Government launches new consultation on the review of the Computer Misuse Act 1990
In the Spring of 2021, techUK and its members welcomed the government’s announcement of a review of the Computer Misuse Act (CMA) 1990, and we responded to the initial Call for Information, which sought the views of stakeholders to identify and understand whether there is activity causing harm in the area covered by the CMA that is not adequately addressed by the current offences. This also included looking at whether law enforcement agencies have the necessary powers to investigate and take action against those attacking computer systems, and whether the legislation is fit for use following tech advances since the CMA was introduced.
Following on from the proposals put forward as part of that Call for Information, government has now launched a consultation on new powers for law enforcement agencies to help tackle cybercrime, which sets out the work that will be undertaken on areas where further consideration of proposals is required.
As the Government has set out, it is essential that the UK has the right legislative framework to allow it to tackle the harms posed to its citizens, businesses and government services online. The consultation seeks views on two new powers for law enforcement agencies, and on whether there is a gap in the law relating to data obtained through a CMA offence which is copied and held by another person.
The three proposals for legislation:
1. Domain name and IP address takedown and seizure
The proposal: The development of a new power to allow law enforcement agencies to take control of domains and IP addresses where criminals are using these to support criminal activity including fraud and computer misuse. (This is not to undermine current voluntary arrangements to tackle domain name misuse, but rather – where those arrangements are not available or usable – to ensure that law enforcement agencies are empowered to take action.)
What government wants to know: Views that government is seeking include what the threshold for the use of such a power should be; which organisations should have access to it; what will the power allow that voluntary arrangements don’t currently allow; what activity would the recipients of an order undertake that they don’t do under voluntary arrangements; how can voluntary agreements (the preferred route for takedowns) be protected; should seizure of domain names/IP addresses mean the legal control and ownership of them; and a number of aspects relating to the processing of/applications for court orders related to takedown and seizures.
2. Power to preserve data
The proposal: A power to allow all UK law enforcement agencies to require the preservation (but not seizure) of computer data in an unaltered state – where the person in control of that data is unwilling to do this voluntarily – in order to allow that agency time to determine whether the data is relevant in an investigation. It is also proposed that this power should be available for agencies to use in relation to requests from overseas law enforcement agencies; the power should be signed off by a senior officer; data owners should have the right of appeal; and that, in order to avoid cost burdens on businesses, the power should have a set timeframe of 90 days for preservation.
What government wants to know: Government is seeking views on which agencies should be able to use this power; if there are any problems associated with preserving the data that need to be considered; if there should be a time limit on preservation orders; who should be responsible for covering any costs of preservation and how this should be determined; and whether existing powers in the Police & Criminal Evidence Act 1984 are already sufficient to allow preservation.
3. Data copying
The proposal: To create a power that would allow action to be taken against a person processing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place. The context is that, although the CMA covers unauthorised access to computer data, the unauthorised taking or copying of data is not covered by the Theft Act, so there is concern about the difficulty of taking action against a person possessing or using data obtained through a CMA offence, such as where the person who holds the data did not commit the CMA offence.
What government wants to know: Government wishes to consider whether there’s a need/necessity to create a general offence for possessing or using illegally obtained data. It is, therefore, seeking information on the gap in current legislation and the effect this has; whether there are any examples of where harm is caused by the absence of an offence; and what the appropriate penalty would be if such an offence was created.
Areas for further consideration
The consultation document also contains details of government’s proposed approach to several other issues which were raised during the 2021 review, including proposals on the levels of sentencing, improvements to the ability to report vulnerabilities, and whether the UK has sufficient legislation to cover extra-territorial threats.
Proposals were also put forward at that time seeking a change to the law to allow for defences to CMA offences to protect cyber security professionals when they are carrying out what they see as legitimate cyber security activity. Government believes that this is an area that needs more work before it can come to a decision on whether legislative or other changes should be considered. In particular, alongside considering how national cyber security can be improved, there is a need to ensure that the rights of system owners to determine who should access their systems are protected, and that any changes do not provide a means to prevent investigation or prosecution of those suspected of CMA offences.
As these are complex issues, the Home Office is setting up a multi-stakeholder working group to consider the views of law enforcement agencies, prosecutors, system owners and cyber security professionals, and to agree how these issues should be addressed to ensure that the UK’s cyber security can counter the risks posed by state threats and criminals. Several techUK member organisations will be part of this working group going forward.
You can read the full Review of the Computer Misuse Act 1990: consultation and response to call for information document here.
The deadline to respond to this consultation is 6 April 2023.
techUK will be responding to this consultation on behalf of its members. To register your interest in contributing to techUK’s response, please contact Jill Broom ([email protected]) or Raya Tsolova ([email protected]).