Computer Misuse Act

In February 2022 PC Pro ran a feature article entitled "Is the Computer Misuse Act fit for purposes?" where I was interviewed. The feature article by Davey Winder is available to PC Pro subscribers. The feature article concluded as follows "” We’ll leave the final word to two people who were instrumental right at the beginning of this journey into cybercrime legislation: ex-barrister Alistair Kelman and the former hacker Robert Schifreen. “The CMA can be seen as a bit of a sweeping-up measure which has depended for its validity and acceptability on it only being sparingly used in prosecutions,” Kelman said. “It would be appropriate, in my view, that prosecutions could only be brought under a revised Act with the prior consent of the attorney general or the director of public prosecutions, leaving the CMA available for use in unusual and extreme circumstances without causing long-term issues.” Kelman insists that we have a sound system of checks and balances in our legal system in the form of the Association of Chief Police Officers’ “Good Practice Guide for Digital Evidence”, which, he said, “should be read into a prior-consent system under a revised CMA”. With such safeguards in place, Kelman is happy that a person engaged in penetration testing, an infosecurity researcher or someone investigating a vulnerability disclosure issue “would not be at genuine risk of prosecution, while bad actors would always remain at risk”. Schifreen adds that the deterrent aspect of the initial Act simply isn’t working, as evidenced by the continued rise in cybercrime. “It’s unlikely that increasing the penalties or tweaking the wording of the Act is going to stem the tide,” he said. “Far better than reforming the CMA would perhaps be to give some more resources to Action Fraud, so that they can investigate and prosecute more people. This might then act as a real deterrent.”