Policy submission

Computer Misuse Act 1990: Call for Information - Which? response


Which? welcomes the opportunity to submit a response to the Home Office’s Call for Information on the Computer Misuse Act, and we welcome the intention to review the Act.

Despite being more than 30 years old, the Computer Misuse Act (CMA) remains the primary vehicle for law enforcement to prosecute cyber-dependent crime. The Act has been updated a few times over its lifespan, and new prosecution guidance has been issued. We note that the General Data Protection Regulations 2018 also play a role, along with the Network and Information Systems Regulations 2020.

Largely, though, the original CMA legislation remains intact, despite the digital landscape changing immeasurably since 1990. There is a growing feeling that this legislation - which pre-dates the mass use of the internet, Web 2.0 and social media, mobile apps and ecosystems, and smart connected devices - is ill-equipped to properly deal with the cybercrime landscape of 2021 and beyond.

Which? is the UK’s consumer champion. As an organisation we’re not for profit - a powerful force for good and here to make life simpler, fairer and safer for everyone. We fund our work mainly through member subscriptions. We are not influenced by third parties – we never take advertising and we buy all the products that we test. Which? works in pursuit of its charitable objects for the public benefit. 

In Which?’s capacity as the UK’s consumer champion, we have chosen to answer those questions which allow us to draw on our experience in consumer protection in the digital sphere to present information and recommendations that draw on our expertise. We believe that there are other stakeholders and organisations that are well-suited to consult on the other areas of this call for information. Our response, therefore, will concentrate on questions relevant to consumers, or work Which? has undertaken and published that could bring insights, guidance or recommendations for the Home Office’s Computer Misuse Act team, going forward.

As we understand it, this Call for Information intends to explore how the Act could be strengthened to give law enforcement agencies more powers to “investigate and take action against those attacking computer systems”, particularly in the light of “technological advances”. While we understand the need to strengthen these powers, we would urge extreme caution to ensure that any action does not weaken the integrity of encryption on consumer products, apps, devices and services. Which? advocates encryption as a way to build trust in digital and computer systems. Encryption gives consumers the peace of mind that their data, and data about them, is protected from unwarranted inspection. We believe that this should be protected at all costs for the sake of trust in the internet products and services that we all use and value.

Encryption is not only a tool that builds trust and security in digital and computer systems; it also keeps both consumers and the country safe by maintaining a secure national infrastructure. We believe that this is critical right now, as the government has placed cyberattacks as one of the critical concerns of the UK's risk register as we emerge from the Covid-19 pandemic.

In addition, we are interested in contributing “any other suggestions on how the response to cyber-dependent crime could be strengthened within the legislative context”. We would wish to push forward a case for stronger powers for independent research bodies, such as Which?, to more heavily scrutinise the computer systems of third parties when there is a clear public interest to do so, for example, if a company has had a data breach or security incident in the past, and there is concern that continuing security vulnerabilities might again put consumer data at risk.