The law surrounding cyber security is made up of a number of different overlapping components. It includes data protection through the Data Protection Act and GDPR; intellectual property, through copyright, patents and so on; and others. In this article, we look at the law specifically around computer misuse or "hacking".

• Computer Misuse

In the middle of the 1980s Robert Schifreen and Stephen Gold discovered the log-in details of an account on British Telecom's Prestel by watching what an engineer typed in to their terminal. They logged in and explored the system, managing to find details of accounts belonging to other people, including members of the royal family.

British Telecom discovered the unauthorised use and the pair were charged. At the time, there was no UK law that covered their activities exactly, so they were charged with manufacturing a "false instrument" under the Forgery and Counterfeiting act 1981. The argument was that by entering their unauthorised commands into the Pentel system, they had changed its internal state and somehow created something that infringed on the intellectual property of British Telecom.

They were fined less than £1500, but the case highlighted two things: one, that British Telecom had not taken security seriously (the username and password were 2222222222 and 1234 respectively) and the second that the law being applied did not quite fit the situation.

Schifreen and Gold appealed the finding on that second point and it was upheld. Lord Justice Brandon said that "we have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts."

This led to the creation of the Computer Misuse Act 1990, which set out three offences:

1. unauthorised access to computer material
2. unauthorised access with intent to commit or facilitate commission of further offences
3. unauthorised modification of computer material

The punishment, in terms of fines and prison sentences, was also laid out. Since then, these three offences remain in subsequent revisions of the act, although the fines and prison terms have changed. Two additional offences have also been added. At the time this article was written (May 2019), the list of offences is:

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
4. Unauthorised acts causing, or creating risk of, serious damage
5. Making, supplying or obtaining articles for use in offence under

Links

• https://www.itpro.co.uk/it-legislation/28174/what-is-the-computer-misuse-act
• https://www.cps.gov.uk/legal-guidance/computer-misuse
• https://www.legislation.gov.uk/ukpga/1990/18/contents