Computer Misuse and Hacking Offences - the Law Explained
Offences under the Computer Misuse Act 1990 including Hacking, DDoS Cyber Attacks
As long as there are digital systems designed to hold and receive information, those systems will be open to manipulation. What we have now come to call ‘hacking’ offences are recognised by the law, and cases can lead to criminal convictions, very large fines, and even prison sentences. We have included some of the common offences below and how the law works. If you are concerned about the possibility of a criminal case you should seek advice from specialist cyber crime solicitors.
Section 1 Hacking - Attempt at Unauthorised Access
This is the offence of using a computer with intent to secure unauthorised access. An attempt to use the computer is enough, even if access does not take place. The elements of the offence are:
Causing a computer to perform any function
Intent to secure access to a program or data
Access is, at the time, knowingly unauthorised
The hacking doesn’t have to be aimed at a particular computer or particular information. So hacking a network’s servers to gain access to material on non-specified computers is still hacking, as is opportunistic hacking to see what programs or data may be there.
The computer actually has to be made to do something. Simply spying on what a computer is doing or ‘eavesdropping’ on its actions is not enough. On the other hand, there is no requirement that the accused should succeed in obtaining access so a failed attempt which caused the computer to trip a security procedure would be enough to commit the offence.
Effectively, the law says that either the defendant or the computer has to be in the UK. Legal issues will arise as to what constitutes a computer. A server with the sole function of storage may not be classed as a computer. It may potentially be argued that a computer which is based abroad but which carries out a function in the UK might not be covered.
‘Unauthorised access’ means without appropriate permission. The Supreme Court has suggested that even if someone was entitled to access a computer such as a police database, if that person were not allowed to access a certain type of information then he or she could still be guilty of an offence.
The maximum sentence in the Crown Court for a section 1 offence is two years’ imprisonment per offence, and an unlimited fine.
Section 2 Hacking - Unauthorised access with intent to commit another offence (hacking with intent to commit offences)
This offence is committed where a person uses a computer in order to access it with the aim of committing a further specific offence. It could apply, for example, when a person accesses a computer to obtain bank details in order to commit a fraud, but the definition is much wider than that, and includes intending to commit any other offence if that offence has a maximum sentence of at least five years, or is an offence with a sentence fixed by Parliament, such as theft with a maximum of 14 years. Somebody who hacks a police computer in order to obtain the details of a witness who he or she wishes to harm or intimidate will be committing this offence. It is unlikely, however, that the person will be charged with the section 2 offence rather than witness intimidation or assault of the witness unless the activity didn’t progress beyond the hacking.
This offence is not always easy to prove. The prosecution has to show what the specific intent was in order to get a conviction. If it can be shown that data such as personal financial data was viewed or copied, the inference could be that a section 2 offence has taken place with the intended later offence being one of fraud. But there will not always be evidence of data of that type which points to a specific offence having been viewed or copied. Much will depend on the context, and that means that investigators may try to show that there are other aspects of the person and his or her activities or background which point to a specific offence.
For section 2 offences, the maximum in the Crown Court is 5 years’ imprisonment. In the Magistrates’ Court the maximum sentence is 6 months, although the magistrates can send the matter after trial to the Crown Court if they feel that a greater sentence may be necessary.
Section 3 - An unauthorised act with intent to impair, or with recklessness as to impairing, the functioning of a computer (computer vandalism)
The offence under section 3 of the Computer Misuse Act, perhaps more simply called computer vandalism, is committed when a person carries out an act which he or she knows is unauthorised, in order to cause one of the following types of damage or problem:
Impairment of a computer’s operation
Impairment of a program’s or data’s operation
Preventing or hindering access by a legitimate user
Recklessness is also covered, so there does not have to be an intention to cause the impairment or the access problem. Just knowing it is possible could be enough.
There does not have to be an intention to damage a specific computer or program, so opportunistic entry to a computer’s functions in order to do some damage is still covered by the offence.
This offence could be used to cover DDoS (distributed denial-of-service) attacks, uploading a virus to a computer, or any other sabotage. The prosecution do not have to prove any underlying motivation for the damage being caused. Just intending the damage or impairment to the normal operations of or access to the computer, program or data is enough.
Hacking to impair offences carry a maximum of 6 months’ imprisonment in the Magistrates’ Court, or 10 years in the Crown Court, with the possibility of a fine with no upper limit.
Section 3A - Making, adapting or supplying an article for use in an offence under section 1, 3 or 3ZA
A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA. These offences are the offences explained above of hacking, hacking to commit an offence,
The offence can be committed by just being reckless as to whether it will be used for the above purposes. There does not need to be an actual intention.
Obtaining such an article is also covered, but the person has to intend that it will be used or supplied for one of the above purposes.
An ‘article’ is just a legal word meaning a thing. It could include a device used to connect to an ATM to stop it functioning properly, but it does not have to be a physical item. It could be a piece of computer software such as a ‘hacking tool’. But hacking tools can be legitimate software which is used by system admins and others in IT security to test systems with full permission. What will decide whether it is an offence is what the underlying intention was. This would be a matter for the jury to decide, and they would consider other evidence which may point to whether the tool was intended to commit an offence.
The section 3A ‘hacker tools’ offences can be heard in the Magistrates’ Court or the Crown Court. In the Magistrates’ Court, the maximum sentence is 6 months’ imprisonment. In the Crown Court, it is two years. There is also the possibility of an unlimited fine.
Section 3ZA - cyber attacks
Major cyber attacks such as DDoS attacks are now specifically covered under s. 3ZA.
This is a newer offence which has been created to cover hacking activities by organisations and individuals who know that their actions will or are likely to cause serious damage, and intend for that damage to take place. The offence can also be committed by just being reckless as to whether the damage will take place, so in fact the person does not need to get as far as having actual intention to be guilty of the offence.
The ‘serious damage’ which is mentioned in section 3ZA means damage to human welfare, to a place or the environment, the economy of a country, or the national security of a country.
These so-called cyber attack offences are treated very seriously because of the threat to the stability and health of society and the public. The maximum after trial in the Crown Court is 14 years, but is life imprisonment if the action is carried out in the knowledge that it may cause serious damage to human welfare or the national security of a country.
Which court and what sentence for hacking offences under the Computer Misuse Act?
Most of these offences can be heard in the Magistrates’ Court or the Crown Court, although in most cases it is probably unlikely that the judge or judges in the Magistrates’ Court, which is the lower court, would accept the responsibility of judging the case, and instead would usually send the case to the Crown Court. Section 3ZA, the cyber attack offence which requires serious material damage to be caused, can be heard only in the Crown Court.
Factors affecting sentence
Whether somebody goes to prison and for how long if convicted of a hacking offence will depend on a number of factors. Clearly a court will look at whether there was any motive for the hacking, be it for example revenge or personal gain, and importantly whether any damage was caused to the person or organisation whose computer(s) was hacked. This damage might include loss of money, business, market confidence, or the effect of personal or confidential business data being accessed and whether it was used. The Court of Appeal has also identified planning and targeting as aspects which increase sentence.
Defence approach and strategy
There is no single key to success in cases of this type, but there are some things somebody facing investigation or prosecution should be aware of.
The need for specialists
Engaging specialist cyber crime solicitors is an extremely important step to take. These cases may be prosecuted in the criminal courts, but they are highly specialist, and the legal team must have at least a basic awareness of hardware and software, and the key terminology and what it means. They should also have proper access to computer expert witnesses who are specialists in any relevant area. Barristers with an interest in tech should also be selected to present the case if it reaches court.
The following aspects will often be bones of contention in any criminal trial, and should not be blindly accepted by the defence unless it is unavoidable.
Can it even be proved that the client was the person who operated the computer or caused it to function in a certain way? Can the IP address be traced? Is there any evidence of or possibility of the IP address being faked or the client’s computer being remotely accessed by the true culprit? These are fundamental questions which should be asked before anything else is accepted by the defence.
Intention and Motive
In offences where the prosecution say there was intent to either commit further offences or cause damage, can that intention be proven? It is common knowledge that hackers often access systems for the challenge of exposing security flaws rather than to actually damage any aspect of an organisation or its systems. While such access may still amount to an offence, it is unlikely to be at the same level of seriousness, and in some cases may not result in a prison sentence, even if the person is convicted.
In some cases, employees will be charged with offences. In some circumstances, they will be authorised to access certain data, for example, a police officer in the course of his or her work. Whether somebody had authorisation to do certain things would depend on all of the circumstances, including their job description.
This is a short introduction to the law on computer misuse offences. It cannot replace specialist legal advice. If you or a family member is concerned about an investigation or prosecution for a computer related offence you should seek free legal advice from specialist cyber crime solicitors.