- Email: [email protected]
Computer misuse act questioned again
Editorial
EDITORIAL Computer Stephen
Misuse Act questioned
again
Saxby
In a reserved judgment on 16 May 1997 [Director of Public The decision of the QBD suggests that the time has come Prosecutions v Bignell and Another (The Times, 6 June for this area of the law to be re-examined. In 1991, the Court 1997)] the Queen’s Bench Divisional Court (QBD) ruled that of Appeal had to step in to overturn a ruling of a trial judge no offence was committed under Section 1 of the UK that, for a computer misuse offence to occur, hacking Erom Computer Misuse Act 1990 (CMA 1990) when two defenone computer to another was required [Attorney Generdants, who were generally authorized to secure access to al’s Reference (No. 1 of 1991) [1992] 3 WLR 4321. Then in computer material, did so for a purpose not authorised in this 1996 the House of Lords ruled in R v Brown ([1996] 1 All ER particular instance. The case arose over the activities of two 545) that police officers were not guilty of using or police officers who accessed the police national computer to attempting to use personal data under Section 5(2)(b) of obtain information about two motor vehicles. Although they the 1984 Act if, having observed it, they appeared to take no further action with the data. were permitted to access this information, they did so not for police but for private purposes. Accordingly, the access was The main problem appears to be knowing when an not authorized and the prosecutions occurred. ‘unauthorized access’ as opposed to unregistered ‘use’ of In overturning the convictions at personal data has occurred. Although Bow Street Magistrates Court Mr Justhere have been a number of success“The main problem appears to tice Astill ruled that the aim of the ful prosecutions under the CMA 1990 CMA 1990 was to tackle the problem the courts have, on balance, tended be knowing when an of computer hackers whereby computo identify problems of demarcation ‘unauthorized access’ as ters were broken into. The Act made it that were not envisaged at the time clear that if the defendants were opposed to unregistered ‘use’ of the legislation was brought in. It is well known that the vast majority of entitled to control access to the data personal data has occurred”. problems tend to occur when an in question then this could not be unauthorized. There was evidence that employee does something on his employer’s computer that is not done they could in at least two of the ways in the course of his job. Now that employers are establishing set out in Section 17(2) of the Act. These included using the an increasing variety of Internet and intranet connections data or outputting it from the computer in which it was held. these demarcation problems are likely to grow. Moreover, Accordingly, the defendants had authority to access despite even if the DPA 1984 is a possible alternative in the present the fact that, in this case, this was not done for an authorized case, this does not deal with a scenario where the target of purpose. The Judge suggested that this was not a case for the the accused is commercial information rather than personal 1990 Act at all, but one that should have been dealt with under data. Perhaps the Law Commission should be invited to Section 5(2)(b) of the Data Protection Act 1984 (DPA 1984) review the law in this area before the problem increases. which prohibits the use of personal data for purposes not registered under the 1984 Act.
222
Computer Law & Security Report 01997, Elsevier Science Ltd.
Vol. 13 no. 4 1997
EDITORIAL Computer Stephen
Misuse Act questioned
again
Saxby
In a reserved judgment on 16 May 1997 [Director of Public The decision of the QBD suggests that the time has come Prosecutions v Bignell and Another (The Times, 6 June for this area of the law to be re-examined. In 1991, the Court 1997)] the Queen’s Bench Divisional Court (QBD) ruled that of Appeal had to step in to overturn a ruling of a trial judge no offence was committed under Section 1 of the UK that, for a computer misuse offence to occur, hacking Erom Computer Misuse Act 1990 (CMA 1990) when two defenone computer to another was required [Attorney Generdants, who were generally authorized to secure access to al’s Reference (No. 1 of 1991) [1992] 3 WLR 4321. Then in computer material, did so for a purpose not authorised in this 1996 the House of Lords ruled in R v Brown ([1996] 1 All ER particular instance. The case arose over the activities of two 545) that police officers were not guilty of using or police officers who accessed the police national computer to attempting to use personal data under Section 5(2)(b) of obtain information about two motor vehicles. Although they the 1984 Act if, having observed it, they appeared to take no further action with the data. were permitted to access this information, they did so not for police but for private purposes. Accordingly, the access was The main problem appears to be knowing when an not authorized and the prosecutions occurred. ‘unauthorized access’ as opposed to unregistered ‘use’ of In overturning the convictions at personal data has occurred. Although Bow Street Magistrates Court Mr Justhere have been a number of success“The main problem appears to tice Astill ruled that the aim of the ful prosecutions under the CMA 1990 CMA 1990 was to tackle the problem the courts have, on balance, tended be knowing when an of computer hackers whereby computo identify problems of demarcation ‘unauthorized access’ as ters were broken into. The Act made it that were not envisaged at the time clear that if the defendants were opposed to unregistered ‘use’ of the legislation was brought in. It is well known that the vast majority of entitled to control access to the data personal data has occurred”. problems tend to occur when an in question then this could not be unauthorized. There was evidence that employee does something on his employer’s computer that is not done they could in at least two of the ways in the course of his job. Now that employers are establishing set out in Section 17(2) of the Act. These included using the an increasing variety of Internet and intranet connections data or outputting it from the computer in which it was held. these demarcation problems are likely to grow. Moreover, Accordingly, the defendants had authority to access despite even if the DPA 1984 is a possible alternative in the present the fact that, in this case, this was not done for an authorized case, this does not deal with a scenario where the target of purpose. The Judge suggested that this was not a case for the the accused is commercial information rather than personal 1990 Act at all, but one that should have been dealt with under data. Perhaps the Law Commission should be invited to Section 5(2)(b) of the Data Protection Act 1984 (DPA 1984) review the law in this area before the problem increases. which prohibits the use of personal data for purposes not registered under the 1984 Act.
222
Computer Law & Security Report 01997, Elsevier Science Ltd.
Vol. 13 no. 4 1997