Licence to hack?
In response to members of the House of Lords bemoaning the “glacial” pace at which the government was implementing the cyber security recommendation of Sir Patrick Vallance in the March 2023 ‘Pro-innovation Regulation of Technologies Review’ report, and calling for an “injection of urgency”, Home Office Minister Lord Sharpe has indicated that the government was working to establish a statutory public interest defence to cybercrime contrary to the Computer Misuse Act 1990, and would consult on this in due course.
In the March 2023 ‘Pro-innovation Regulation of Technologies Review’ report, Sir Patrick Vallance had recommended that the government amend “the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals”. This has been the subject of intensive lobbying by pockets of the industry.
In 2021, the Home Office had issued a call for information on the Computer Misuse Act 1990 (‘CMA’) and, at the same time as issuing its response in February 2023, issued a consultation on proposals on domain and IP address takedown & seizure, powers to require the preservation of data, and data copying, but indicated that it proposed to give further consideration to other outstanding issues, including the extra-territoriality provisions of the CMA, defences and sentencing.
Addressing a question posed by Liberal Democrat peer Lord Clement-Jones, the government has now confirmed that it agrees that the CMA requires amendment, and that it has established a working group comprising law enforcement representatives as well as industry members in an effort to “reach consensus” on a public interest defence.
Lord Sharpe acknowledged that the government was not pursuing the approach taken by the US, which issued an updated charging policy for violations of the Computer Fraud and Abuse Act (‘CFAA’) (the US equivalent of the CMA) in May 2022, indicating that good-faith security research should not be charged as an offence. Under that policy, good-faith security activity is considered to constitute “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services”.
The government signalled that it was, however, alive to the potential unintended consequences of any changes and confirmed that it was working “to define what constitutes legitimate cyber security activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum… who should be allowed to undertake such activity, what professional standards they will need to comply with and what reporting or oversight will be needed”. We also consider that any defence must address how any vulnerabilities identified must be responsibly raised with the relevant organisation and make clear that any information – including personal data – extracted remains subject to existing legislation protecting intellectual property and data protection. Any defence would also need to coincide with the public interest defence at s.170(2)(c) Data Protection Act 2018 (‘DPA 2018’) to the potential concurrent offence that would be committed under s.170 DPA 2018 of unlawfully obtaining personal data. Consideration should also be given to the implications for the offences under s.107 Copyright Designs and Patents Act 1988.
Handley Gill submitted a consultation response, addressing the wider issues the government raised including the introduction of a statutory defence to CMA offences. We remain concerned that a statutory defence in the terms being lobbied for would diminish rather than improve the professionalisation of the cyber security industry and would serve to seriously inhibit law enforcement in pursuing prosecutions; we are also sceptical as to the need for any defence, given that we are not aware of any legitimate cyber security professional having ever faced an investigation, let alone been charged, in respect of their activities. Any defence must not become a licence to hack away with impunity.
If you require support in considering the lawfulness of accessing and/or copying computer material, including data and/or software, or conducting other unauthorised acts in relation to computers, please don’t hesitate to contact us.