The Computer Misuse Act 1990 (‘the Act’) introduced three new offences into UK law, namely, unauthorised access to computer material; unauthorised access to computer material with intent to commit, or facilitate the commission of, a further offence; and unauthorised modification of computer material.
Unauthorised access was covered by the Act under section 17(5) which stated that access is considered to be unauthorised access if a person is not entitled to control access of the kind in question and that person does not have consent to access from any person who is so entitled. Obviously, knowledge of an absence of consent is generally not an issue where the accused is external to the victim. However, where the accused is an employee of a victim organisation, the burden is upon the prosecution to show that the accused knew that “access of the kind in question” was unauthorised, rather than a misuse of express or implied rights of access.
The issue was further considered by the Courts in DPP v Bignell in 1997. The case was concerned with whether two police officers had accessed the Police National Computer, via an operator, for personal purposes. The issue in question was whether a person authorised to access the computer system for a particular purpose, for example policing, can commit an offence under the Act by using such authorised access for an unauthorised purpose, for example personal reasons.
The two officers were originally found guilty in the Magistrates’ Court but successfully appealed in the Crown Court, a decision which was later upheld in the Divisional Court. The Crown Court asserted that the Act was primarily concerned with protecting the integrity of computer systems rather than the integrity of the information stored on the computers, consequently, such unauthorised usage was not caught by the Act.
In effect, the Courts were suggesting that the actions of a person authorised to access parts of a computer system, but who then accessed other parts without permission, would not be covered by the Act. The court was effectively giving those authorised to use a computer carte blanche to do whatever they liked on the system, however malicious. It was clearly a nonsensical stance that was firmly remedied in due course. The case of Bow Street Mags and Allison, ex parte Government of USA 1999, will be discussed in the next blog.