The Government is now asking whether The Computer Misuse Act - that was drafted, before the use of the internet some thirty years later, is still fit for purpose.
In the Government's call for information, it cites two major categories of cybercrime: (1) 'cyber-dependent crimes', such as hacking or introducing malware; and (2) 'cyber-enabled crimes', which include more traditional crimes such as theft of data.
It is the former, cyber-dependent crime, which is the focus of the Government's request. This is a clear indication that the intent is not to broaden the scope of the Act and attempt to regulate other traditional crimes that have been exacerbated by the internet, such as online harassment. Presumably, the intent is that these types of crimes will either continue to be regulated by existing law or will be addressed under the ambit of the draft Online Safety Bill (which my colleague, Helen Hart, has written about here).
The Act currently prohibits:
- Unauthorised access to computer material (e.g. hacking)
- Unauthorised access to computer materials with intent to commit a further crime, for example, stealing data (e.g. planting a virus)
- Unauthorised modification of data (e.g via the use of malware)
- Making, supplying or obtaining anything which can be used in computer misuse offences
A key issue for legislators to address is how to regulate a crime that may be committed overseas, especially where such act does not constitute a crime in the overseas territory. And even where the crime is caught under the Act, there is a practical hurdle of how the Government enforces UK law against a non-UK national. For example, the origins of the WannaCry ransomware (which severely impacted the NHS in 2017) is not yet known. However, a number of fingers have been pointed towards North Korea. What are the chances of someone in North Korea being charged with an offence under the Act....
In addition, how will the Act interact with and regulate artificial intelligence? Will it penalise the computer programmer who initially inputted the algorithms into the machine, even if it was not the intent of the programmer to commit a crime? (On the topic of new laws and AI, read this article by my colleague James Gill - Lewis Silkin.)
I thought it fitting to end with a quote as this is not an easy one to fix:
"Technology is ruled by two types of people: those who manage what they do not understand, and those who understand what they do not manage."
Since the Act was passed 30 years ago, our reliance on the digital world has increased enormously and we are now critically dependent on the internet.