The Home Office has gone out to consultation on its review of the Computer Misuse Act 1990. It’s made three proposals for legislation.
In a foreword, Home Office security minister Tom Tugendhat says: “The first relates to the proposal for the development of a new power to allow law enforcement agencies to take control of domains and internet protocol (IP) addresses where these are being used by criminals to support a wide range of criminality, including fraud and computer misuse. We recognise that a significant amount is done under voluntary arrangements to tackle the misuse of domain names, and we would not want to see these arrangements undermined, but I believe that we need to ensure that where such arrangements are unavailable, law enforcement agencies have the power to take action.
“The second proposal is for a power to allow a law enforcement agency to require the preservation of computer data to allow that law enforcement agency to determine whether the data would be needed in an investigation. The power would not allow the law enforcement agency to seize the data, but would allow it to be preserved in case needed.
“Finally, we would welcome views on whether a power should be created that would allow action to be taken against a person possessing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards being in place.”
Comment
Ollie Whitehouse, spokesman for the CyberUp campaign, said: “More than 21 months since the Government announced its review of the Computer Misuse Act, this is a response that is light on delivery. Cybercrime is endemic across the UK. We need urgency and pace – not for these issues to be kicked into the long grass.
“We welcome that the Government has acknowledged that there is a problem with legitimate cyber security activity being constrained by the UK’s outdated cyber laws; 66 per cent of respondents to its consultation agreed on this point. And yet – today’s announcement lacks concrete action, leaving the UK way behind other nations.
“We understand this is a complex issue and that reform needs careful consideration. But, very little progress has been made in nearly two years. We simply cannot wait another two years for reform – it is too important for the UK’s enhanced protection in cyberspace, not to mention its future prosperity.
“It is essential that the Government lay out a clear timetable and plan for the next steps, to ensure there are no more delays. CyberUp – with our coalition of parliamentary and industry supporters – has been an important part of the debate over the last four years, and we will continue to work with the Government to get this right.”
Background
The Computer Misuse Act 1990 (CMA) is (still) the main law that criminalises unauthorised access to computer systems and data, and the damaging or destroying them. In May 2021, the then Home Secretary Priti Patel announced a review of the CMA, given that (in the words of the new consultation, that runs until April) ‘whether the legislation is fit for use following the technological advances since the CMA was introduced’.
As campaigners argue, the 1990 law may prevent UK cyber professionals from carrying out threat intelligence research that can help law enforcement against (increasing) cyberattacks. Cyberup asks for a reform of the Computer Misuse Act to include a statutory defence for good faith research, so long as certain safeguards are met.
DCMS call for views
Meanwhile the (now to be broken up) Department for Digital, Culture, Media & Sport has put out a ‘call for views on software resilience and security for businesses and organisations’.
