When personal computers and networks arrived, the criminal law had a gap: existing offences were written for the physical world, and "breaking into" a computer over a phone line did not obviously fit theft, criminal damage or trespass. The Computer Misuse Act 1990 was passed to close that gap by creating offences aimed squarely at the unauthorised use of computers. This is a discursive 1.5 topic, so beyond knowing the offences you must be able to apply them to scenarios and discuss hard cases — above all the way the Act treats malware and the awkward question of ethical hacking and penetration testing, where the very same act (probing a system for weaknesses) is a crime when unauthorised and a profession when authorised. We cover why the Act exists, its main offences, the key role of authorisation and intent, how it captures malware and the making of hacking tools, and where its limitations lie.
This lesson addresses the H446 1.5 content on the criminal law protecting computer systems:
(Phrasing here paraphrases the specification content; it is not a verbatim quote.)
In the years before 1990, attempts to prosecute people who had gained unauthorised access to computer systems ran into a problem: the conduct did not fit the existing criminal offences, which assumed tangible property. "Looking at" data without permission was not theft (nothing was permanently taken), and it was not obviously criminal damage. The courts found, in effect, that hacking was not a crime under the law as it then stood. Parliament responded with a purpose-built statute that made the unauthorised use of a computer itself an offence, regardless of whether anything was stolen or damaged. The recurring theme of the whole Act is therefore authorisation: it is not using a computer that is criminal, but using one you are not permitted to use, in ways you are not permitted to.
The Act creates a ladder of offences of increasing seriousness, distinguished by intent and consequence. You should be able to state each and pick the right one for a scenario.
| Offence | What it covers | Intent required | Maximum penalty (paraphrased) |
|---|---|---|---|
| Unauthorised access to computer material | Causing a computer to perform a function to secure access to programs or data without authorisation — "basic hacking". | Knowing the access is unauthorised; no intent to do anything further is needed. | The least serious tier: a custodial term and/or a fine. |
| Unauthorised access with intent to commit/facilitate a further offence | The same unauthorised access, but as a stepping stone to another crime (fraud, theft, blackmail). | Knowing access is unauthorised and intending a further offence. | A heavier custodial maximum, reflecting the criminal purpose. |
| Unauthorised acts with intent to impair (or being reckless) | Unauthorised acts that impair a computer's operation, the reliability of data, or access to programs/data — covers damage and disruption. | Intending to impair, or being reckless as to whether impairment results. | Heavier still, reflecting active harm. |
| Making, supplying or obtaining articles for use in computer-misuse offences | Creating, distributing or obtaining tools (e.g. malware, hacking toolkits) intending or believing they will be used to commit the above offences. | Intent or belief that the article will be used in an offence. | A custodial maximum aimed at the supply chain of cybercrime. |
Two later amendments to the Act are worth knowing as factual additions to the regime:
Exam Tip: For a scenario, decide on two axes. (1) Access only, or further harm? Pure snooping is the basic access offence; access to commit another crime is the "with intent" offence; damaging or disrupting is the "impair" offence. (2) Did they make/supply a tool? That is the separate articles offence. Always state which offence and justify it from the scenario's facts.
Almost every Computer Misuse Act question turns on two words.
Authorisation. The offences are defined by the access or act being unauthorised. Authorisation is granted by whoever controls the system — and it is specific: being allowed to use a computer for one purpose does not authorise every use of it. This is the crucial and frequently examined point that the Act can be broken from the inside. An employee who is permitted to use a customer database for their job, but who looks up a celebrity's record or a neighbour's details out of curiosity, has exceeded their authorisation and commits the basic access offence — no firewall was breached, no password cracked, yet it is still a crime, because that particular access was not permitted. Authorisation, not technical difficulty, is the test.
Intent and knowledge. The offences require the right mental state. The basic access offence requires that the person knew the access was unauthorised — accidentally clicking a link to a page you did not realise was off-limits is not the offence if you had no such knowledge. The more serious offences require, additionally, intent to commit a further crime, or intent (or recklessness) as to impairing a system. "Recklessness" is important for malware: someone who unleashes a worm may not intend to damage any particular computer, but proceeds aware of an obvious risk that damage will result — and that recklessness is enough.
```mermaid
flowchart TD
    A[Someone accesses or affects a computer] --> Q1{Authorised?}
    Q1 -- Yes --> OK[No CMA offence<br/>e.g. own account, or permission given]
    Q1 -- No --> Q2{What did they do / intend?}
    Q2 -- Just gained access --> S1[Basic unauthorised access offence]
    Q2 -- Access to commit a further crime --> S2[Unauthorised access WITH INTENT]
    Q2 -- Impaired / damaged / disrupted --> S3[Unauthorised acts to IMPAIR<br/>incl. reckless]
    A2[Made or supplied a hacking/malware tool] --> S4[Making/supplying ARTICLES offence]
```
Malicious software maps neatly onto the offences, and a good answer says which offence each behaviour engages rather than just calling it "illegal".
| Malware behaviour | Offence(s) most engaged | Why |
|---|---|---|
| A virus or worm that spreads and corrupts or deletes files | Unauthorised acts to impair; usually also unauthorised access | It runs on machines without permission and impairs their operation / data reliability; releasing it is at least reckless as to damage. |
| Ransomware that encrypts a victim's files and demands payment | Impair (it denies access to data) and access with intent (the further offence of blackmail) | It both disrupts the system and serves a further criminal purpose. |
| A denial-of-service (DoS/DDoS) attack flooding a server | Unauthorised acts to impair | It impairs access to the service for legitimate users, without necessarily "accessing" data. |
| Spyware/keyloggers quietly capturing data | Unauthorised access (often with intent if used for fraud) | It secures access to data without authorisation, frequently as a step toward another crime. |
| Writing or selling a malware kit or exploit | Making/supplying articles | The tool itself is targeted, separately from any attack carried out with it. |
The articles offence matters because it lets the law reach the supply chain — the people who build and sell the weapons — not only the individual who pulls the trigger.
Here is the topic's most interesting tension, and a favourite for discursive questions. A penetration tester ("ethical hacker") does exactly what a criminal hacker does — probes a system for vulnerabilities, attempts to gain access, tries to exploit weaknesses — yet does so as a respected, well-paid profession. How can the same actions be a serious crime in one case and a legitimate service in the other?
The answer is the hinge of the whole Act: authorisation. A penetration tester operates with the explicit, documented permission of the system's owner, usually under a contract that defines exactly what may be tested, when, and within what limits (the "rules of engagement" and "scope"). Because the owner has authorised the access, the access is not unauthorised, and so the offences are simply not committed. The criminal hacker performs technically identical actions but without permission, so the access is unauthorised, and it is an offence.
This produces some sharp practical lessons:
This is also where the dual-use tools problem bites. The articles offence targets hacking tools, yet penetration testers rely on the same tools (port scanners, exploit frameworks, password crackers) to do legitimate work. The law manages this through the requirement of intent or belief that the tool will be used in an offence — a security professional using a scanner under contract lacks that criminal intent — but the line is genuinely blurry, and it is a fair point of criticism.
Because exam marks hinge on choosing the right offence, it is worth drilling the classification on short cases. For each, ask the two diagnostic questions — was it authorised? and, if not, access only, a further crime, impairment, or a tool?
| Scenario | Authorised? | Offence | Reasoning |
|---|---|---|---|
| A student guesses a friend's password and reads their messages "for a laugh", changing nothing. | No | Basic unauthorised access | Access secured without permission; no further crime, no damage. The harmless motive is irrelevant. |
| An attacker breaks into a retailer's system specifically to steal card details and use them. | No | Access with intent | Unauthorised access used as a step toward fraud/theft. |
| A disgruntled ex-employee remotely deletes a former employer's project files. | No | Unauthorised acts to impair | Unauthorised act impairing data reliability/availability; intent to impair is present. |
| Someone overwhelms a charity's website with traffic so genuine users cannot reach it. | No | Unauthorised acts to impair (DoS) | Impairs access to the service; no data need be "accessed". |
| A developer writes and sells an exploit kit on the understanding buyers will attack with it. | No | Making/supplying articles | The tool itself is targeted, regardless of any single attack. |
| A contracted pen-tester, in scope, gains admin access to a test server and reports it. | Yes | No offence | The owner authorised the access in advance and in writing. |
| An employee, authorised to read but not to edit a database, alters a record to cover a mistake. | No (for that act) | Basic access exceeded, possibly impair | The edit was outside the granted permission; altering data may also impair its reliability. |
A subtle point worth making in an answer is that impairment is broader than "damage" in the everyday sense. It expressly includes impairing the reliability of data (so subtly corrupting or falsifying records counts) and impairing access to programs or data (so a denial-of-service attack qualifies even though nothing is deleted and no file is "stolen"). Candidates who think the impair offence requires destroyed hardware or wiped files miss a large part of its reach.
Because uninvited access is an offence regardless of motive, the security community relies on lawful channels for finding and fixing flaws:
These exist precisely because the law draws its line at authorisation: they are the routes by which a would-be helper can act with permission rather than committing an offence by acting without it.
A discursive answer is strengthened by acknowledging where the Act struggles.