Abstract
Fourteen years after its creation in 2006, s3A Computer Misuse Act 1990 remains as problematic, if not more problematic than ever. Established to support the fight against cybercrime, the offence of misuse of tools has not only the paradoxical effect of endangering legitimate security research, as foreseen in 2006, but has also become a threat to established newsgathering practices. Its broad structure, combined with the vagueness of the other CMA offences, and the absence of public interest defences, criminalises the very tools which facilitate the work of, respectively, security researchers, and whistle-blowers and journalists-, leaving these actors exposed to criminal liability for resorting to dual-use hacking tools and obfuscating tools. Ultimately this pattern of over-criminalisation harms the fight against cybercrime and crime, defeating the very objective of deterrence cybercrime offences harbour. It is time, not just for reforming the CMA and in particular s3A, but also for the legislator, both in the UK and at international level, to properly engage with the security industry and civil society.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Ball, J. (2014, June 5). Guardian Launches SecureDrop System for Whistleblowers to Share Files, The Guardian [Online]. Available from: https://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents.
Billig, J., Danilchenko, Y., & Frank, C. E. (2008, September). Evaluation of Google Hacking. In Proceedings of the 5th Annual Conference on Information Security Curriculum Development (pp. 27–32).
Broucek, V., & Turner, P. (2013). Technical, Legal and Ethical Dilemmas: Distinguishing Risks Arising from Malware and Cyber-attack Tools in the ‘Cloud’—A Forensic Computing Perspective. Journal of Computer Virology and Hacking Techniques, 9(1), 27–33.
Brunton, F., & Nissenbaum, H. (2013). Political and Ethical Perspectives on Data Obfuscation. In Privacy, Due Process and the Computational Turn: The Philosophy of Law Meets the Philosophy of Technology (pp. 164–188).
Clayton, R. (2007, December 31). Hacking Tool Guidance Finally Appears. Blog. https://www.lightbluetouchpaper.org/2007/12/31/hacking-tool-guidance-finally-appears/. Accessed 27 November 2017.
Clough, J. (2015). Principles of Cybercrime. Cambridge University Press.
Committee to Protect Journalists. (2012). CPJ Journalist Security Guide: Covering the News in a Dangerous and Changing World. Available at https://cpj.org/security/guide.pdf.
CRLNN, Criminal Law Reform Now Network. 2020. Reforming the Computer Misuse Act. Available at http://www.clrnn.co.uk/.
Council of Europe. Explanatory Report to the Convention on Cybercrime. Available at https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185.
Cyber-Rights. (2003). An advocacy Handbook for the Non Governmental Organisations. http://www.cyber-rights.org/cybercrime/.
Denning, D. (2000). Reflections on Cyberweapons Control. Computer Security Journal, 16(4), 43–53.
European Digital Rights (EDRi) Submission to the Council of Europe’s Second Protocol to the Convention on cybercrime, 20 February 2019. https://edri.org/safeguarding-fundamental-rights-in-the-new-cybercrime-protocol/.
European Digital Rights (EDRi). (2018, April 3). Nearly 100 Public Interest Organisations Urge Council of Europe to Ensure High Transparency Standards for Cybercrime Negotiations. Available at https://edri.org/global-letter-cybercrime-negotiations-transparency/.
European Network and Information Security Agency (ENISA). (2013). The Directive on Attacks Against Information Systems. A Good Practice Collection for CERTs on the Directive on Attacks Against Information Systems. Available at https://www.enisa.europa.eu/publications/the-directive-on-attacks-against-information-systems.
European Network and Information Security Agency (ENISA). (2015). Good Practice Guide on Vulnerability Disclosure. From Challenges to Recommendations. Available at https://www.enisa.europa.eu/publications/vulnerability-disclosure. Accessed 4 February 2020.
European Network and Information Security Agency (ENISA). (2018). Economics of Vulnerability Disclosure. Available at https://www.enisa.europa.eu/procurement/economics-of-vulnerability-disclosure.
European Parliament. (2011, November 24). Draft Report on the Proposal for a Directive of the European Parliament and of the Council on Attacks Against Information Systems and Repealing Council Framework Decision 2005/222/JHA, 2010/0273 (COD).
European Parliament, LIBE. (2017, July 25). Report on the Fight Against Cybercrime, (2017/2068 (INI), para 21, 34. Available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2017-0272+0+DOC+PDF+V0//EN.
Fafinski, S. (2006). Access Denied: Computer Misuse in an Era of Technological Change. The Journal of Criminal Law, 70(5), 424–442.
Fafinski, S. (2008). Computer Misuse: The Implications of the Police and Justice Act 2006. The Journal of Criminal Law, 72(1), 53–66.
Furnell, S., & Papadaki, M. (2008). Testing Our Defences or Defending Our Tests: The Obstacles to Performing Security Assessment References. Computer Fraud & Security, 2008(5), 8–12.
Great Britain. Police and Justice Act 2006. Explanatory Notes. Available from: https://www.legislation.gov.uk.
Great Britain. House of Lords. (2006, July 11). Official Report: Parliamentary Debates [Hansard], Vol. 684, co. 611. London: The Stationery Office.
Guinchard, A. (2018). Transforming the Computer Misuse Act 1990 to Support Vulnerability Research? Proposal for a Defence for Hacking as a Strategy in the Fight Against Cybercrime. Journal of Information Rights, Policy and Practice, 2(2).
Guinchard, A. (2020). Better Cybersecurity, Better Democracy? The Public Interest Case for Amending the Convention on Cybercrime n.185 and the Directive 2013/40/EU on Attacks Against Information Systems. In R. Pereira, A. Engel, & S. Miettinen (Eds.), The Governance of Criminal Justice in the European Union: Transnationalism, Localism, and Public Participation in an Evolving Constitutional Order. London: Edward Elgar.
Hafiz, M., & Fang, M. (2016). Game of Detections: How Are Security Vulnerabilities Discovered in the Wild? Empirical Software Engineering, 21(5), 1920–1959.
Horder, J. (2019). Ashworth’s Principles of Criminal Law (9th ed.). Oxford: Oxford University Press.
Jardine, E. (2015). The Dark Web Dilemma: Tor, Anonymity and Online Policing. Global Commission on Internet Governance Paper Series, No. 21. Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2667711.
Katos, V., & Furnell, S. (2008). The Security and Privacy Impact of Criminalising the Distribution of Hacking Tools. Computer Fraud & Security, 2008(7), 9–16.
Kleberg, C. F. (2015). The Death of Source Protection? Protecting Journalists’ Source in a Post-Snowden Age. London, UK: LSE Polis. Available at http://eprints.lse.ac.uk/63140/.
Law Commission. 2007. Conspiracy and Attempts. CP 183.
Lee, M. (2015, November 12). Edward Snowden Explains How to Reclaim Your Privacy. The Intercept [Online]. Available from: https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/.
Maurushat, A. (2013). Disclosure of Security Vulnerabilities: Legal and Ethical Issues. Springer.
Organisation for Economic Co-operation and Development. (1986). Computer-Related Crime: Analysis of Legal Policy. OECD.
Posetti, J. (2017). Protecting Journalism Sources in the Digital Age. UNESCO. Available at https://unesdoc.unesco.org/ark:/48223/pf0000248054.
Poulsen, K. (2013, May 14). Strongbox and Aaron Schwartz. The New Yorker [Online]. Available from: https://www.newyorker.com/news/news-desk/strongbox-and-aaron-swartz.
Pyetranker, I. (2015). An Umbrella in a Hurricane: Cyber Technology and the December 2013 Amendment to the Wassenaar Arrangement. Northwestern Journal of Technology and Intellectual Property, 13, i.
Rachovitsa, A. (2016). Engineering and Lawyering Privacy by Design: Understanding Online Privacy Both as a Technical and an International Human Rights Issue. International Journal of Law and Information Technology, 24(4), 374–399.
Romanosky, S., Libicki, M. C., Winkelman, Z., & Tkacheva. O. (2015). Internet Freedom Software and Illicit Activity: Supporting Human Rights Without Enabling Criminals. Santa Monica: The RAND Corporation. Chapter 7, ProQuest Ebook Central. Available at https://www.rand.org/pubs/research_reports/RR1151.html. Accessed 8 September 2020.
R v Bow Street Magistrates’ Court and Allison (AP) Ex Parte Government of the United States of America (Allison). (2002). 2 AC 216.
R v Coulson. (2013). EWCA Crim 1026.
R v Martin. (2013). EWCA Crim 1420.
Safi, M. (2020, January 22). Greenwald Charges Are ‘Existential Threat’ to Journalism in Brazil, Says Edward Snowden. The Guardian [Online]. Available from: https://www.theguardian.com/media/2020/jan/22/greenwald-charges-are-existential-threat-to-journalism-in-brazil-says-edward-snowden and https://www.hrw.org/news/2020/01/23/brazil-journalist-faces-baseless-charges.
Schuster, S., Van Den Berg, M., Larrucea, X., Slewe, T., & Ide-Kostic, P. (2017). Mass Surveillance and Technological Policy Options: Improving Security of Private Communications. Computer Standards & Interfaces, 50, 76–82.
Silic, M. (2013). Dual-Use Open Source Security Software in Organizations–Dilemma: Help or Hinder? Computers & Security, 39, 386–395.
Sommer, P. (2006). Criminalising Hacking Tools. Digital Investigation, 3(2), 68–72.
Stieglitz, E. J. (2006). Anonymity on the Internet: How Does It Work, Who Needs It, and What Are Its Policy Implications. Cardozo Arts & Entertainment Law Journal, 24, 1395.
Townend, J., & Danbury, R. (2017). Protecting Sources and Whistleblowers in a Digital Age. Institute of Advanced Legal Studies. Available at https://infolawcentre.blogs.sas.ac.uk/files/2017/02/Sources-Report_webversion_22_2_17.pdf.
United States v J P Assange, Indictment. (2018, March). Available from: https://www.justice.gov/usao-edva/press-release/file/1153481/download.
Van der Vlist, F. N. (2017). Counter-Map** Surveillance: A Critical Cartography of Mass Surveillance Technology After Snowden. Surveillance & Society, 15(1), 137–157.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 The Author(s)
About this chapter
Cite this chapter
Guinchard, A. (2021). The Criminalisation of Tools Under the Computer Misuse Act 1990. The Need to Rethink Cybercrime Offences to Effectively Protect Legitimate Activities and Deter Cybercriminals. In: Owen, T., Marshall, J. (eds) Rethinking Cybercrime. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-030-55841-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-55841-3_3
Published:
Publisher Name: Palgrave Macmillan, Cham
Print ISBN: 978-3-030-55840-6
Online ISBN: 978-3-030-55841-3
eBook Packages: Law and CriminologyLaw and Criminology (R0)