This article was originally published in Bristows' monthly IT e-newsletter 'The Cookie Jar'.

The Police and Justice Act 2006, which received royal assent on 8 November, modifies the Computer Misuse Act 1990 ("CMA"), making it an offence to launch a denial of service attack in the UK and increasing the penalties for offences committed under the CMA.

Concerns had been raised that ‘denial of service’ attacks (causing a server to crash by bombarding it with more e-mail messages or requests for information than it can handle) fell through a loophole in the CMA, a shortcoming widely attributed to the CMA having been drafted before the days of widespread Internet usage.

Section 3 of the original CMA made it an offence to cause "an unauthorised modification of the contents of any computer" with the requisite intent and knowledge. It was arguable that denial of service attacks fell outside this definition, as most websites expressly or impliedly invite visitors to interact with the site by sending e-mails or inputting data and such interaction would therefore be ‘authorised’. This argument was used successfully to clear David Lennon of charges under the CMA at first instance, though he was convicted following an appeal.

The scope of section 3 CMA is expanded by Section 36 of the 2006 Act, which makes it a criminal act knowingly to do "any unauthorised act in relation to a computer" if you either intend or are reckless as to whether that act impairs the operation of any computer, prevents or hinders access to any program or data held on any computer, or impairs the operation of such a program or the reliability of such data. It is worth noting that such intent need not be directed at any particular computer, program or data.

The 2006 Act also doubles the maximum custodial sentence for both section 3 offences and the ‘hacking offence’ under section 1 CMA. The maximum term for summary offences under both sections 1 and 3 CMA is raised from 6 months to 12 months, and the maximum for an indictable offence under section 3 increases from 5 to 10 years.

Finally, the 2006 Act introduces a new offence of making, supplying or obtaining an article for use in computer misuse offences. An ‘article’ includes "any program or data held in electronic form", which could include a password or email address. It will be an offence to make or adapt an article, or obtain an article with a view to supplying it, with the intention that it be used to commit or assist in committing an offence under sections 1 or 3 CMA. It will also be an offence to supply or offer to supply an article intending it to be used to commit or assist in committing an offence under sections 1 or 3 CMA or believing that it is likely to be so used. This new offence has given rise to concerns as to whether the supply of tools that can be used to check network security will be caught. Such tools can be used either to ensure that a network is secure or to identify weaknesses that can then be attacked.

In summary, the key changes to the modification offence under section 3 CMA are:

  • it is the act which must be unauthorised, rather than the modification of the contents of the computer;
  • it applies to any unauthorised act, so denial of service attacks and distribution of malicious code are caught;
  • an offence will be committed by a person who is reckless as to whether the unauthorised act impairs the operation of the computer or program or access to or reliability of data, as well as a person who intends to do so; and
  • the maximum prison term is now 12 months for a summary conviction and 10 years for a conviction on indictment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.