In December 2007 the UK Crown Prosecution Service issued guidance to prosecutors on when to prosecute for offences under the amended Computer Misuse Act 1990. In particular, the guidance covers the new offence of supplying articles that may be used to commit a crime under the Act. However, although they were approved by Parliament in November 2006, the amendments to the Act have not yet come into force. The guidance will only come into effect once the amendments to the CMA are finally implemented.
What changes will be made to the CMA?
Some sections of the CMA will be broadened when CMA is amended, making it an offence to enable one of the crimes in the CMA to be committed. A new offence will also be created under CMA covering the supply of articles that may be used to commit a crime under the act. The changes are intended to fulfil the UK’s obligations under the Cybercrime Convention and also to reflect a perceived need to update the legislation to take account of the increased use of the internet.
The Police and Justice Act 2006 amends the CMA and broadens its scope in relation to hacking. Under the amended Section 1 of CMA, a person will be guilty of the offence of hacking not only if they access a program without authorisation; but also if they enable unauthorised access.
The Act also broadens the scope of Section 3 CMA providing that it will be an offence to carry out various unauthorised acts in relation to a computer. It will be an offence to impair, (or cause to impair), the operation of any computer; to prevent or hinder (or cause to prevent or hinder) access to any program or data held on a computer, or to impair (or cause to impair) the operation of any program or reliability of any data.
The Act also introduces a new offence of “making, supplying or obtaining articles” for use in computer misuse offences (Section 3A CMA), the so-called dual-use articles offence. Where an individual believes that an article is likely to be used to commit an offence it is an offence to adapt, supply or offer to supply this article. This could lead to imprisonment for a period of up to 2 years.
The Crown Prosecution Service Guidance
The CPS Guidance sets out the circumstances when the CPS should prosecute an individual or company under Section 3A. The guidance considers the factors that will be considered to decide whether it will be “likely” for an article to be used to commit an offence. As “likely” is not defined in the Act, prosecutors should look at (a) the functionality of the article and (b) the thought the suspect gave to who would use it. For example, whether prosecution is likely may depend on whether the product was given to IT security professionals or made available to the public at large.
The guidance also considers when it will prosecute when “dual purpose” items are sold (e.g. items that have both a legitimate and illegal use). In general, the types of factors that will be significant are:
Whether there are up to date contracts, terms and conditions and acceptable use policies;
Whether individuals are made aware of the Computer Misuse Act and what is lawful; and
Whether individuals have to sign a declaration that they do not intend to contravene the CMA.
Although this CPS guidance is not yet in force it will provide useful guidance for those manufacturing and distributing articles that could be used to breach the CMA, when the amendments come into force. It gives an indication of the factors that prosecutors will consider and therefore allows companies to consider now how to ensure that they do not fall foul of the CMA.