What is the primary difference between Section 1 and Section 2 of the Computer Misuse Act?

Section 1 involves simple unauthorized access to computer material, whereas Section 2 requires that the unauthorized access be performed with the specific intent to commit a further, more serious crime (like fraud).

How does Section 3 of the CMA differ from Section 1?

Section 1 is limited to the act of gaining unauthorized access (viewing), while Section 3 involves unauthorized modification of data or impairing the operation of the computer (e.g., deleting files or spreading viruses).

When comparing the CMA and the Data Protection Act (DPA), which one focuses on the actions of hackers?

The Computer Misuse Act (CMA) focuses on the illegal actions of individuals who hack or misuse systems, whereas the DPA focuses on the legal obligations of organizations to keep personal data secure.

Is it a defense under the CMA to claim you were hacking a system just to find security flaws for the owner?

No, this is a common error. Without prior explicit authorization from the owner, any unauthorized access is illegal under Section 1, regardless of the 'helpful' intent of the hacker.

Does the CMA apply if you accidentally access a private file because a link was left open?

Generally, no. The CMA requires 'intent' to access unauthorized material; accidental access lacks the necessary 'guilty mind' (mens rea) for a criminal conviction.

If a friend gives you their password once, are you legally allowed to log in whenever you want?

No. Authorization is usually context-specific. Using a password to access an account without current, ongoing permission is considered unauthorized access under the CMA.

Define 'Unauthorised Access' in the context of the CMA.

Unauthorised access occurs when an individual intentionally causes a computer to perform a function to gain access to data or programs that they do not have permission to view or use.

What constitutes 'Unauthorised Modification' under Section 3?

This includes any intentional, unauthorized change to the contents of a computer, such as deleting files, altering data values, or introducing malicious code like viruses.

What is a 'Denial of Service' (DoS) attack in relation to the CMA?

A DoS attack is an attempt to make a computer resource unavailable to its intended users; it is prosecuted under Section 3 because it intentionally impairs the operation of a computer system.

Why was the Computer Misuse Act 1990 created?

It was created because existing laws (like the Theft Act) required something physical to be stolen; the CMA was needed to criminalize the act of digital hacking where only data is accessed or copied.

The Computer Misuse Act 1990 | OCR AS-Level Computer Science

5. Legal, Moral, Cultural & Ethical Issues

The Computer Misuse Act 1990

Summary

The Computer Misuse Act 1990 (CMA) is the primary legislation in the United Kingdom designed to protect computer systems and data from malicious activity. It establishes a legal framework that criminalizes unauthorized access to computer material, unauthorized access with criminal intent, and the unauthorized modification of data, ensuring that hacking and digital sabotage are punishable by law.

1. Definition & Core Concepts

The Computer Misuse Act 1990 (CMA) was introduced to address the growing threat of computer hacking and digital crimes that were not adequately covered by existing theft or property laws. It provides a clear legal definition for activities that constitute 'misuse' of a computer system.
Unauthorised Access is the foundational concept of the act, referring to any instance where an individual gains entry to a computer system or data without the explicit permission of the owner. This includes using stolen passwords, bypassing security protocols, or exploiting software vulnerabilities.
The act is designed to be technology-neutral, meaning it applies to all forms of computer systems, from personal laptops and smartphones to large-scale corporate servers and industrial control systems.
Authorization is the critical legal boundary; if a user has been granted permission to access a specific set of data but exceeds that permission to view other restricted areas, they may be in breach of the act.

A diagram showing the three primary levels of offences under the Computer Misuse Act 1990, illustrating how the severity increases from simple unauthorized access to unauthorized modification.

2. The Three Primary Offences

Section 1: Unauthorised Access

This is the most basic offence, often referred to as 'simple hacking'. It occurs when someone intentionally gains access to data or a program they are not permitted to see, even if they do not change or steal anything.
An example would be a person guessing a colleague's password to look at their private emails; the act of logging in without permission is the crime.

Section 2: Access with Intent to Commit Further Offences

This level involves gaining unauthorized access with the specific intent to commit a more serious crime, such as fraud or blackmail. The secondary crime does not have to be successful for this offence to be triggered.
For instance, if an individual hacks into a bank's server with the goal of transferring money to their own account, they have committed a Section 2 offence the moment they gain access with that intent.

Section 3: Unauthorised Modification of Computer Material

This offence covers the intentional alteration or deletion of data, or the introduction of malicious software (malware) like viruses, worms, or ransomware. It also includes activities that impair the operation of a computer, such as Denial of Service (DoS) attacks.
Examples include changing grades in a school database, deleting a company's financial records, or launching a script that crashes a website.

3. Underlying Principles

4. Key Distinctions

5. Exam Strategy & Tips

6. Common Pitfalls & Misconceptions