The Computer Misuse Act needs fixing

30-year-old legislation isn't working

What's the law?

The amended Computer Misuse Act 1990 legislation creates three specific offences:
  • Causing a computer to perform any function with intent to secure access to any program or data held in any computer the person is not authorised to access (Section 1, CMA 1990).
  • Committing a section 1 offence with the intention of committing further offences (Section 2, CMA 1990).
  • Doing any unauthorised act in relation to a computer that a person knows to be unauthorised, with intent to or being reckless as to whether his act will: impair the operation of any computer; prevent or hinder access to any program or data held in any computer; impair the operation of any program or the reliability of any data; or enable any of the things above to be done. (Section 3, CMA 1990.)

What's broken?

The Act does not have provisions for responsible disclosure or public interest research. The Act offers no protection whatsoever for good faith actions.
As I have discovered, the Computer Misuse Act can be weaponised, bringing criminal law challenges to those reporting an accidental discovery.

PRs welcome

The UK Government has an open RFC reviewing the Computer Misuse Act 1990, including offences and the powers available to law enforcement agencies to investigate those offences.
The Govt want to hear from UK organisations including academia, business, law enforcement agencies, the cybersecurity industry, private sector and independent researchers.