Government launches new consultation on the review of the Computer Misuse Act 1990

In the Spring of 2021, techUK and its members welcome the government’s announcement of a review of the Computer Misuse Act (CMA) 1990; and we responded to the initial Call for Information which sought the views of stakeholders to identify and understand whether there is activity causing harm in the area covered by the CMA that is not adequately addressed by the current offences. This also included looking at whether law enforcement agencies have the necessary powers to investigate and take action against those attacking computer systems, and whether the legislation is fit for use following tech advances since the CMA was introduced.

Following on the proposals put forward as part of that Call for Information, government has now launched a consultation on new powers for law enforcement agencies to help tackle cybercrime, which sets out the work that will be undertaken on areas where further consideration of proposals is required.

As the Government has set out, it is essential that the UK has the right legislative framework to allow it to tackle the harms posed to its citizens, businesses and government services online. The consultation seeks views on two new powers for law enforcement agencies, and on whether there is a gap in the law relating to data obtained through a CMA offence which is copied and held by another person. 

The three proposals for legislation:

1. Domain name and IP address takedown and seizure

The proposal: The development of a new power to allow law enforcement agencies to take control of domains and IP addresses where criminals are using these to support criminal activity including fraud and computer misuse. (This is not to undermine current voluntary arrangements to tackle domain name misuse, but rather – where those arrangements are not available or usable – to ensure that law enforcement agencies are empowered to take action.)

What government wants to know: Views that government is seeking include what the threshold for the use of such a power should be; which organisations should have access to it; what will the power allow that voluntary arrangements don’t currently allow; what activity would the recipients of an order undertake that they don’t do under voluntary arrangements; how can voluntary agreements (the preferred route for takedowns) be protected; should seizure of domain names/IP addresses mean the legal control and ownership of them; and a number of aspects relating to the processing of/applications for  court orders related to takedown and seizures.

2. Power to preserve data

The proposal: A power to allow all UK law enforcement agencies to require the preservation (but not seizure) of computer data in an unaltered state – where the person in control of that data is unwilling to do this voluntarily – in order to allow that agency time to determine whether the data is relevant in an investigation. It is also proposed that this power should be available for agencies to use in relation to requests from overseas law enforcement agencies; the power should be signed off by a senior officer; data owners should have the right of appeal; and that, in order to avoid cost burdens on businesses, the power should have a set timeframe of 90 days for preservation.

What government wants to know: Government is seeking views on which agencies should be able to use this power; if there are any problems associated with preserving the data that need to be considered; if there should be a time limit on preservation orders; who should be responsible for covering any costs of preservation and how this should be determined; and whether existing powers in the Police & Criminal Evidence Act 1984 are already sufficient to allow preservation.

3. Data copying

The proposal: To create a power that would allow action to be taken against a person processing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place. The context to this being that, although the CMA covers unauthorised access to computer data, the unauthorised taking or copying of data is not covered by the Theft Act, so there is concern about the difficulty of taking action against a person possessing or using data obtained through a CMA offence, such as where the person who holds the data did not commit the CMA offence.

What government wants to know: Government wishes to consider whether there’s a need/necessity to create a general offence for possessing or using illegally obtained data. It is, therefore, seeking information on the gap in current legislation and the effect this has; whether there are any examples of where harm is caused by the absence of an offence; and what the appropriate penalty would be if such an offence was created.

Areas for further consideration

The consultation document also contains details of government’s proposed approach to several other issues which were raised during the 2021 review, including proposals on the levels of sentencing, improvements to the ability to report vulnerabilities, and whether the UK has sufficient legislation to cover extra-territorial threats.

Proposals were also put forward at that time seeking a change to the law to allow for defences to CMA offences to protect cyber security professionals when they are carrying out what they see as legitimate cyber security activity. Government believes that this is an area that needs more work before it can come to a decision on whether legislative or other changes should be considered. In particular, alongside considering how national cyber security can be improved, there is a need to ensure that the rights of system owners to determine who should access their systems is protected, and that any changes do not provide a means to prevent investigation or prosecution of those suspected of CMA offences. 

As these are complex issues, the Home Office is setting up a multi-stakeholder working group to consider the views of law enforcement agencies, prosecutors, system owners and cyber security professionals, and to agree how these issues should be addressed to ensure that the UK’s cyber security can counter the risks posed by state threats and criminals. Several techUK member organisations will be part of this working group going forward.

You can read the full Review of the Computer Misuse Act 1990: consultation and response to call for information document here.

The deadline to respond to this consultation is 6 April 2023. 

techUK will be responding to this consultation on behalf of its members. To register your interest in contributing to techUK’s response, please contact Jill Broom ([email protected]) or Raya Tsolova ([email protected]).

Dan Patefield

Head of Cyber and National Security, techUK

×

Dan Patefield

Head of Cyber and National Security, techUK

Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.

Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.

Email:

[email protected]

Phone:

020 7331 2165

Jill Broom

Programme Manager, Cyber Security, techUK

×

Jill Broom

Programme Manager, Cyber Security, techUK

Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.

Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments. 

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Twitter:

@honeybroom

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Raya Tsolova

Programme Manager, techUK

×

Raya Tsolova

Programme Manager, techUK

Raya Tsolova is a Programme Manager at techUK. 

Prior to joining techUK, Raya worked in Business Development for an expert network firm within the institutional investment space. Before this Raya spent a year in industry working for a tech start-up in London as part of their Growth team which included the formation and development of a 'Let's Talk Tech' podcast and involvement in London Tech Week. 

Raya has a degree in Politics and International Relations (Bsc Hons) from the University of Bath where she focused primarily on national security and counter-terrorism policies, centreing research on female-led terrorism and specific approaches to justice there. 

Outside of work, Raya's interests include baking, spin classes and true-crime Netflix shows! 

Email:

[email protected]

Phone:

07712630603