On 7 February 2023, the government launched a consultation on the Computer Misuse Act 1990 (CMA) in order to inform any potential legislative updates to the UK’s cybercrime framework. This consultation follows a review of the CMA that took place in May 2021 and has been launched in the context of enhancing the UK’s cyber resilience in accordance with The National Cyber Strategy 2022.
The consultation seeks views on three main proposals for legislation:
- Domain name and IP address takedown and seizure;
- Power to preserve data; and
- Data copying.
Domain name and IP address takedown and seizure
Currently, any efforts to remove criminally-driven domain names and IP addresses (such as misleading sites set up with the intention to phish) take place under voluntary arrangements, which may not always be effective especially as cybercrime becomes increasingly pervasive. The government has proposed introducing take down or takeover powers by domain name registrars or law enforcement agencies respectively, as well as requiring that the UK Registry refuse to register certain domain names that appear (through the use of algorithms as a prediction tool) to be used for criminal purposes. The government has also suggested empowering trusted bodies with “sinkholing” responsibilities, enabling these bodies to identify and intercept malicious communications and alert potential cybercrime victims to any threats.
Power to preserve data
The government has recognised the importance of data preservation in the context of investigations, even before a law enforcement agency makes a formal request for seizure of that data. At present, such data preservation takes place voluntarily and it is suggested that this may not be sufficient for future purposes. The government has suggested that all UK law enforcement agencies be empowered to require time-restricted preservation of specified computer data by a person in control of such data, subject to appeal by the data owner.
Data copying
The consultation seeks views on whether there is a need to create a general offence for “possessing or using illegally obtained data.” As data copying does not fall within the remit of the Theft Act, it is suggested that the penalties for data copying in the CMA do not address the severity of this offence.
Other aspects considered
One of the main issues raised during the review of the CMA was whether statutory defences should be introduced in the Act in order to safeguard the efforts of those taking action against cybercrime. The government recognised that, although this might foster a healthy cyber ecosystem where the industry is not prevented from taking action against hostile actors, it may also be vulnerable to abuse as bad actors may invoke such a defence to justify the criminal cyber activity. This contentious point remains to be assessed in the context of improving the UK’s cyber security strategy.
Along with reconsidering the sentencing levels for CMA offences, the government is also considering adding extra-territorial provisions to the CMA if it considers the nature of certain CMA offences to be borderless.
Next steps
To date, the proposals put forward in the consultation intend to endow law enforcement agencies with far greater powers in cyber investigations than have been possible under the current regime of voluntary cooperation or contractual obligations.
The consultation will end on 6 April 2023, after which it will be clearer how law enforcement’s envisaged powers surrounding data preservation could interact with any contractual obligations surrounding data retention and destruction.