The Computer Misuse Act: The Law That Criminalizes Hacking In The UK

Matthew Hughes 20-05-2015

Hacking into computers is illegal pretty much worldwide.


In the UK, the key legislation that deals with computer crimes is the Computer Misuse Act 1990, which has formed the basis of much of the computer crimes legislation in many of the Commonwealth nations.

But it’s also a deeply controversial piece of legislation, and one that has recently been updated to give GCHQ, the UK’s primary intelligence organization, the legal right to hack into any computer they so desire. So, what is it, and what does it say?

The First Hackers

The Computer Misuse Act was first written and put into law in 1990, but that’s not to say that there was no computer crime prior to then. Rather, it was just incredibly difficult, if not impossible, to prosecute. One of the first computer crimes to be prosecuted in the UK was R v Robert Schifreen and Stephen Gold, in 1985.

Schifreen and Gold, using simple, off-the-shelf computer equipment, managed to compromise the Viewdata system, which was a rudimentary, centralized precursor to the modern Internet owned by Prestel, a subsidiary of British Telecom. The hack was a relatively simple one. They found a British Telecom engineer, and shoulder-surfed as he keyed in his login credentials (username ‘22222222’ and password ‘1234’). With this information, they ran amok through Viewdata, even browsing the private messages of the British Royal Family.


British Telecom soon became suspicious and started to monitor the suspect Viewdata accounts.

It wasn’t long until their suspicions were confirmed. BT notified the police. Schifreen and Gold were arrested and charged under the Forgery and Counterfeiting Act. They were convicted, and fined £750 and £600 respectively. The problem was, the Forgery and Counterfeiting Act didn’t really apply to computer crimes, especially ones that were motivated by curiosity and inquiry, not financial goals.

Schifreen and Gold appealed against their conviction, and won.

The prosecution appealed against their acquittal to the House of Lords, and lost. One of the judges in that appeal, Lord David Brennan, upheld their acquittal, adding that if the government wished to prosecute computer criminals, they should create the appropriate laws to do so.

This necessity led to the creation of the Computer Misuse Act.

The Three Crimes Of The Computer Misuse Act

The Computer Misuse Act, when introduced in 1990, criminalized three particular behaviors, each with varying penalties.

  • Accessing a computer system without authorization.
  • Accessing a computer system in order to commit or facilitate further offenses.
  • Accessing a computer system in order to impair the operation of any program, or to modify any data that doesn’t belong to you.

Crucially, for something to be a criminal offense under the Computer Misuse Act 1990, there has to be intent. It’s not a crime, for instance, for someone to inadvertently and serendipitously connect to a server or network they don’t have permission to access.

But it’s entirely illegal for someone to access a system with intent, with the knowledge that they don’t have permission to access it.

Because the technology was relatively new, legislators had only a basic understanding of what was required, and the legislation in its most fundamental form didn’t criminalize other undesirable things one can do with a computer. Consequently, it has been revised multiple times since then, being refined and expanded along the way.

What About DDoS Attacks?

Perceptive readers will have noticed that under the law as described above, DDoS attacks aren’t illegal, despite the vast amount of damage and disruption they can cause. That’s because DDoS attacks don’t gain access to a system. Rather, they overwhelm it by directing massive volumes of traffic at a given system, until it can no longer cope.


DDoS attacks were criminalized in 2006, one year after a court acquitted a teenager who had flooded his employer with over 5 million emails. The new legislation was introduced in the Police and Justice Act 2006, which added a new amendment to the Computer Misuse Act that criminalized anything that could impair the operation or access of any computer or program.

Like the 1990 act, this was only a crime if there was the requisite intent and knowledge. Intentionally launching a DDoS program is illegal, but becoming infected with a virus that launches a DDoS attack is not.

Crucially, at this point, the Computer Misuse Act wasn’t discriminating. It was just as illegal for a police officer or spy to hack into a computer, as it was for a teenager in his bedroom to do it. This was changed in a 2015 amendment.

You Can’t Make A Virus, Either.

Another section (Section 37), added later on in the life of the Computer Misuse Act, criminalizes the production, obtaining and supply of articles that could facilitate a computer crime.

This makes it illegal, for instance, to build a software system that could launch a DDoS attack, or to create a virus or trojan.

But this introduces a number of potential problems. Firstly, what does this mean for the legitimate security research industry, which has produced hacking tools and exploits with an aim to increase computer security?

Secondly, what does that mean for ‘dual use’ technologies, which can be used for both legitimate and illegitimate tasks? A great example of this would be Google Chrome, which can be used for browsing the Internet, but also launching SQL Injection attacks.


The answer is, once again, intent. In the UK, prosecutions are brought by the Crown Prosecution Service (CPS), which determines whether someone should be prosecuted. The decision to take someone to court is based upon a number of written guidelines, which the CPS have to obey.

In this instance, the guidelines state that the decision to prosecute someone under Section 37 should only be done if there is criminal intent. It also adds that in order to determine if a product was built in order to facilitate a computer crime, the prosecutor should take into account legitimate usage, and the motivations behind building it.

This, effectively, criminalizes malware production, whilst allowing the UK to have a flourishing information security industry.

“007 – License to Hack”

The Computer Misuse Act was again updated in early 2015, albeit quietly, and without much fanfare. Two important changes were made.

The first was that certain computer crimes in the UK are now punishable with a life sentence. These would be given out if the hacker had intent and knowledge their action was unauthorized, and had the potential to cause “serious damage” to “human welfare and national security” or were “reckless as to whether such harm was caused”.

These sentences don’t appear to apply to your garden variety disaffected teenager. Rather, they’re saved for those who launch attacks that have the potential to cause serious harm to human life, or are aimed at critical national infrastructure.


The second change that was made gave police and intelligence operatives immunity from existing computer crime legislation. Some applauded the fact that it could simplify investigations into the types of criminals who could obfuscate their activities through technological means. Others, namely Privacy International, were concerned that it was ripe for abuse, and that sufficient checks and balances aren’t in place for this type of legislation to exist.

Changes to the Computer Misuse Act were passed on March 3rd 2015, and became law on May 3rd, 2015.

The Future of the Computer Misuse Act

The Computer Misuse Act is very much a living piece of legislation. It is one that has changed throughout its life, and will likely continue to do so.

The next likely change is due to come as a result of the News of the World phone hacking scandal, and will likely define smartphones as computers (which they are), and introduce the crime of releasing information with intent.

Until then, I want to hear your thoughts. Do you think the law goes too far? Not far enough? Tell me, and we’ll chat below.

Photo credits: hacker and laptop Via Shutterstock, Brendan Howard /, Anonymous DDC_1233 / Thierry Ehrmann, GCHQ Building / MOD


  1. Rose
    February 17, 2019 at 11:49 am

    Someone hacked into my email. They got a friend's name, set up a VPN fake email address and sent me a message from it using my friend's name. They have done this to frighten me as I informed them that I knew they were doing something illegal. I have no idea how big or small an operation they are running and am afraid to go to the police for fear of putting myself or my friend in danger. Just how much information can they obtain from hacking my email account?

  3. bob
    January 26, 2016 at 6:13 pm

    Law is too far punishing ethical people for finding exploits in websites. Without hackers, nothing would be secure