You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
This lesson covers the Computer Misuse Act 1990 as required by OCR J277 Section 1.6. This act was introduced to criminalise unauthorised access to computer systems and has been updated several times to address modern cyber threats.
Before 1990, there was no specific UK law that made hacking illegal. In 1985, two hackers (Robert Schifreen and Stephen Gold) gained unauthorised access to BT's Prestel email system and even accessed Prince Philip's mailbox. They were initially convicted under the Forgery and Counterfeiting Act 1981, but the conviction was overturned on appeal because the existing law did not cover computer-based offences.
This case highlighted the need for dedicated legislation to address computer crime, leading to the Computer Misuse Act 1990.
The Computer Misuse Act 1990 created three levels of offence, each with increasing severity:
| Aspect | Detail |
|---|---|
| Offence | Knowingly accessing a computer system without authorisation |
| Example | Guessing someone's password to read their emails |
| Intent required | The person must know they are not authorised |
| Maximum penalty | 2 years imprisonment and/or a fine |
This is the most basic offence — simply accessing a system you are not authorised to use, even if you do not cause any damage or steal any data.
| Aspect | Detail |
|---|---|
| Offence | Gaining unauthorised access with the intention of committing another crime |
| Example | Hacking into a bank's system to steal money or commit fraud |
| Intent required | Must intend to commit or facilitate a further offence |
| Maximum penalty | 5 years imprisonment and/or a fine |
This is more serious because the unauthorised access is a step toward committing another crime (such as fraud, theft, or blackmail).
| Aspect | Detail |
|---|---|
| Offence | Performing unauthorised actions that impair the operation of a computer |
| Example | Spreading a virus, conducting a DDoS attack, deleting files |
| Intent required | Must intend to impair or be reckless about impairing a computer's operation |
| Maximum penalty | 10 years imprisonment and/or a fine |
This covers acts of sabotage, including distributing malware, modifying or deleting data, and denial of service attacks.
OCR Exam Tip: You must know all three sections of the Computer Misuse Act. A common exam question gives a scenario and asks which section of the act has been broken. Remember: Section 1 = just accessing, Section 2 = accessing to commit another crime, Section 3 = damaging/impairing systems.
The Computer Misuse Act has been amended to keep pace with evolving technology:
| Amendment | Change |
|---|---|
| Police and Justice Act 2006 | Increased penalties for Section 1 (from 6 months to 2 years); added offences for making, supplying, or obtaining tools (such as hacking software) intended for use in computer crime |
| Serious Crime Act 2015 | Added Section 3ZA — unauthorised acts causing or creating a risk of serious damage (e.g. to national security, human welfare, or the economy). Maximum penalty: life imprisonment if human welfare is endangered |
| Scenario | Section Violated |
|---|---|
| A student guesses a teacher's password and reads their emails | Section 1 |
| A hacker breaks into a company's database to steal credit card details | Section 2 |
| Someone creates and distributes a ransomware program | Section 3 |
| A hacker launches a DDoS attack that brings down a hospital's systems | Section 3ZA (Serious Crime Act) |
| A person creates hacking tools and sells them online | Police and Justice Act 2006 amendment |
| Limitation | Explanation |
|---|---|
| International enforcement | Cybercriminals often operate from other countries, making prosecution difficult |
| Keeping pace with technology | New attack methods emerge faster than legislation can be updated |
| Attribution | It can be difficult to identify the person responsible for an attack |
| Legitimate security research | The act can potentially criminalise security researchers who find vulnerabilities (although penetration testers with permission are exempt) |
| Feature | Computer Misuse Act 1990 | Data Protection Act 2018 |
|---|---|---|
| Focus | Unauthorised access to computer systems | Protecting personal data |
| Protects against | Hacking, malware, DDoS attacks | Misuse of personal information |
| Offenders | Hackers, cybercriminals | Organisations mishandling data |
| Regulator | Police / Crown Prosecution Service | Information Commissioner's Office (ICO) |
| Penalties | Imprisonment and fines | Fines and enforcement notices |
OCR Exam Tip: Do not confuse these two acts. The Computer Misuse Act deals with hacking and unauthorised access. The Data Protection Act deals with how organisations handle personal data. They can both apply to the same situation (e.g. a hacker steals personal data — this breaches both acts).
flowchart TD
CMA((CMA 1990<br/>+ amendments)) --> S1["Section 1<br/>Unauthorised access"]
CMA --> S2["Section 2<br/>Access with intent<br/>to commit further offence"]
CMA --> S3["Section 3<br/>Unauthorised acts<br/>impairing operation"]
CMA --> S3A["Section 3A<br/>Making/supplying<br/>hacking tools"]
CMA --> S3ZA["Section 3ZA<br/>Acts causing serious<br/>damage"]
S1 --> P1["Max 2 years<br/>+ fine"]
S2 --> P2["Max 5 years<br/>+ fine"]
S3 --> P3["Max 10 years<br/>+ fine<br/>e.g. DDoS, malware"]
S3A --> P3A["Police and Justice<br/>Act 2006 amendment"]
S3ZA --> P4["Max life imprisonment<br/>Serious Crime Act 2015"]
The Computer Misuse Act 1990 criminalises unauthorised access to computer systems at three levels of severity. It has been updated to cover creating hacking tools and attacks that cause serious damage. For the OCR J277 exam, you must be able to identify which section applies to a given scenario and explain why the act was needed. Remember the key distinction: this act covers computer crime (hacking, malware), while the DPA covers data handling.
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.