UK government outlines reforms to thirty-year-old cybercrime law

Proposed changes to the 1990 Computer Misuse Act are set out in a consultation paper, following a ‘call for information’ by the UK Home Office in 2021.

Legal experts have welcomed the government’s move to modernise the outdated legislation.

“The Computer Misuse Act is more than 30 years old and is clearly overdue for a review and update. It’s positive that the government recognises that it is an area in need of reform given the risk cybercrime presents to businesses and individuals,” said cyber risk expert Julia Varley of Pinsent Masons.

The Home Office proposes three main changes to the CMA. The first will enable law enforcement agencies to take control of domains and IP addresses that are being used by criminals to carry out online criminal activities, such as fraud and computer misuse. It also includes provisions to allow the public authorities to take down these domains and prevent the creation of domains that are suspected and predicted to be for criminal purposes. 

“A notable feature of the proposed changes is around trying to break the link between criminal domains and victim domains. It is achieved through granting law enforcement agencies the power to take control of or take down the domains and IP addressed used by criminals, as well as the power to require the UK registry not to register domain names that are predicted to be used for criminal purposes,” said Varley.

The second proposal aims to toughen up the offences and penalties for taking or coping data rather than merely unauthorised access to or modification of data.

“Considering the seriousness of the threat and the difficulty in taking action against a person possessing or using illegally obtained data, the changes are welcome,” she added.

Under the CMA, data copying only attracts a fine and a maximum of up to two years imprisonment. It is difficult to take action against a person possessing or using data obtained through a CMA offence. It is also not covered under the Theft Act, as theft of data from computer systems commonly involves copying the data, without the intention to “permanently deprive”. The government is considering creating a general offence for possessing or using illegally obtained data.

The third proposal would give law enforcement agencies a new power to require data owners or individuals in control of data to preserve that data in an unaltered state so that it is available for law enforcement investigations.

The proposed power would not permit a law enforcement agency to seize data, but it is intended to allow time for the agency to determine whether the data is relevant to an investigation. If the data is required, the agency would need to obtain court authorisation before it could seize the data. This power would apply to any data relating to any offence. It would be available to all UK law enforcement agencies, including the National Crime Agency (NCA), UK police forces, HM Revenue & Customs (HMRC) and the Serious Fraud Office.

Cyber risk expert Stuart Davey of Pinsent Masons raised questions over the enforcement of the proposed changes, given the international nature of CMA offences.

“The main difficulty will be trying to enforce it worldwide, given that many of the cybercrimes involving victims in the UK are carried out by individuals or groups outside of the UK. The UK government will have to rely on cooperation with governments and law enforcement agencies in other jurisdictions, and also those jurisdictions having the ability and legislation to prosecute extra territorial criminality. It’s a global problem that calls for global response and this is recognised to some degree in the consultation,” he said.

The consultation ends on 6 April 2023.