for dealing with the problems of computer misuse? The answer to that has to be, yes - but saying yes does not rule out the need for further legal development in the area.

If you want to pursue ideas like this further, or to make a wider study of the interplay between law and the use of computers, you may find of interest the book

"Legal Aspects of the Information Society", Ian J Lloyd, Butterworths, 2000.

© Paul Goldfinch 2008